Last Thursday, in partnership with FieldFisher, Vormetric released a press release and White Paper outlining the latest legal obligations for encryption of personal data in the United States, Europe, Asia and Australia. As cyber threats, security breaches and data loss become more and more commonplace, lawmakers and regulators are under pressure to put strong data security legal frameworks in place. Consequently, encryption requirements are an increasingly common part of compliance around databases, unstructured data, cloud technologies and application data.
Below, I’ve summarized some of the most interesting data security laws in the aforementioned regions. I’ve also revisited the May 2014 security breach of popular e-commerce site eBay and the legal repercussions stemming from the cyberattack, to help you better understand this new compliance reality.
The European Union (EU) data protection regime is built around the Data Protection Directive of 1995, the ePrivacy Directive and the Payment Services Directive 2 (PSD 2). In the case of the Data Protection Directive, organizations that process personal data about living individuals must protect personal data against accidental loss or unauthorized disclosure and ensure those measures are commensurate to the risk involved. The ePrivacy Directive governs the processing of personal data in the electronic communications sector and breach notification requirements, while PSD 2 (which is expected to be fully implemented in 2016) governs the security and authentication requirements for payment service providers.
On page 6 of the report, we noted four principles that are useful to keep in mind when thinking about encryption in the EU: a) some national legislation of EU member states refers to encryption, but most does not; b) the law is developed by regulators and courts, and it evolves with technology; c) EU data protection authorities universally expect companies to use encryption when dealing with personal, sensitive or confidential data; and d) because regulation tends to be developed in a piecemeal manner, regulators have yet to address all forms of encryption available. But, given the aggressive and uniform frameworks in place, it’s fair to say the EU is committed to strong encryption and user authentication solutions across the board.
In the United States, data protection laws generally vary sector-by-sector, so each industry typically takes a different approach. Organizations must also contend with both state and federal law, which can make things somewhat complex. That said, the advent of the 21st century saw the federal government take aggressive action on the data security front. Two of the most well-known federal measures governing data security in the U.S. are the Federal Information Security Management Act of 2002 (FISMA) and the Federal Information Security Amendments Act of 2013. FISMA requires that federal agencies put processes and system controls in place to ensure all IT systems and government information are protected against natural or man-made threats. The Federal Information Security Amendments Act further strengthens FISMA by mandating that federal agencies comply with computer security standards developed by the National Institute of Standards and Technology (NIST).
Also of considerable interest is the global Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was put in place by the PCI Security Standards Council, a group devoted to enhancing “payment account data security by driving education and awareness of the PCI Security Standards.” Founding members of the Council include American Express, Discover Financial Services and Visa Inc. Unlike the laws discussed above, PCI DSS is an industry standard rather than legislation; it is enforced contractually by the card brands and acquiring banks, but non-compliance still carries fines and the loss of the ability to process card payments. PCI DSS is particularly significant because it explicitly mandates encryption; as we mentioned in our White Paper, “Requirement 2.3 of PCI DSS v3.0 requires entities implementing PCI DSS to ‘encrypt all non-console administrative access using strong cryptography.’”
Australian data protection is governed by the Privacy Act of 1988, since updated by the Privacy Amendment Act of 2012 (the Privacy Act). The Amendment’s new stipulations came into effect on March 12, 2014 and lay out the Australian Privacy Principles (APPs), which require organizations to take “reasonable steps” to protect personal information. From the language, one can safely infer encryption is part of those measures. In 2012, the Office of the Australian Information Commissioner (OAIC) also offered regulatory guidance pertaining to encryption.
Similar to Australia, the data protection laws on the books in Singapore make it easy to infer encryption is one of the tactics organizations are expected to employ to protect personal data. The Singapore Personal Data Protection Act (PDPA) and provisions related to the creation of the Personal Data Protection Commission (the Commission) currently require organizations to protect personal data in their control by making “reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.” Additional data protection provisions (and subsequent enforcement activities) are due to come into effect in July of 2014.
South Korea’s Personal Information Protection Act (PIPA) is one of the strictest data protection laws in the world. It’s also supported and enhanced by sector-specific legislation. Per PIPA, both public and private organizations must notify data subjects and the Korea Communications Commission (KCC) in the event of a breach. The South Korean Financial Services Commission (FSC), the agency responsible for financial policy making, is also considering new regulations, stricter rules and harsher penalties for companies that experience data breaches. Interestingly, in January 2014 South Korea saw a massive data breach when roughly 100 million credit card account records from the databases of three South Korean credit card companies were leaked by a single contractor. Post-breach, the FSC made a point of saying the data was easy to steal because it was unencrypted.
The Case of eBay
As our team has noted on many different occasions, security breaches can have a huge impact on organizations from a reputational and financial standpoint. Although the legal ramifications of a security breach may not be “sexy,” they’re real and they’re burdensome. For example, in May eBay revealed its corporate network had been hacked and user credentials compromised. Shortly thereafter, the company recommended all users change their passwords.
While the company claims financial information is not at risk, that wasn’t enough to assuage the fears of the U.S. state attorneys general in Connecticut, Florida and Illinois. The attorneys general are set to launch a joint investigation focused on the circumstances that led to the breach, the security measures the company had in place, the number of users affected, and the company’s response to the breach and its prevention measures.
According to the CNET article I linked to above, the UK Information Commissioner’s Office (ICO) is also considering a formal probe. There are over 145 million eBay users worldwide, so it’s safe to say government agencies in the U.S., UK, and other geographies will be closely monitoring the situation and weighing their legal options for some time. In the meantime, the current investigations are forcing eBay to spend considerable time and money reevaluating its security practices, thus diverting resources from further business innovation. Additionally, the odds are high eBay will face both regulatory fines and civil litigation, further impacting the company’s bottom line.
eBay is only one in a laundry list of high-profile companies that have suffered security breaches – and governments are paying attention. In my blog from April 10, 2014, I cited the Federal Trade Commission’s request for Congress to pass a national breach notification bill, which would require companies that have their systems compromised to alert consumers and the appropriate government authorities within a specific time frame. With hackers growing increasingly bold and sophisticated, we’ll undoubtedly see tougher penalties against those that haven’t done their due diligence, and more prescriptive measures from companies anxious to avoid becoming the next eBay, Target or Neiman Marcus.