Cyber Law is ramping up around the world, but can it keep pace?
According to Forbes, 2016 was a particularly eventful year in the cyber threat landscape. Nation-state operations loomed large in the US presidential election, database breaches grew ever larger, cybercriminal tactics grew more innovative, and cyber law is struggling to keep up. Individual activists and mass-participation campaigns continued to target companies and organizations for ideological reasons. 2017 will be a year when geopolitical shifts and technological advances by nation-state and criminal actors combine to create an unprecedentedly complex cyber threat landscape.
In terms of nation-state activity, Donald Trump’s accession to the presidency is likely to mark a shift in US foreign policy, bringing a number of cyber security implications. Trump’s stated desire to prioritize what he feels are US interests and a more transactional foreign policy, and his indication that he will better tolerate the spheres of influence of other global powers, are likely to embolden these actors to conduct a range of cyber activity within their respective backyards, with reduced fears of US reprisals.
The lay of the cyber law land in 2016
Key legislation on cyber security and data flows in 2016:
China: Cyber law outlines stricter government controls over ‘critical information infrastructure’
Russia: Yarovaya cyber law increases government access to online content
UK: Investigatory Powers Act places new obligations on telecommunications companies
US: Amendments to Rule 41 expand hacking powers of law enforcement agencies
US/EU: Ongoing challenges to Privacy Shield Agreement threaten companies’ ability to transfer data
- Net neutrality legislation and guidelines
- General Data Protection Regulations give companies greater responsibility for data security
- Proposed amendments to ePrivacy Directive to regulate communications services over the internet
- Directive on Security of Network Information Systems aims to harmonize cyber security standards
Australia: Privacy Amendment Bill set to introduce mandatory disclosure of data breaches
United Arab Emirates: Increased restrictions on use of virtual private networks in the country
What about me?
In the US, bipartisan support for a federal data breach disclosure law is currently growing. How soon would you want to know if hackers got their hands on your Social Security number, credit card details or even your email and phone number?
More than 1 billion Yahoo (YHOO) accounts were breached in 2013, but consumers didn’t hear about the hack until December 2016. Yahoo says it found out about the security issue in November 2016, but even a month’s delay may have been too long for some. That’s because the laws governing when companies have to inform customers about data breaches vary widely around the country, prompting legislators, regulators and consumer advocates to call for federal legislation requiring companies to contact customers who have had their data breached.
Speaking at a panel hosted by the National Cyber Security Alliance, a public-private partnership for online security and privacy, the standing Federal Trade Commission Chairman Maureen Ohlhausen said legislation may soon be on the way. The FTC regulates businesses to protect consumers, and can penalize hacked companies under Section 5 of the Federal Trade Commission Act — even though it wasn’t originally written for online issues — because it targets companies for “unfair or deceptive acts or practices.” Although 47 out of 50 U.S. states have their own data breach laws.