Cyber security and the Trump era
March 2017 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Much of the recent US presidential campaign was unprecedented. Among the various shocks, vitriol and hyperbole, there was one recurring theme that had already been a concern for business and investors for some time: cyber security. From the Target Inc. data breach in 2012, to the US indictment of several Chinese military officers in 2014, the hacking of TalkTalk in Britain during 2015, the growth of ‘outsider trading’ (i.e., trading in securities affected by possessing price-sensitive information stolen through hacking), and the SWIFT banking transfer hacks of 2016, cyber security rose up the corporate risk agenda. While cyber activity by Russia apparently affected the US election (and may affect others due in Europe this year), businesses remain primarily concerned about guarding their (and their customers’) information and data systems: this includes personal data, as well as confidential commercial material and intellectual property.
While politicians, scholars, historians and the rest of the world’s intelligentsia must decipher what the game-changing events of 2016 (including the UK’s referendum vote to leave the European Union) mean for the future, business leaders do not have the luxury of waiting. They must continue to move forward on all fronts, even as they grapple with a volatile environment. This is particularly true in the areas of data privacy and cyber security. Those two issues are inescapable aspects of how business is now conducted. However, at the same time, the law and regulation regarding each continues to develop.
In the US, a Trump presidency, coupled with a Republican House of Representatives and Senate, will inevitably usher in an era of deregulation, less government and arguably a far less intrusive posture by the regulatory community as it relates to business generally. Specifically on data privacy and cyber security, however, we can expect the exact opposite; i.e., more active regulation is likely.
On the campaign trail, Mr Trump stated that “improving cyber security will be an immediate and top priority” for his administration. He has subsequently called for a comprehensive review of US cyber defences, vulnerabilities and infrastructure, to be conducted by a cross-disciplinary team of military, law enforcement and private sector experts. The Department of Justice will be instructed to create joint task forces to work together with federal, state and local law enforcement authorities and international law enforcement to focus on this rapidly evolving area of crime. President Trump is known to favour legislation that permits broader surveillance of individual citizens.
The Trump administration’s stated plans might face headwinds on the trade front, however. If Congress increased the government’s ability to access personal data in the name of national security, it would jeopardise, if not invalidate, the EU-US Privacy Shield. That agreement, which enables companies to send data from the EU to the US, in compliance with the EU’s privacy law, is dependent on US safeguards against bulk access to personal data. Loss of the agreement could bring EU-US trade to a virtual standstill.
President Trump could prevail in other areas, however. He is against net neutrality – the concept that all internet traffic should be treated equally. He is likely to appoint anti-regulatory individuals to head the Federal Trade Commission (FTC) and Federal Communications Commission (FCC), where they can be expected to begin rolling back the regulations established in previous administrations, and to be less involved in regulating e-commerce and data security enforcement.
He will also soon appoint two commissioners and a chair to the FTC, and his choices will provide a peek into the government’s overall privacy stance. Throughout the Obama administration, the FTC used Section 5 of the FTC Act to pursue – some say overzealously – companies that, in its judgment, were insufficiently protective of consumers’ data or used the data in unauthorised ways. Even though the new appointees may arrive with a pro-business mandate, the protection of consumer privacy has become a bi-partisan issue, and easing up on enforcement may be both politically unwise and institutionally unsound.
The path is particularly uncertain for the financial sector, a natural repository for sensitive customer information. The sector’s business models depend, in part, on the ability to monetise data, and they will be particularly affected by any changes in privacy laws. While the institutional cost of regulatory compliance can be high, it is nothing compared to the harm (whether reputation or purely financial) of a significant breach. Financial regulators in the US and elsewhere (for example, in the UK and across Europe) have been increasingly active on cyber security. For example, the SEC’s Office of Compliance Inspections and Examinations has been examining cyber security processes at regulated firms for the past few years; it lists cyber security as one of its priority market-wide risks. Further, in 2016 the US Federal Financial Institutions Examination Council proposed new cyber security rules for certain businesses in the financial sector. This is consistent with the trend toward regulation in other parts of the world. In Europe, for example, the European Union (EU) finally approved its long-discussed Network Information Security Directive, which requires Member States to implement laws demanding that relevant businesses implement certain cyber standards and, crucially, notify authorities of a significant breach. That is in addition to the new EU General Data Protection Regulation (effective from May 2018) regarding personal data, which imposes breach notification obligations and introduces significant fines (up to 4 percent of a company’s global annual revenue) for inadequate data security.
As incidents become increasingly destructive and attract further media attention, organisations face the risk of serious reputational, financial and legal liability. Forward-looking institutions, businesses and professional organisations have already realised that cyber security is not just an IT or compliance issue. In fact, it is the key to protecting some of their most valuable assets: intellectual property, customer information, financial data, confidential commercial plans and employee records, etc. As a result, cyber security, including, but not limited to personal data protection, has now become an essential part of enterprise risk management. As such, it deserves a coordinated, integrated approach that addresses its many components comprehensively.
Companies should conduct a full legal and technical review to identify and address weak points in their security systems, policies and procedures. They should establish metrics to measure cyber threats, implement best practices, and develop incident response plans to minimise the potential damage of an attack.
Accountability does not stop at the chief technology or chief information security officers’ doors. The host of new technologies, complex corporate governance issues, laws and regulations now facing businesses require the concerted planning and strategic thinking of senior executives, including the board of directors. Given the scope and seriousness of the challenges, businesses need to develop holistic programmes that address the myriad technical, criminal, regulatory, fiduciary and civil liability issues involved in data protection and breach preparedness. In the US, at least, there is already a growing body of civil litigation against companies that suffer a cyber breach. Businesses should proactively consult their attorneys for confidential and privileged legal advice both before and after an incident occurs.
While no one can predict the future in these uncertain times, it is clear that cyber security will remain a live issue for businesses and investors, as well as for governments and politicians.
Jeremy I. Bohrer is a partner and Anupreet S. Amole is an associate at Brown Rudnick. Mr Bohrer can be contacted on +1 (212) 209 4807 or by email: firstname.lastname@example.org. Mr Amole can be contacted on +44 (0)20 7851 6118 or by email: email@example.com.
© Financier Worldwide
Jeremy I. Bohrer and Anupreet S. Amole