This October marks the Cybersecurity and Infrastructure Security Agency’s 18th Cybersecurity Awareness Month, with this week’s theme being #BeCyberSmart. For many organizations, being cyber smart begins from the ground up, training users as your first and often most effective line of defense against a growing and increasingly organized spectrum of cyber threats. This LEGALcurrents focuses instead on the top-down approach to being cyber smart: thinking strategically about how cybersecurity awareness and practice fits into your organizational ethos, structure, and goals. A potentially unlikely place to begin this cyber discussion is on the issue of privacy, taking the 2021 New York Privacy Act Bill, S.6701/A.680-A (“NYPA”), as a case study in how privacy developments can affect and drive—or even derail—cybersecurity strategy.
As has been reported widely in the press, NYPA marks a break with traditional privacy regulatory regimes in that it adopts a pure opt-in consent model, meaning that no processing of the personal information of a New Yorker would be allowed absent “freely given, specific, informed, and unambiguous” consent to such processing. See NYPA §§ 1100(4) (definition of consent); 1102(2) (opt-in consent requirement). Putting aside the viability of such a requirement, which, for example, would require prior consent before targeted advertising, NYPA’s groundbreaking proposals make one thing clear: the regulation of consumer privacy is expanding in scope and depth, in ways that will tax any organization’s security team in the very near future. This conclusion is likely a foregone one, as other states like California, Virginia, and Colorado have enacted comprehensive privacy regulatory regimes with jurisdictional reach far beyond their boundaries. These regimes strain an organization’s security team because, in many organizations, information security, or the information technology team more generally, is the resource to which the organization turns when it must better understand, and control, the personal data it processes.
Whether NYPA, which has not yet become law, advances in the upcoming legislative session in New York beginning on January 1, 2022, or whether some other approach wins out, like an analog to the California Consumer Privacy Act (“CCPA”) or the Virginia Consumer Data Protection Act (“CDPA”), comprehensive privacy regulation is coming to New York, and soon. Indeed, many New York organizations are already subject to CCPA, which took effect in 2020, or they are preparing for the recently enacted changes to CCPA or for CDPA more generally, both of which take effect on January 1, 2023. Given this, 2022 will not only be a time of heightened risk for information security teams, as they deal with the increasing scourge of ransomware-as-a-service attacks and supply chain cyber vulnerabilities, but also a time of introspection and restructuring. These teams will be asked to identify the personal data their organizations process and to aid their organizations in developing privacy practices soon to be required by law.
Three key projects can aid any organization in tackling these issues together, working cyber smart and not just cyber hard. These are the critical data protection triad of a personal data inventory, a risk assessment, and development of a written information security program (“WISP”). Few organizations have taken all three of these steps in a rigorous and comprehensive manner. And for those organizations that have already taken these steps, the relevant goalposts have now changed, as privacy regimes like CCPA, CDPA, NYPA and others all define personal data (or “personal information,” depending on the definitions used) differently than traditional security regimes, like the NY SHIELD Act, N.Y. Gen. Bus. Law § 899-bb, or the New York State Department of Financial Services cybersecurity regulations, found at 23 N.Y.C.R.R. Part 500. Hence, a SHIELD Act risk assessment, for example, would not be sufficient for CCPA, CDPA, or even NYPA, if NYPA passes.
Lastly, what these new privacy regimes underscore is that data protection, i.e., the intersection of information security and personal data privacy, is a team sport. It requires the input and focus of the information security team, certainly, but also of internal and external legal resources, because the question of data protection compliance is always a legal question in the first instance. Organizations too frequently ignore the protection the attorney-client privilege can give when working on a data inventory, risk assessment, or a WISP. Yet these foundational steps are the first place a regulator or plaintiffs’ attorney would look for evidence of a problem or flaw in an organization’s data protection approach.
So, to be cyber smart in 2022 and beyond, organizations are best served if they think about privacy and security together, and plan for the significant work ahead in meeting the requirements of new data protection regimes. The one constant in this equation is change, and the greatest challenge an organization has in relation to data protection is managing that change in a strategic and hopefully beneficial fashion.
If you have any questions regarding this LEGALcurrents, please contact any member of the Privacy and Data Security group at 585.232.6500 or 716.853.1616.