In Wake of Equifax Breach: Standards Advance, Uncertainty Follows

F. Paul Greene

A mere seven working days after the Equifax breach, the New York State Department of Financial Services (DFS) proposed regulations extending its recently promulgated cybersecurity requirements, found in 23 NYCRR Part 500, to cover consumer credit reporting agencies. Little was made of this move, lost as it was in the dry and often arcane world of administrative procedure. The move was remarkable, however, in that an administrative agency was undertaking to determine for itself the scope of its own authority, attempting to extend that authority in reaction to a headlines-grabbing event. Administrative agencies exist to enforce the law, not make it, and require legislative authority to promulgate regulations. Given the scope and nature of the Equifax breach, however, it seems unlikely that any serious jurisdictional challenge to DFS’s proposal will be made. The comment period for DFS’s proposal ended on Nov. 20, 2017.

A 'Reasonableness' Standard Is Growing

In New York State, DFS’s proposed extension of Part 500 to consumer credit reporting agencies was only the tip of the iceberg for lawmakers and regulators who want to demonstrate responsiveness to the growing breach-related alarm and anxiety among their constituents. On Nov. 1, 2017, the New York State Attorney General introduced legislation to amend the state’s data breach notification statute, N.Y. General Business Law §899-aa, and add substantive data security requirements for “any person or business that owns or licenses computerized data which includes private information of a resident of New York.” See S.B. 6933, 2017-18 Reg. Sess. (N.Y. 2017). Currently, §899-aa requires only notice in relation to a data breach, not pre-breach data security standards, and it applies only to persons or businesses “conduct[ing] business in New York state.” See N.Y. Gen. Bus. Law §899-aa. The attorney general’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a direct response to the Equifax breach, seeking, according to the Attorney General’s office, to “close major gaps in New York’s data security laws,” and “[r]equir[e] reasonable security for private information, using standards tailored to the size of the business, while avoiding duplicate regulations and providing incentive to businesses that certify security compliance.” See https://ag.ny.gov/press-release/ag-schneiderman-announces-shield-act-protect-new-yorkers-data-breaches. Yet the SHIELD Act’s focus on “reasonable” data security standards is not new. 
It has been part of the regulatory landscape for many businesses since at least 2002, when the Federal Trade Commission entered into a consent order with Eli Lilly & Co., requiring that Eli Lilly establish an information security program “identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information, including any such risks posed by lack of training, and addressing these risks.” See Matter of Eli Lilly & Co., Docket No. C-4047, F.T.C. (May 8, 2002). The FTC drew this “reasonableness” standard from its long history of enforcing against unfair and deceptive business practices under Section 5 of the FTC Act generally, but without the support of any specific legislation or regulation mandating “reasonable” data security practices. Since 2002, states have begun to adopt this standard. Nevada has required “reasonable security measures to protect [certain forms of personal information] from unauthorized access, acquisition, destruction, use, modification or disclosure” since it enacted its Security of Personal Information Law in 2005. See NRS 603A.210. Earlier this year, Delaware adopted changes to its data breach notification statute, effective April 2018, requiring “[a]ny person who conducts business in this state and owns, licenses, or maintains personal information in Delaware” to adopt “reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” See 6 Del. C. 12B-100. This of course includes many of the largest publicly traded corporations in the world, which are organized under the laws of the State of Delaware.

