What key laws exist in terms of obligations as to the maintenance of cybersecurity?
There is no one US federal requirement for the maintenance of cybersecurity. Instead, the adequacy of cybersecurity is governed by a patchwork of federal industry-specific laws, by the Federal Trade Commission (FTC) under its authority to protect consumers from “unfair and deceptive trade practices,” and by a number of state laws. The following sections summarize some of the key regulations governing cybersecurity and the industries to which they apply, but should not be considered an exhaustive list of US cybersecurity regulations.
- FTC Act: The general law governing privacy is Section 5 of the Federal Trade Commission Act, which gives the FTC authority to regulate unfair and deceptive trade practices. The FTC has brought actions alleging “deceptive” cybersecurity practices against companies that made misleading representations in their privacy policies regarding their data protection practices. In 2015, in the Wyndham case, the Third Circuit Court of Appeals affirmed the FTC’s authority to regulate “unfair” cybersecurity practices even in the absence of any deceptive or misleading statements. The Wyndham ruling clearly signaled that the FTC had jurisdiction to regulate companies that chose to go without minimal security measures, such as firewalls, encryption, access controls, vendor management, and incident response planning. The ruling also indicated that information security programs and incident response plans should not be static but should adapt to changing threat landscapes.
In addition to the general provisions of Section 5, certain industries are subject to industry-specific security obligations:
- Healthcare Providers and Payers: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires certain healthcare providers and payers (“covered entities”) and their “business associates” to protect the privacy and security of certain protected health information (“PHI”). HIPAA’s Security Rule establishes minimum security requirements for PHI that a covered entity receives, creates, maintains, or transmits in electronic form. These security requirements comprise administrative, technical, and physical safeguards, and are required to take into account: (1) the size, complexity and capabilities of the covered entity; (2) the covered entity’s technical infrastructure, hardware, and software security capabilities; (3) the cost of security measures; and (4) the probability and criticality of potential risks to electronic protected health information.
- Financial Institutions: The Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions to maintain security controls to protect the confidentiality of personal consumer information. The Rule requires financial institutions to develop and implement a comprehensive information security program, which “must be appropriate for the size, complexity, nature and scope of the activities of the institution,” and must be made up of administrative, technical and physical security measures.
- New York Financial Institutions: The New York Department of Financial Services Cybersecurity Requirements for Financial Companies went into effect March 1, 2017. The new regulation requires financial services firms licensed in New York to have a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems. The program should be based on a risk assessment, and should include controlled access to company systems, the development of an incident response plan, and notification procedures. Financial institutions subject to the regulation are also required to designate a Chief Information Security Officer (CISO), who is required to submit a report on cybersecurity to the Board of Directors or equivalent governing body.
- Government Contractors: Government contractors will be subject to strict new cybersecurity regulations as of December 31, 2017. Contractors who do business with the Department of Defense are subject to the Defense Federal Acquisition Regulation Supplement (DFARS), which requires that all contractors provide “adequate security on all covered contractor information systems” (those systems that house or touch “covered defense information”). The new DFARS requirements mandate that covered contractors meet more than 100 security requirements specified in National Institute of Standards and Technology (NIST) SP 800-171. Non-defense contractors subject to the Federal Acquisition Regulation are required to protect information systems that process, store or transmit “Federal contract information.” These systems are subject to 15 standards, relating to six of the fourteen security control families in NIST SP 800-171.
- California: The California Department of Justice (CDOJ) has promulgated guidelines that cite 20 security controls identified by the Center for Internet Security as constituting “a minimum level of security – a floor – that any organization that collects or maintains personal information should meet.”
The DPA, in conjunction with subsidiary legislation established under it, provides legal provisions on the technical and organisational measures which must be implemented by controllers and processors in order to prevent unlawful processing as well as accidental destruction or loss. Such a framework provides for security obligations which need to be implemented by processors of personal data. It is also pertinent to note that the General Data Protection Regulation (the ‘GDPR’) is to become directly applicable in 2018, which means that Malta will have to comply with any further obligations to cater for cybersecurity which the GDPR may impose.
The ECNSR require any undertaking authorised to operate a public communications network to ensure the security and integrity of networks from any threats, vulnerabilities or incidents. An entity providing publicly available electronic communications services over public communications networks must do all that is necessary to ensure availability of such services, should there be a catastrophic network breakdown.
Other sector-specific legislation provides for measures to be taken in order to ensure proper information security. With respect to qualified trust service providers, which provide various electronic services, the eIDAS Regulation places obligations on such providers to ensure a high level of security by implementing appropriate technical and organisational measures, taking into account the latest technological developments. The eIDAS Regulation, inter alia, requires providers to ensure that measures are taken to minimise and prevent the impact of security incidents, and further provides that stakeholders are to be informed of adverse effects in the event of any security incident.
