BreachExchange mailing list archives

Global cybersecurity still fractured but getting tougher


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Sep 2013 22:36:30 -0600

http://www.insidecounsel.com/2013/09/26/global-cybersecurity-still-fractured-but-getting-t

Cybersecurity may be a top concern for legal counsel, but the shifting
waters of global cybersecurity law are becoming increasingly difficult to
navigate. With recent changes in cybersecurity law across the globe, the
cybersecurity legal realm is no longer as uniform as it once was, while
rules are becoming tougher across the board.

Take, for instance, the differences between Europe, Asia and the U.S. As
trial attorneys Thomas Mahlum and Melissa Goodman of Robins, Kaplan,
Miller & Ciresi L.L.P. wrote on InsideCounsel in August, the European Union
(EU) has one completely codified set of rules for what counts as personally
identifiable information (PII), with the EU Data Protection Directive and
the Organization for Economic Cooperation and Development Guidelines. The
Asian-Pacific Economic Cooperation, however, takes a less strict view of
PII in the APEC Framework. The U.S., meanwhile, has a number of guidelines
to abide by, including the Video Privacy Protection Act, the Cable
Television Protection and Competition Act, the Children's Online Privacy
Protection Act, and the Stored Communications Act.

“Businesses need to also adhere to the clearer guidelines on corporate data
preservation duties developed as part of e-discovery’s emerging
jurisprudence,” Mahlum and Goodman wrote. “Balancing these data-driven
issues requires an understanding of the ever-evolving landscape of each
competing concern.”

Now, even those laws may be changing. According to an article in the Wall
Street Journal, both the EU and Japan are set to institute new privacy laws
that tighten existing data breach legislation, much like the U.S. has done
in recent years. In Japan, the government is targeting specifically
financial firms, raising the penalty for not disclosing when an individual
user’s data has been breached from 500 yen to 10,000 yen ($75) per user.
Olivier Piou, chief executive of data-security firm Gemalto, told the WSJ
that 500 yen was simply “not enough of a deterrent.”

The EU, meanwhile, looks to institute widespread data breach notification
rules. The discussion is in the early stages, and the proposed legislation
is controversial due to its stringent nature — companies would be required
to disclose any data breach within 24 hours. However, the fact that the EU
is even having this discussion is noteworthy.

The way the litigation is going, in-house counsel should beware that the
rules are only going to become stricter within the next couple of years. As
Piou said, “In the next few years it will be an obligation, whether by law
or reputation. Banks still hesitate to communicate a lot on their
penetration and their events. Why? I think we are past the question of
‘should we do something,’ it’s ‘let’s do something.’”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
