Offering tips to attendees at the Cybersecurity Summit last week in downtown Denver, Colorado Attorney General Phil Weiser made a reference some readers might recognize:
“What I would say about cybersecurity is what Mad-Eye Moody said to Harry Potter: ‘Constant vigilance.’”
That might have been a recurring theme across the panel discussions held Wednesday. The Ballard Spahr-hosted event featured speakers from the Colorado Attorney General’s Office as well as private and in-house lawyers, and covered issues spanning the legal landscape of cybersecurity.
The Colorado Attorney General’s Office is the state’s prime enforcer of data privacy rights, particularly Colorado’s data breach notification requirements. Weiser shared his views on enforcing data privacy laws and best practices. “Constant vigilance,” he said, includes monitoring who’s in the organization’s networks and whether it has adopted current practices in encryption and two-factor authentication.
“Organizations should be living in fear of how cybersecurity harms can cripple them,” Weiser said. “The challenge for lawyers and those in public policy is how do we create a regulatory regime that acts in the service of better cybersecurity, not one that gets in the way?”
Weiser said he is “a big fan” of Europe’s co-regulation approach, which he described as governments laying out data privacy principles, giving private entities “room to implement them,” and the governments overseeing compliance. That approach is “promising” for driving better practices in data privacy and security, Weiser said. “As we think about cybersecurity in Colorado, and also nationally, this is the way I’d like to see us go.”
In one of the panels, attorneys from Weiser’s office discussed how it enforced Colorado’s new data privacy law in its first year on the books. Mark Bailey and Dan Pietragallo, senior assistant attorneys general in the consumer fraud unit, stressed their remarks weren’t to be taken as legal advice, but they offered insights on how they often make enforcement decisions.
Bailey said the “reasonable” standard that companies must meet in protecting Coloradans’ personal information accounts for the company’s size and the type of data it has, and the office takes that flexible approach to enforcement when a company has a data breach.
“We’re reasonable people,” Bailey said, adding that the office understands that the nature of the data breach can dictate how quickly an organization can internally investigate the incident and notify the Attorney General’s Office.
But once the company does tell the office about the breach, it should be an open book about it, Bailey said.
“I would encourage you to be as straightforward as you can,” Bailey told attorneys in the audience. “If I’ve got the one person over here who’s being up front and transparent with me, and I’ve got this other person, when I walk away from the conversation thinking that maybe there’s something more out there, that’s the person that is more likely to prompt me to do more investigation.”
“Bad faith and hiding the ball are things that will jump out at us,” Pietragallo said.
Businesses and their data privacy counsel have been watching for years as Congress has attempted to enact a federal data privacy standard. John Walsh, former U.S. Attorney for the Colorado District who also ran for U.S. Senate, weighed in on the possibility of federal standards as well as the data privacy standards states have already imposed.
Moderator and Ballard Spahr associate Gregory Szewczyk said California’s broad data privacy requirements are driving companies to minimize the amount of personal data they’re retaining but not using. Szewczyk asked Walsh if he thought Congress could push companies to minimize unnecessary data retention without being as burdensome as the California Consumer Privacy Act.
Walsh said a federal statute, as an incentive, could allow companies to opt out of requirements “if they minimize the kind of data that they hold on to.”
Some state attorneys general are wary of Congress passing a federal data breach notification standard because it might preempt the standards their states enforce. Walsh said “some preemption is … certain in any kind of federal privacy act,” although it will be “heavily contested” how far it will go.
Szewczyk asked Walsh if a federal statute could include a private right of action despite the “political hurdle” it would face. A provision allowing individuals to sue over data privacy violations has drawn opposition from lawmakers, especially Republicans.
“Right now it seems like quite an impasse,” Walsh said, adding to some laughter, “We’ll have to see what President [Elizabeth] Warren decides.”
Another panel offered the inside perspective of how businesses have been dealing with changing data privacy laws, from the CCPA to the European Union’s GDPR rules. Lindsey Schultz, counsel at Western Union, was one of her company’s lead attorneys on its GDPR compliance program, and she shared tips for companies on how to run an effective data privacy program.
Co-panelist Douglas Brush, vice president of cybersecurity for legal services company Special Counsel, also touched on the subject of data retention.
He said attorneys should question why different departments, such as marketing, are holding onto certain customer data that could put them at risk.
He said professionals may have to “start having those mature discussions … whether it’s with an IT person, or corporate counsel, or privacy officer or the C-Suite about why we have this data, and start getting rid of it.”
— Doug Chartier