A Call for Harmonized Legal Frameworks
As we end 2021, the cyber threat environment is no less dangerous, and the laws and regulations surrounding privacy and cyber security are no less complicated.
Privacy fines are on the rise, and cyber crime is at an all-time high. Citizens and companies alike are in the crosshairs, and governments around the globe are responding by introducing legislation and mandating private sector actions. The need for global harmonized legal frameworks for privacy and cyber crime has never been more urgent.
On the Privacy Front
On the privacy front, compliance costs are rising as companies prepare to comply with comprehensive state privacy laws. The California Privacy Rights Act (CPRA) goes into effect Jan. 1, 2023, but it has a one-year look-back provision. Virginia and Colorado also adopted comprehensive privacy laws that go into effect on Jan. 1, 2023, and July 1, 2023, respectively. All three of these laws track the GDPR and are pushing the United States toward an approach harmonized with the EU, which, frankly, is starting to make a lot of sense.
The EU Data Protection Directive was adopted in October 1995. The directive had its issues in implementation and enforcement, and U.S. companies howled and whined. But ultimately, none of that stopped the European Union from adopting stronger privacy controls when the GDPR replaced the Data Protection Directive on May 25, 2018.
Let’s face it: the European Union has won on privacy, and the United States’ attempts to hold on to its fragmented privacy laws that slice and dice data by industry sector (health, financial, education, etc.) and type of data are proving to be expensive. Plus, consumers want more privacy protections and favor the comprehensive approaches that mirror the GDPR. Aligning U.S. privacy laws with the GDPR will simplify compliance for global companies and enable small and midsize businesses to engage in international commerce with lower compliance costs.
The U.S. Department of Commerce, meanwhile, is trying to maintain the status quo through its negotiations with the European Union on a new Privacy Shield agreement. The Europeans, of course, want assurances that U.S. intelligence agencies will not hoover up or review trans-Atlantic communications. A September 2021 Congressional Research Report on the subject quoted European Commission vice president Věra Jourová as stating, “On the commercial side, we don’t see such a big issue…but of course, there is the issue of access to data from the national security agencies…a legally binding rule would be very useful, I would even say necessary.” U.S. officials remain hopeful that negotiations are close to complete but expressed caution, noting that they want an agreement that will withstand a Schrems III-type legal challenge.
We just negotiated a global tax agreement. Why aren’t we negotiating a global privacy agreement? A harmonized global privacy framework would reduce all of this uncertainty, and it would certainly be embraced by individuals who are left to fend for themselves against identity theft and breaches of their personal data. According to a 2021 report on identity theft by GIACT, 47% of U.S. consumers experienced identity theft or account takeover in the past two years. The privacy risks associated with social media companies and online advertising have heightened the awareness of individuals and Congress, but it remains to be seen whether Washington has the willpower to finally address privacy with the same gusto as U.S. states.
The European Union Agency for Cybersecurity (ENISA) just published its “Threat Landscape 2021 Report,” which noted, “One of the more enduring developments that resulted from the COVID-19 pandemic is a lasting shift to a hybrid office model.” At last, someone finally said it. It is doubtful that office life will ever return to the way it was before the pandemic. The criminals took full advantage of the cyber-security risks created by a workforce that suddenly began working from home and cyber-security programs that had gaps and deficiencies, and cyber crime soared the past 18 months.
Cyber crime is projected to cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015. Ransomware, fueled by cryptocurrency ransom payments, is still the top threat. So why are the bad guys winning? Two reasons. First, tracking and tracing cyber crimes is very difficult due to inconsistent cyber crime laws around the globe. Second, most police forces do not have officers skilled in cyber investigations who can track the path of an attack and properly capture, store, and document digital evidence. Unfortunately, with the exception of a few major metropolitan police forces, this is true across the United States and most of the world.
The U.S. law enforcement units that are best equipped to investigate and prosecute cyber crimes are the Federal Bureau of Investigation and the Secret Service. These two entities, however, are not staffed to handle the flood of cyber crime reports that come their way. Plus, many of these incidents do not meet the federal threshold of at least $75,000 in damages. Even if they do, their claim may still be too low when triaged against higher-value cases seeking their attention that may involve attacks on critical infrastructure or include nation-state involvement.
So, if the FBI or Secret Service cannot help, who will? Most organizations either try to manage the incident on their own (which is very difficult and expensive) or they call their state bureau of investigation or local law enforcement. But then they run into another problem. In addition to the lack of trained cyber investigators at the state and local levels, few U.S. states have adequate cyber crime laws. So state law enforcement has to try to patch together a legal basis for the investigation based on other state laws, which creates issues when seeking assistance in other jurisdictions (and most cyber crimes are multi-jurisdictional). “Inconsistent cyber crime laws across the U.S. is one of the biggest problems facing state prosecutors,” noted Frank Russo, director of government and legislative affairs for the National District Attorneys Association.
Most companies are not aware of the cyber crime laws in the jurisdictions where they do business. The cyber criminals, however, are very aware of which countries do not have strong cyber crime laws and adequately trained cyber investigators. They know which countries follow Russia’s lead and will look the other way and ignore cyber criminal activity as long as the criminals don’t attack local businesses. They know which countries are safe havens for their activities and their repositories of stolen data.
The U.S. government helped draft the Council of Europe (CoE) Convention on Cyber Crime, which has been ratified by 65 countries, including the United States. The CoE convention contains both substantive cyber crime provisions as well as procedural provisions regarding investigations. It is a good start toward solving this problem, but it is not enough when there are 250 countries and territories connected to the internet. There is a desperate need for a binding international legal framework that will govern actions by nation-states in cyber space and will provide for a harmonized approach to cyber crime laws and investigations.
What to Do
So what do organizations do in the face of such fractured legal frameworks and gigantic global issues? They get smart. They identify the data they have in their organizations, put controls on it, and manage the risk. They identify the cyber crime laws in the jurisdictions where they do business, and they build relationships with their communications providers (telecommunications and internet service providers) and law enforcement. They cultivate local points of contact and include them in their incident response plans.
They also work with their insurance agents and brokers to identify points of business interruption, develop strong incident response plans, and test backup/recovery capabilities. Experts within the insurance industry can help organizations assess the adequacy of their coverage for cyber incidents—across all policies—and review their policy language to ensure the types of incidents that could occur are covered.
But policyholders and their agents and brokers can do more than address this problem client by client. The insurance industry is global and influential and knows more about risk management than governments. Together, businesses and the insurance industry can help governments understand the reduction in risks and costs that could be achieved through harmonized cyber crime laws and coordinated approaches to privacy. Happy 2022!