
Security and privacy

In document Navigating the Digital Age (Page 167-170)

INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS, AND RULES OF THE ROAD

As technology and economics continue to drive connectivity, cloud, mobility, data analytics, the Internet of Things, and the Industrial Internet, we must deal effectively with security and privacy. It’s not just the Snowden effect. People are still working through what they think about security and privacy. Most want both. Some regions have differing views. In the U.S., we limit what the government can do through Constitutional Fourth Amendment restrictions on unreasonable searches and seizures, but we freely give personal information to commercial companies in exchange for free content and other services we like. In Europe, it’s the opposite. The E.U. presumptively limits what information relating to individuals the private sector can collect and share, but often has minimal legal procedures regulating government activities to collect information about its citizens. China has its own view on national security and information, as does Russia. In any event, companies have an important role to play in the future of the intersection of security and privacy.

Most people talk in terms of balancing security and privacy. This may be a false dichotomy. I think the better approach is to drive to security and privacy. Try to get both right. Do what you need to secure a system or crown jewels or an enterprise, and use techniques and technologies that help ensure privacy. I think this is the challenge for the future and likely an area that will spur great innovation. How can we work effectively with anonymized data? How can we implement machine-to-machine anomaly detection without identifying the individual, or that a device belongs to a particular individual? How can we manipulate encrypted data at scale? Can we know enough from encrypted data streams across the enterprise or network to understand and stop an exfiltration or an attack? How can we share cyberthreat information that is anonymous and actionable? These are the questions companies can and should ask when providing service domestically, but particularly globally. There is no doubt a competitive advantage in providing solutions that don’t raise privacy concerns.

‘Real security’ is the goal, and one that will likely get you where you need to be for compliance as well.

Here is a list of categories of laws to be concerned about and a few specific use cases:

• infrastructure security: voluntary public-private partnerships (U.S., U.K.), regulation of critical infrastructure (China, pending in E.U., pending in Germany), sector-specific regulation (India telecoms, U.S. chemical, Russia strategic industries)

• incident notification: data breach (U.S. in 47 states, E.U. telecoms, pending new E.U. Privacy Directive), SEC disclosure of material adverse events (U.S. SEC)

• tort, contract, product liability: in the absence of specific regulation, a company must use ‘reasonable care’ to secure its own and third-party data, continue to provide service, build secure products, and protect IP (U.S., E.U., India and, for contract, globally)

• board of directors, corporate: the board must use its ‘business judgment’ to secure the assets of the company and provide reasonable security (U.S.)

• acquisition of information by nation-states: lawful intercept of telecoms (most countries), requests from non-telecoms by judicial or administrative process (most countries), collection outside of the home country (most countries)

• technology controls, national security reviews, and certifications: export control of commercial technologies (U.S.), export control of military technologies under ITAR (U.S.), certification of IT products (Common Criteria evaluation in 26 countries, China’s own requirements, Russia’s own requirements, Korea pending), import restrictions on encryption (China, Russia), in-country use of encryption (China, Russia), national security reviews for M&A (U.S. CFIUS & FCC, China)

• privacy: economy-wide limits on collection and transfer of information about individuals (E.U.), sector-specific (U.S. health care HIPAA, financial GLB),

■ Conclusion

Cyber is by definition a global issue for any company, CEO, and board. The company’s networks are global, products are global, and adversaries are global. Furthermore, the company must have relationships with governments globally. Many companies are ‘global citizens’ and have a majority of their sales outside their home country. Where the cyber issue is top of mind in each of the major markets these companies serve, and where governments have not yet sorted out acceptable global ‘rules of the road,’ it is incumbent on company leadership to help figure out what the future is going to look like. Without common ground about what’s OK and not OK for governments to do with regard to each other, companies, and citizens, we will face an uncertain technology future. I am optimistic about the future and about the ability to master the cyber issue. However, it will take moving through the problem set. We are at an inflection point: as we continue to embed devices, software, and hardware into everything, we need to have a view, a path, a structure that gives us confidence. Therefore, when we sit down in an office such as the attorney general’s or a board of directors and ponder the better and lesser proclivities of mankind, we must be confident we are driving rules-based decisions to the happier side of the ledger, one that ensures we reap the benefits of this terrific, accelerating age of technology.

Pillsbury Winthrop Shaw Pittman LLP – Brian Finch, Partner

Managing third-party liability