In the remote gaming sector, the Remote Gaming Regulations, Subsidiary Legislation 438.04 of the Laws of Malta, require service providers to adhere to information security requirements; providers are subjected to certain testing and audit processes conducted by the Malta Gaming Authority, in which they must prove that security measures proportionate to the risks were implemented.
With respect to the financial sector, the Financial Institutions Act, Chapter 376 of the Laws of Malta, and the Banking Act, Chapter 371 of the Laws of Malta, both provide a rather general obligation that the institution in question must have sufficient procedures to identify, manage, monitor and report any risks, together with appropriate internal control mechanisms. In addition to this, service providers in the financial sector are increasingly expected to set up an internal audit function in order to assess the appropriateness of the financial service provider’s internal policies and procedures, including information security and risk management strategies, and the organisation’s compliance with such policies.
Cybersecurity is primarily a private matter and responsibility for organisations and other entities. However, certain laws and regulations prescribe duties relating to cybersecurity.
The Personal Data Act Section 13 prescribes that the data controller and the data processors shall, by means of planned and systematic measures, ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data. To that end, the aforementioned parties shall document their data system and security measures. Such documentation shall be available to the employees of the aforementioned parties, as well as the Data Protection Authority and the Privacy Appeals Board. Furthermore, the Regulation on the Processing of Personal Data of 15 December 2000 no. 1265 Chapter 2 imposes several duties on the data controller with regard to risk assessments, security revisions or other organisational, physical, procedural or technical measures suitable for preventing the loss, misuse, unauthorised access, disclosure, or modification of any personal data.
Other laws and regulations providing similar requirements on cybersecurity are the Electronic Communications Act and Act no. 10 of 20 March 1998 on Preventive Security Service (The Security Act).
There is no specific law on cybersecurity under Turkish law; however, there are cybersecurity obligations and obligations to establish a data security management system in sector-specific regulations such as the Electronic Communications Law, the Banking Law and the Law on Regulation of Electronic Commerce.
Further, pursuant to the Law on Protection of Personal Data No. 6698, data controllers are under an obligation to keep personal data secure and to take the necessary measures to prevent illegal access to such data.
The Regulations on the Security Protection of Computer Information Systems and the Cyber Security Law are the key laws stipulating obligations for maintaining cyber security. Obligations in the Regulations on the Security Protection of Computer Information Systems include, for example, that no organization or individual shall endanger the security of computer information systems, and that any organization using computer information systems shall establish a security management system and be responsible for the security of its computer information systems.
‘Cyber security’ in the Cyber Security Law includes network operating security and network information security. To maintain network operating security, the law introduces obligations for network operators and for operators of critical information infrastructure (CII). Key obligations of network operators include: formulating internal security management systems and operating instructions and determining the persons responsible for cyber security; taking technical measures to prevent computer viruses, network attacks and network intrusions; taking technical measures to monitor and record the network operation status and cyber security incidents, and preserving relevant web logs for no less than six months according to the provisions; and so on. In addition to the above obligations, operators of CII shall set up independent security management institutions and designate persons responsible for security management; make disaster recovery backups of important systems and databases; formulate contingency plans for cyber security incidents and carry out drills periodically; and so on.
To protect network information security, Article 41 of the Cyber Security Law introduces obligations for network operators when collecting, using and providing to others any personal information. Network operators shall follow the principles of legitimacy, rightfulness and necessity, disclose their rules for collecting and using the information, expressly state the purpose, ways and scope of collecting and using the information, and obtain consent from the information subjects. Network operators shall not provide personal information to any third party without the consent of the information subject.
The most important laws on obligations related to the maintenance of cybersecurity are those relating to the processing and protection of personal data (such as the Mexican Data Protection Law) and the specific and specialized rules or regulations applicable to financial institutions (for example, regulations applicable to electronic banking).
The key laws imposing obligations on companies to maintain cybersecurity include the Communications Act 2003 ("2003 Act"), the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("2003 Regulations") and the Data Protection Act 1998 ("DPA 1998").
Under the 2003 Act, public electronic communications network ("PECN") providers and public electronic communications service ("PECS") providers have an obligation to take technical and organisational measures to manage risks in respect of electronic communications (section 105A). This includes notifying Ofcom of any breaches (section 105B).
PECS providers are also subject to obligations under the 2003 Regulations, which require them to take appropriate technical and organisational measures to safeguard the security of their services (Regulation 5(1)). PECS providers must inform the Information Commissioner's Office ("ICO") if there is a personal data breach (Regulation 5A(2)) and the individuals concerned if the breach is likely to adversely affect the personal data or privacy of the subscriber or user (Regulation 5A(3)).
