In House - The FindLaw Corporate Counsel Blog

Global Cybersecurity Threats Are Coming

In a world connected through the internet, satellites, cell zones, and wireless networks, cybersecurity threats can come from virtually anywhere and affect almost anybody.

This is especially true in the United States, where even the recent presidential election was affected by email hacks and security breaches. Cyber-espionage has become the weapon of choice for some governments.

In the breach, lawyers and their clients may want to consider cybersecurity laws taking shape in many parts of the world. Winston and Strawn partner Lisa Thomas lays out a global roadmap for the coming years:

1. Privacy and Security in China

In November 2016, China passed a cybersecurity law that permits the government to audit and release source code and encryption keys. The law also requires government's permission to transfer personal information out of the country. The new law will take effect in June 2017, causing Chinese businesses to assess their security and data transfer policies now.

Under new regulations, Thomas said, companies will be limited on the amount of personal information they can collect and must collect only information that is relevant to a company's business. If consumer consent is required, records of that consent must be retained for five years.

2. The New European-Wide Privacy Regulation

Multinational companies will spend much of 2017 preparing for compliance under the new EU General Data Protection Regulations (GDPR). The regulation goes into effect in 2018 and differs from the current privacy regime in Europe.

The changes will require many companies to reevaluate their practices and create new procedures to ensure compliance. For example, the GDPR includes a "right to be forgotten" for individuals to ask a company's data controller to delete their personal information.

Some companies will also be required to have a data protection officer, Thomas wrote. The regulations are provide procedures for handling data breaches and the types of security required for personal information.

3. United States' Cybersecurity Changes

In the United States, states like California, Nebraska, Oregon, Rhode Island, and Tennessee continued to modify cybersecurity laws in 2016. California changes have already gone into effect.

Some states, such as Illinois, have changed how they handle encryption. Others, according to Thomas, modified requirements about when individuals need to be notified, or added a requirement to notify the relevant attorney general.

Related Resources: