CYBERLAW PREDICTIONS: DATA SECURITY, CLOUD COMPUTING, AND IDENTITY MANAGEMENT

This post is the thirteenth in a series of predictions from legal and business experts about the directions cyberlaw policy might take in 2013, solicited by editors of BNA's Electronic Commerce & Law Report during the closing weeks of 2012. We asked that the remarks be brief -- something along the lines of a Twitter "tweet" or an elevator pitch. Over 100 attorneys, law professors, online business executives, policy advocates and other cyberlaw experts responded, producing 307 separate assessments, predictions, or just plain complaints regarding any of the many legal subject areas that affect online businesses.

Most observers see Congress again picking up cybersecurity as a policy priority in 2013. If Congress doesn't act, President Obama may very well impose his own cybersecurity program. Increasing levels of identity theft and other cybercrimes may lead courts, or the Federal Trade Commission, to fashion new data security standards of care for net-connected businesses. Identity management technologies, backed by new laws encouraging or demanding their deployment, could also play a role in combatting online crimes. Finally, the rapid adoption of cloud computing technologies will test everyone's toleration for cyber-risks in 2013.

The experts' views:

Information Security

If only Privacy by Design had started out as Cybersecurity by Design. Alan Charles Raul, Global Coordinator of Privacy, Data Security and Information Law Group, Sidley Austin LLP, Washington, D.C.

Whether by legislation, FTC action, or common law, we're rapidly moving toward an environment where all businesses will be subject to a legal duty to provide "reasonable" security for the data they maintain and the systems they operate. Thomas J. Smedinghoff, @smedinghoff, Partner, Edwards Wildman Palmer LLP, Chicago.

Grammatical errors in spam will increase because they are intentional and tactical. The errors weed out sophisticated people who assume the spam is from clumsy low-level scam artists rather than cunning criminals, and effectively generate responses from less sophisticated internet users who innocently answer phony requests for emergency funds purportedly sent by acquaintances saying they have been robbed at gunpoint while traveling abroad. William A. Tanenbaum, Partner and Chair, Intellectual Property & Outsourcing Group, Kaye Scholer LLP, New York, N.Y.

An international convention on cybersecurity will authorize deep packet inspections and other governmental intrusions, confirming existing homeland security rules. William B. Bierce, @wbierce, Partner, Bierce & Kenerson, P.C., New York, N.Y.

While attackers can be persistent and use sophisticated tools, most data breaches result from the failure to implement basic or intermediate security controls across a network, or across a linked network of affiliated entities. As a legal risk management matter, therefore, corporate legal departments need to get involved in whether the IT department has the time, resources, head count, and budget to mitigate the top threats and vulnerabilities. Jennifer C. Archie, Partner, Latham & Watkins LLP, Washington, D.C.

The HIPAA and HITECH final omnibus rules will be released, if not before the end of 2012, for sure in 2013. The remaining CEs who have been sitting on their hands for the past several years, and almost all of the BAs who've done little more than sign a BA agreement, will scramble trying to get into compliance as quickly as possible, fearing that they will be audited and will face huge fines and associated penalties. Rebecca Herold, @PrivacyProf, Chief Executive Officer, The Privacy Professor, Compliance Helper, and Norwich University, Des Moines, Iowa.

Security of critical infrastructure will emerge as a defining issue of 2013. Andy Roth, Partner, SNR Denton, New York, N.Y.

There won't be cybersecurity legislation anytime soon, but there will be an executive order. What it says about information sharing and "voluntary" security standards will be important for companies that constitute "critical infrastructures," even if the EO lacks the force of legislation. Michael Vatis, Partner, Steptoe & Johnson LLP, New York, N.Y.

Cybersecurity is the new frontier. Private companies and governments will have to cooperate in new and creative ways to protect assets, critical infrastructure and data. Miriam Wugmeister, Partner, Morrison & Foerster, New York, N.Y.

Identity Management

Digital identity management is becoming a hot issue both in the U.S. and the EU. Businesses and governments alike are beginning to realize that digital identity management is fundamental to the further development of the internet economy. For each party to a significant online transaction, identifying the other, and being able to authenticate that identity is a key requirement. Thomas J. Smedinghoff, @smedinghoff, Partner, Edwards Wildman Palmer LLP, Chicago.

