
Expanding the Cyber Regulations Landscape: How Can We Keep Up?

Written by: Cameron G. Shilling

Published in NH Bar News (3/18/2020)

Lawyers and law firms face a multiplicity of laws governing information privacy and security, and the regulatory landscape expands continuously. Addressing each applicable law and responding to each emerging regulation is not operationally feasible or cost effective. We need a strategy that gets us and keeps us ahead of the regulatory curve.

Cyber regulations have expanded in two ways: (1) the scope of information covered; and (2) the types of obligations imposed. Early widespread cyber laws covered limited information, known as personally identifiable information (PII). PII consisted of an individual’s name in combination with social security, financial account or governmental identification number. Most such laws imposed only an obligation to notify regulators and affected individuals of a breach.

Initial regulatory expansion imposed obligations on businesses to affirmatively identify their cyber vulnerabilities, implement measures appropriate to the business to mitigate or eliminate the risks, adopt an information security policy, and train employees. Massachusetts and California led with such laws, which impacted New Hampshire and other States, since the regulations apply to any business that has covered information about residents of Massachusetts and California. At the same time, federal regulations expanded to encompass many businesses that handle protected health information (PHI) for HIPAA covered entities.

Recent regulatory expansion has dramatically increased the scope of covered information. At first, such laws encompassed additional categories, like genetics, biometrics, geolocation, and social media information. However, now, regulations have grown to cover all information that is identifiable to an individual, including information as basic as name, address, and email, which is simply called personal information (PI).  One example of such a law is New York’s artfully named Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act.

Recent regulations also dramatically expanded the obligations imposed on businesses with respect to the privacy of PI. Such laws require a business to notify individuals about what PI it collects about them and how it uses the PI, obtain consent from individuals before using certain sensitive PI, and honor rights that individuals have with respect to their PI, such as requiring the business to correct inaccurate PI, give a copy of their PI to individuals and other businesses in a usable format, restrict use of their PI, and delete all PI that the business has about them.

These broad privacy regulations initially emanated from the European Union General Data Privacy Regulation (GDPR) and Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). However, California adopted a similar law called the California Consumer Privacy Act (CCPA) effective January 1 this year, and many other States (including New Hampshire and Massachusetts) have such privacy bills pending in their legislatures.  These laws apply extra-territorially to businesses that have PI about residents of those jurisdictions, and engage in business either with those individuals or in those jurisdictions.

Adding to this landscape, lawyers and law firms are ethically required to implement reasonable measures to safeguard client information.  Those ethical obligations were discussed in the article Information Security Is Our Ethical Duty, N.H. Bar News (Feb. 20, 2019).

Getting ahead of the regulatory curve requires lawyers and law firms to address both security and privacy for all PI. Doing so means, first, conducting a comprehensive assessment to identify what information the business has, how it is used, and what risks exist to the confidentiality, integrity, and availability of it. Given the complexity of regulations and the lack of experience most lawyers and firms have in this area, it is critical to retain a knowledgeable professional to guide you through the process and select an appropriate compliance regime for the business.

Based on that assessment, you must then implement measures that remediate the risks, adopt policies that comprehensively address current and forward-looking privacy and security issues (including existing and likely forthcoming regulations), and train employees about information privacy and security. While this can seem daunting, lawyers and law firms that commit to the process can and do achieve compliance with information privacy and security regulations.

Cameron Shilling chairs McLane Middleton’s Information Privacy and Security Practice Group.  Founded in 2009, the firm’s team of three attorneys and a technology paralegal assist businesses and private clients to improve upon their information privacy and security compliance, and address any security breach or incident that may arise.
