From cybersecurity breaches to compliance mishaps, 2017 proved a tough year for many of the biggest enterprises in the economy. But organizations face an even more difficult situation in the months to come.

Cybersecurity laws are breaking new legal ground. More unique types of personal data are being created, stored and increasingly regulated. And old risks are more prominent than ever.

For enterprise risk management programs, it's all hands on deck. Here's a look at the three biggest risks facing enterprises in 2018:

1. A new type of cyber regulation?

Sure, the New York State Department of Financial Services' (NYS DFS) new data security regulation only affects certain financial companies within the state of New York. But it represents a new type of proactive state cybersecurity law that may become more prominent in the months to come.

“Of the newer laws, I do think the DFS one in New York is probably the most interesting, and possibly the most impactful,” said John F. Mullen, partner and co-founder of law firm Mullen Coughlin.

He explained that this was primarily due to the law's proscriptive nature, something that was previously unseen among local cyber regulations. “Because of that, the NYS DFS law opens up a whole new area of risk for companies to make sure they are affirmatively complying with it, not just complying after a possible event.”

Though the regulation only recently went into effect for enterprises, in August 2017, and more of its mandates are still coming online in periodic stages, New York financial institutions are optimistic they can meet its cybersecurity requirements.

“I don't think many have had a lot of trouble implementing multifactor authentication and other policies,” Monique Ferraro, cyber counsel at Hartford Steam Boiler, said at ALM's cyberSecure conference in New York last month.

Still, she noted that there are some compliance issues that need to be addressed. “Encryption, however, is a little bit more difficult to interpret, but everyone has decided we're going to interpret it this way. And if it's good, it's fine; if it's not, it's not.”

Whether and when the NYS DFS law spurs similar laws around the country remains to be seen. But following the Equifax Inc. breach, New York state has already proposed a new proscriptive cybersecurity law covering all companies within the state that handle “sensitive data.”

2. The ever-present pitfall: vendor risk

The need for third-party risk management is nothing new. But going into 2018, it's still a difficult challenge for many enterprises. Just ask Verizon. Late last year, the company had the personal information of 6 million of its customers exposed due to a breach at one of its vendors.

But for some, including several legal experts speaking at ALM's cyberSecure conference in December, vendor risk may be an unavoidable reality. As an example of how hard it is to completely mitigate this risk, Noga Rosenthal, chief privacy officer at Epsilon, noted the 2013 breach at Target, which occurred when one of the company's HVAC vendors was compromised by cyberattackers.

“What I struggled with was that the vendor that allowed the attackers in was the HVAC vendor,” she said. “How do we stop that? Would I have [classified] that HVAC vendor as a high-risk vendor that is touching my data?”

At the same session, Buck de Wolf, vice president, chief intellectual property counsel and general counsel at GE Global Research, added that if a vendor is a critical supply chain partner in a company's operations, vendor risk can sometimes be the inevitable cost of doing business.

“What if the vendor makes a critical component for what you're selling?” de Wolf asked. “Do you stop selling that product because the vendor says we cannot comply with your contractual security requirements?”

But while vendor risk may be unavoidable, Nicole Eagan, CEO at Darktrace, who also spoke at the session, noted that there are ways to better manage it than simply surveying third parties.

“If you're just filling out a vendor survey once a year, it's not enough. Threats change hourly, they change daily,” she said. “The person answering that survey likely doesn't know the answer, and they are doing their best to answer. But they lack visibility into what their own threats are.”

Instead, Eagan advised companies to deploy artificial intelligence-based cybersecurity technology that can monitor vendors' networks, “because then you can see the inside of their network and detect what is going on.”

3. The growth of biometric data privacy laws

Enacted in 2008, Illinois's Biometric Information Privacy Act (BIPA) was the first law in the nation to regulate how companies handle biometric data. But given the current legal climate, it may be far from the last.

While there have been efforts to weaken what some see as the BIPA's broad scope, it is becoming increasingly clear that the Illinois law was the first in what may be numerous state statutes across the United States.

Though they're not as expansive as the BIPA, Texas and Washington state have come out with their own biometric data regulations, for example. And there are more states moving to regulate biometrics on the horizon.

Hanley Chew, of counsel at Fenwick & West, wrote in Legaltech News that currently, “several state Legislatures are considering legislation that would regulate [biometric data] collection, use and retention,” including Alaska, Connecticut, Montana and New Hampshire.

And states may not be the only ones looking to regulate this space. Given the potential security issues with biometric data, federal agencies have also started to issue guidance on how biometric data should be used by corporations.

Both the Federal Trade Commission and the Department of Commerce's National Telecommunications and Information Administration, for example, have come out with best practice recommendations for facial recognition technologies.


Rhys Dipshan is a New York-based legal tech reporter covering everything from in-house technology disruption to privacy trends, blockchain, AI, cybersecurity, and ghosts-in-the-machine. Contact him at [email protected].

From: LegalTechNews