Identity management should be a basic course for everyone in the school of life. Individuals need to consider how much information they give up to third parties with whom they interact. Companies need to develop what they collect and how they use identity information as the repercussions of leaking identity information or mismanaging it are being increasingly policed by public and private parties. Kevin R. Erdman, @kevinerdman, Partner, Reichel IP LLP, Indianapolis.

Through implementation of its National Strategy for Trusted Identities in Cyberspace (NSTIC), the U.S. is seeking to establish a private-sector led voluntary framework to facilitate trustworthy online identity verification. By contrast, the European Commission is promoting a draft eID regulation for the EU to achieve the same goal. Addressing the privacy and liability issues remains the biggest legal hurdle under both approaches. Thomas J. Smedinghoff, @smedinghoff, Partner, Edwards Wildman Palmer LLP, Chicago.

Cloud Computing

In the cloud, nobody knows you're a dog--unless they do their due diligence. Alan Charles Raul, Global Coordinator of Privacy, Data Security and Information Law Group, Sidley Austin LLP, Washington, D.C.

Cloud computing will make disaster recovery sites unnecessary. There is little need to maintain expensive backup sites when data is replicated in the cloud and can be downloaded rather than restored from backup media in a time-consuming, labor-intensive effort under emergency conditions. William A. Tanenbaum, Partner and Chair, Intellectual Property & Outsourcing Group, Kaye Scholer LLP, New York, N.Y.

Cloud Computing is a rapidly growing market, but legal differences make it difficult for U.S. companies to successfully offer their services in Europe. Seek expert advice and make your services compliant with European laws. Thomas Rickert, @thomasrickert, Managing Partner, Schollmeyer & Rickert Law Firm, Bonn & Frankfurt, Germany.

After Hurricane Sandy, every enterprise will put key confidential operational data into the Cloud or other virtual environment, with uncertain security. William B. Bierce, @wbierce, Partner, Bierce & Kenerson, P.C., New York, N.Y.

The shift to smartphone-centric computing is as big an inflection point as the shift from mainframes to PCs. It is not a return to mainframe time-sharing, because the computing power is in your hand and the data is available by the data anytime, data anywhere cloud model. William A. Tanenbaum, Partner and Chair, Intellectual Property & Outsourcing Group, Kaye Scholer LLP, New York, N.Y.

Hackers and Other Cybercriminals

By the end of 2013 (if not already), every type of crime will rely heavily on the use of computers. As a result, every law enforcement official from the head of the FBI down to the traditional "beat cop" must master cybercrime, digital evidence collection, and computer forensics. Joseph V. DeMarco, @devoredemarco, Partner, DeVore & DeMarco LLP, New York, N.Y.

Phishing & Vishing: Why is it so difficult to catch the fisherman? The Convention of the Council of Europe on Cybercrime is the first international treaty to address cybercrime. Increasing investigative techniques and providing procedural measures. Edwin Jacobs, @Edwin_Jacobs, Partner, time.lex, Brussels.

Brazilian cybercrime bill, enacted on December 3, 2012, will be enforceable in April. Now unauthorized access is forbidden. Renato Opice Blum, @opiceblum, Partner, Opice Blum Advogados Associados, Sao Paulo.

New types of cyber-fraud will emerge through exploiting privacy risks associated with big data analytics. Even with no specific PII involved, the big data will reveal personal information that will be exploited for fraud and other crimes. Rebecca Herold, @PrivacyProf, Chief Executive Officer, The Privacy Professor, Compliance Helper, and Norwich University, Des Moines, Iowa.

First steps are taken against Brazil's lack of legal framework to prevent illegal activities in cyberspace, as two laws on cyber and computer crimes were enacted in late 2012. João Harres & Fábio Pereira, Associates, Veirano Advogados, Rio de Janeiro.

Invasions of digital devices for the obtainment, adulteration or destruction of data or information are now typified as crimes in Brazil and may lead to imprisonment. João Harres & Fábio Pereira, Associates, Veirano Advogados, Rio de Janeiro.

Follow me on Twitter at @tjotoole.