Under the DPA 1998, data controllers are subject to various obligations including selecting a processor that sufficiently guarantees appropriate technical and organisational measures, and taking reasonable steps to ensure compliance with such measures (Paragraph 11, Part II, Schedule 1). In the event of a data breach, there is no mandatory legal duty to notify the ICO of the breach having occurred. However, voluntary reporting of a data breach will be taken into account by the ICO as a potential mitigating factor when exercising its enforcement powers and such voluntary notification may reduce any monetary penalty imposed.
Businesses operating in the financial services sector are also subject to the Senior Management Arrangements Systems and Controls ("SYSC") set out in the FCA Handbook and the STAR and CBEST standards developed by the Council for Registered Ethical Security Testers and the Bank of England. The SYSC provides obligations relating to governance, systems and controls that can directly or indirectly impose cyber security obligations on financial service providers (eg securing systems, managing risks, reducing the risk of financial crime and protecting client confidentiality). The STAR and CBEST standards allow financial services providers to demonstrate their cybersecurity assurance by passing stipulated penetration and vulnerability tests.
Company directors also have an obligation to maintain cybersecurity through the fiduciary duties they owe to their company, which are set out in the Companies Act 2006. These include the duty to promote the success of the company and to exercise reasonable care, skill and diligence while conducting their role (sections 172 and 174). Failure to understand and mitigate cyber risk (eg by failing to implement appropriate cybersecurity measures) could equate to a breach of these duties, which could lead to a claim being brought against the directors by the company or its shareholders.
Government Decision no. 271/2013 regulates the Cyber Security Strategy of Romania.
At the beginning of 2016, a draft law for the Cyber security of Romania was launched. The draft law was under public debate until September 2016, when it was withdrawn. At present, there are no further developments in this area.
There are several laws and regulations applicable in Italy which impose the adoption of policies and technologies aimed at maintaining cybersecurity. The Privacy Code requires any data controller to implement certain minimum security measures to protect personal data, with higher standards imposed on companies controlling more critical types of data (for example sensitive data or genetic data) or providing certain types of services (i.e. electronic communications service providers). Moreover, additional specific obligations to protect the security of data are imposed by regulatory authorities (such as Banca d’Italia, Consob and IVASS) on companies operating in specific sectors, like banks, financial services providers and insurance companies.
It is also worth underlining that the Italian government has recently approved a new national plan for computer security (published in the Italian Official Journal of 31 May 2017), based on the Decree of the President of the Council of Ministers of 17 February 2017 (hereafter the “Decree”). The plan and the Decree allocate the responsibilities within the Italian public administration regarding cyber protection and national computer security, and set forth the guidelines to be followed to achieve national security in this respect. The Decree also contains certain obligations applicable to a number of private operators (including providers of electronic communications networks and services, suppliers of digital services, and providers managing critical infrastructures) to notify any material security breach and to adopt best practices to maintain cyber security.
Finally, on 6 July 2016 the European Parliament approved the Directive on security of network and information systems (the NIS Directive), which contains significant provisions relating to cybersecurity. Member States, including Italy, have 21 months from August 2016 to transpose the Directive into their national laws.
The key laws imposing obligations on companies to maintain cybersecurity include general provisions in the Dutch Penal Code ("Wetboek van Strafrecht"), the Dutch Code on Criminal Procedures ("Wetboek van Strafvordering"), the Dutch Data Protection Act ("Wet bescherming persoonsgegevens") and the specific provisions of the Dutch Law on Computer Crime ("Wet Computercriminaliteit") which is incorporated in the Dutch Code of Criminal Procedures.
On 11 July 2017 the Senate of the Dutch Parliament passed a bill regarding the processing of data and cybersecurity notification ("Wet gegevensverwerking en meldplicht cybersecurity" ("Wgmc")). This new law, which will likely come into force in late 2017, establishes an obligation to notify the Dutch authorities in the case of serious IT breaches. This notification obligation will only apply to providers of products or services whose availability or dependability is of vital importance to Dutch society.
According to the provisions set forth in the Consumer Code, companies shall take all reasonable measures to offer safe and defect-free products and services. Therefore, if a company does not implement appropriate security measures (normally based on industry standards), its product or service may be deemed defective and trigger liabilities. The Internet Act establishes that, in addition to the provisions of the Consumer Code, the following security measures must be implemented by internet application providers:
- strict control over access to personal data, with defined responsibilities for the personnel who will have access to the data stored;
- authentication mechanisms must be used to control access to the personal data stored (e.g., two-step verification should be used to ensure the identification of the individual who has permission to access the personal data stored);
- detailed records of access to personal data must be kept (date, time and duration of the access, the identity of the employee responsible for the access, as well as the files that were accessed); and
- use of IT solutions that ensure the inviolability of data, such as encryption or equivalent protective measures.