'Reasonableness' Is a Moving Target

At first glance, a “reasonableness” standard may seem eminently reasonable. What less should one expect from those to whom we give our sensitive information than to act reasonably? The problem comes, however, when attempting to determine, especially post-breach, what data security efforts were reasonable in light of circumstances that existed before the breach. The FTC gives extensive guidance as to what it considers to be reasonable, but too much guidance can be a bad thing. When asked to identify, under oath, where companies should look to determine what the FTC considers to be reasonable, the FTC pointed to no fewer than seven separate sources for guidance, all of which color what a company should consider to be “reasonable” in the eyes of the FTC: the FTC’s “speeches, business education, Congressional testimony, articles, blog entries[,…] Commission materials, as well as other FTC settlements in the data security area.” See Matter of LabMD, Deposition of Daniel Kaufman, Deputy Director, Bureau of Consumer Protection, FTC, May 12, 2014. Of course, a standard that must be cobbled together from at least seven different, changing, and potentially contradictory sources is no standard at all. Yet the FTC’s position, which has been upheld in the federal courts, is that data security considerations are, by definition, unique to the facts and circumstances that surround them, and the outlines of any inquiry into “unfair” or “deceptive” business practices under Section 5 of the FTC Act must be “flexible.” See FTC v. Wyndham Worldwide, 10 F. Supp. 3d 602, 620 (D.N.J. 2014) (“[T]he contour of an unfairness claim in the data-security context, like any other, is necessarily ‘flexible’ such that the FTC can apply Section 5 ‘to the facts of particular cases arising out of unprecedented situations.’”).

Overlap and Non-Exclusivity

The watchwords for data security standards in the United States, whether public or private, have long been overlap and non-exclusivity. Most U.S. for-profit businesses face at least two regulators in relation to data security: the FTC and the state in which the business resides. Many face dozens of regulators, each with differing standards concerning what kinds of data are protected; what protection standards apply; when, how, and to whom to give notice of a breach; and potential fines and penalties. And with all 50 states having adopted “little FTC Acts” or otherwise prohibiting “unfair” or “deceptive” business practices, every state is de facto empowered to enforce the same kind of “flexible” data security standard adopted by the FTC since at least 2002. This only increases the inherent complexity of a “reasonableness” standard, especially with no consensus among competing jurisdictions as to what is considered “reasonable.” The New York SHIELD Act is symptomatic of an accelerating arms race occurring around the United States, as states, and sometimes multiple regulators within a state, rush to be at the vanguard of data security regulation. Part 500, promulgated by DFS, was the first example of a state administrative agency creating data security requirements based upon the agency’s general authority to regulate a specific industry. In doing so, DFS now exerts authority well beyond the physical boundaries of New York state, affecting businesses around the world that operate under the New York banking, financial services, or insurance laws. The SHIELD Act has taken up DFS’s gauntlet, proposing to extend the attorney general’s authority worldwide, specifically to any “person or business” that maintains private information concerning a New York state resident. 
This potentially includes, for the first time in New York state, not-for-profits, churches, local public benefit corporations, as well as individuals gathering private information for purely personal purposes. In this regard, the SHIELD Act outstrips even the expansive EU General Data Protection Regulation (GDPR), which goes into effect in May 2018. GDPR, like the proposed SHIELD Act, has potential worldwide reach, but at least GDPR excludes from its scope actions “by a natural person in the course of a purely personal or household activity.” See GDPR Art. 2, §2(c). Following another trend seen among the states, the SHIELD Act provides a safe harbor for persons or businesses complying with certain other regulatory standards, such as Part 500, the HIPAA Security Rule or the Gramm-Leach-Bliley Act. This safe harbor can be limited, however, providing protection only from attorney general enforcement, and excludes other state-law data security standards, such as, for example, the substantive data security requirements found in Massachusetts and elsewhere. The safe harbor also excludes acts determined to be gross negligence. The problem with a gross negligence standard, however, is that, after a breach, hindsight is often 20/20 and negative. A company facing the inevitable public backlash arising from a data breach may be reluctant to engage in a protracted and public legal battle with the state as to whether the breached company was grossly or only merely negligent.

Conclusion

Given the post-Equifax political climate, there is every indication that the SHIELD Act will pass in its current or a substantially similar form. And as proverbial “laboratories of invention,” other states are sure to follow, adding to the confusion and complexity surrounding data security regulation in the United States. When viewed against this backdrop, a “reasonableness” standard might unfortunately be the most unreasonable approach a regulator or state legislature can take.

F. Paul Greene is a partner and chair of the privacy and data security practice group at Harter Secrest & Emery. He can be reached at fgreene@hselaw.com.
