The international landscape for cybersecurity is at best a “patchwork” of requirements based on national rules and laws, with a potential agreement between the United States and European Union on transatlantic data flows offering an important opportunity for establishing global consistency, according to a new cybersecurity “handbook” by the American Bar Association.
These varying international requirements pose a major challenge for both large and small law firms in advising clients who engage in multinational business or rely on global suppliers, according to the ABA, which offers crucial advice for these firms in navigating cybersecurity rules and standards and ensuring the protection of critical client data.
“While counsel for businesses and large firms must be steadfast in monitoring and recording their organization’s dedication to following best practices and zeal for international cybersecurity norms, other priorities may apply to lawyers focused specifically on the practice of law,” according to the ABA handbook, which is slated for release early next month.
“The myth that law firms are too small to attract attention from cyber threats has long been proven false,” the ABA warns, advising lawyers and law firms that “the emphasis on cybersecurity measures must be placed on the protection of privileged data.”
A lack of international norms of cybersecurity presents both a challenge and opportunity for law firms in terms of data security risks and the potential for helping shape future global requirements, as presented in chapter five of the ABA handbook, and examined in this article as the second in a series on “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals.”
The first article in the series, published on Oct. 24, examined the cybersecurity risks confronted by law firms and lawyers, and specific steps recommended by the ABA on developing a risk-management strategy and cyber-incident response plan.
“While the international system is far from developing a common system of laws regarding cybersecurity, nations, nongovernmental organizations, and companies have all had a hand in developing, and will continue to influence in creating, global cybersecurity norms,” write Conor Sullivan, Kelly Russo and Harvey Rishikof in chapter five of the handbook on “international norms.”
The authors argue this lack of international consensus has led to a “patchwork” of requirements, but the possibility of achieving global agreement could rest on the abilities of the U.S. and EU to establish their own bilateral understanding.
“Currently, as a result of the competing interests between states, the world has a patchwork of international and domestic laws, regulations, and norms,” according to the ABA handbook. Yet the “goal of developing some form of consistent cyber norms is not outside the realm of possibilities,” the ABA handbook authors write.
“Through their shared cultural and economic values, it is certainly possible that the EU and U.S. could one day agree on a joint cybersecurity regulatory environment,” according to the ABA. “Such a trans-Atlantic partnership would command immense power in the development of future cybersecurity standards, simply from the combined economic and soft-power clout of the Western powers.”
The ABA handbook provides a primer on various cybersecurity standards that have international influence, including those of the International Organization for Standardization and the voluntary framework of cybersecurity standards issued by the U.S. National Institute of Standards and Technology, as well as the NATO-backed development of the Tallinn Manuals and the United Nations' Group of Governmental Experts studies.
“However, the recent failure of the 2017 GGE symbolizes the fundamental disagreements still remaining in the international community,” the ABA handbook authors conclude.
The handbook also examines the requirements established by China, Russia and the EU, which have international influence. “The European Union has consistently been at the forefront of cybersecurity norm development through its rigorous data protection regime,” according to the ABA.
For instance, the handbook authors stress the far-reaching influence of the EU's General Data Protection Regulation, which goes into effect next year.
“For entities outside the EU, the GDPR notably increases the companies subject to EU data privacy laws by including companies using data from EU citizens anywhere in the world (rather than merely companies domiciled in the EU), while increasing penalties for noncompliance and limiting legal language available in consent forms,” according to the ABA handbook.
“These changes combine to create what is, arguably, the most protective cybersecurity regulatory environment in existence at this point,” the authors conclude.
Overall, they recommend that law firms and lawyers track and adopt various international and U.S. standards to ensure the protection of personally identifiable information entrusted to them.
“While there are no clear and consistent regimes for U.S. cybersecurity yet, the consensus is that a best practices regime, as described supra, is the optimum way to avoid breaches and mitigate damage if they occur,” the handbook recommends. “Adopting the ISO and NIST frameworks can only benefit a lawyer in the case of a PII breach, and having an associate or e-mail listserv keep apprised of cybersecurity developments is a wise idea.”
The authors of the handbook's chapter five are active voices within the ABA on national security law.
Rishikof is the director and convening authority for the Office of Military Commissions and was dean of faculty at the National War College at the National Defense University in Washington, DC, and co-chaired the ABA's Cybersecurity Legal Task Force. Russo is the staff attorney for the ABA's cyber task force, and Sullivan is a joint juris doctor and master of public administration candidate from Syracuse University’s College of Law and Maxwell School of Citizenship. He interned with the ABA’s Standing Committee on Law and National Security.
– Rick Weber (rweber@iwpnews.com)