In addition to the foregoing, the Brazilian Internet Steering Committee (the “CGI”) may recommend additional security measures and standards to be adopted.
Cybersecurity maintenance obligations are not contained in one specific regulation. Instead, they are scattered within several regulations, namely:
- ITE Law, as amended;
- GR 82/2012; and
- MOCI Reg.
Protection of information, equipment, devices, computers, computer resources and communication devices from unauthorised access, use, disclosure, disruption, modification or destruction comprises “cybersecurity” under the IT Act. The IT Act also requires companies to report incidents of breach of cybersecurity to the designated authority, and this obligation also extends to intermediaries under the IT Act.
There is currently no legislation in Singapore that sets out general obligations as to the maintenance of cybersecurity.
In relation to personal data, the PDPA imposes obligations on an organisation to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. There is no "one size fits all" approach that organisations can take to protect personal data. Ultimately, the security arrangements implemented should be reasonable and appropriate in the circumstances taking into account the type of personal data that is collected and the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data.
Financial institutions in Singapore are also subject to additional regulations imposed by the MAS in relation to the maintenance of cybersecurity measures and controls.
Additionally, a draft Cybersecurity Bill was released by the Cyber Security Agency of Singapore (“CSA”) on 10 July 2017 for public consultation. This draft Cybersecurity Bill aims to regulate critical information infrastructure owners by imposing cybersecurity obligations such as notification obligations, audit obligations, obligations to provide information to the CSA and obligations to participate in cybersecurity exercises. The consultation period of the Bill will close on 3 August 2017.
Key legal provisions in respect of cybersecurity include in particular:
- article 34 of the 1978 Act (see Question 7), which requires the data controller to “take all necessary precautions, in light of the nature of the data and of the risks presented by the processing, in order to preserve the security of the data and, in particular, to prevent the data being distorted, damaged or subject to unauthorized access by third parties.” A data controller which does not conform to its security obligations under this article is liable to a criminal fine of up to 300,000 euros (1.5 million euros for legal persons);
- the Military Programming Act of 18 December 2013, pursuant to which the State must rule on certain obligations such as the prohibition of certain systems connected to the internet; encourage the implementation of detection systems by certified providers; audit the security level of critical information systems; and, in the event of a major crisis, impose the necessary measures on ‘operators of vital importance.’ Further, legal persons designated as ‘operators of vital importance’ must strengthen at their own expense the security of the information systems they operate and that are deemed vital, and they are required to report incidents to the relevant authorities to give advance warning to entities potentially concerned;
- EU Directive 2016/1148 of 6 July 2016, which provides for, among other measures, a high common level of security of networks and information systems across Member States, including through standardization; for security and notification requirements on operators of ‘essential services’ as well as on digital service providers; and for the creation of a network of computer security incident response teams.
There are diverse regulations on cybersecurity depending on the industry sector and on which data is processed. When personal data is processed, section 9 BDSG and Article 32 GDPR require a level of security appropriate to the risk. Telecommunications operators are obliged to take measures to protect the secrecy of telecommunications and to guard against unauthorized access to personal data in accordance with section 109 TKG. Section 8a of the BSI Act (BSIG) regulates obligations for operators of critical infrastructure to ensure their technical functionality. An amendment of the BSIG will be made to implement the EU NIS Directive, which defines measures to ensure a high common level of security of network and information systems in the EU.
No cross-sector cybersecurity rules as regards minimum security requirements have been adopted in Switzerland. Sector-specific rules and regulator guidance are applicable. In general, personal data must be protected by appropriate technical and organisational measures against unauthorised processing regardless of where it is stored. Anyone processing personal data must ensure its protection against unauthorised access, its availability and its integrity (see Question 10). While adherence to international standards relating to cybersecurity (e.g. ISO 27001:2013) is not mandatory in Switzerland, such standards are considered a relevant tool for assessing compliance with best practices. As regards data security, the FDPIC has become active only in a limited number of cases. Under the TCA, OFCOM is responsible for implementing the administrative and technical requirements pertaining to the security and availability of telecommunications services, which includes notifying the regulator in the event of security incidents. Specific rules apply to providers of financial market infrastructure, including, among other things, rules to ensure the availability, confidentiality and integrity of data as well as business continuity.
Cybersecurity does not have a specific legal framework in Ecuador; nonetheless, it is protected through Article 178 of the Integral Criminal Code, which provides:
Art. 178.- Invasion of Privacy.- A person who accesses, intercepts, examines, retains, records, reproduces, discloses or publishes personal data, data, voice, audio and video messages, postal consignments, information contained in computer storage media, or private or reserved communications of another person by any means, without consent or legal authorization, is punishable with imprisonment from one to three years.
This provision is not applicable to the person that discloses audio and video recording where he or she personally intervenes nor when it refers to public information as provided for in the law. (emphasis added)