Jean-Yves Gilg

Editor, Solicitors Journal

Cybersecurity laws in the US and UK

Kathleen Rice and Huw Beverley-Smith consider the effects of cybersecurity legislation on data protection and privacy, both at home and abroad

Recent legislative activity in both the US and UK signals that cybersecurity remains at the forefront of national security priorities for lawmakers. At its broadest, cybersecurity concerns the integrity of information stored electronically and the communications infrastructure which allows the free flow of such information.

Governments, businesses, and individuals require protection from unlawful access, disclosure, or interference with communications networks - whether by criminals, private bodies, state-backed organisations, 'hacktivists', or political and religious extremists.

Such laws require a delicate balance between the competing interests of individuals' privacy in their data and communications and broader government and corporate interests in ensuring security.

Information sharing

The US Senate recently passed the Cybersecurity Information Sharing Act (CISA), which provides legal authority for companies to monitor information systems and take specific defensive measures. Private entities that share cyber threat information with each other and with the federal government are given protection from liability.

In the EU, proposals are being finalised in the draft Network and Information Security Directive to create obligations for operators of critical infrastructure to report data breaches and for greater co-operation between competent authorities.

This is important since companies that are seeing cyber threats unfold on their networks could help others better defend against such threats through sharing information with other companies (under CISA) or through competent authorities in the EU.

CISA also has potential benefits for government agencies by providing them with real-time awareness of the threats faced by the private sector. While the government receives threat data from myriad sources, many of them classified, the information it could learn from private sector entities is information it might not otherwise have.

At the same time, private entities can learn a lot about active and potential threats from the government. Encouraging the flow of information in both directions by providing liability protections is critical for providing an accurate and up-to-date threat picture across government and private networks. Of course, if Congress makes the process for sharing information with the government difficult to navigate, or further limits the liability protections, companies are not likely to make such sharing a priority.

CISA has attracted some controversy and challenges based on concerns about the nature and extent of the information which federal government agencies may receive. However, CISA also recognises that individual privacy interests must be protected. It is important to remember that CISA is not a surveillance Bill and there is no requirement for a company to provide the government with any information.

Further, it does not generally contemplate the sharing of private communications, and it does afford clear privacy protections to limit the sharing of personal information that is not cyber threat-related.

Government powers

Meanwhile, in November the UK published the draft Investigatory Powers Bill (IPB), a major piece of legislation intended to govern the powers available to state bodies to access communications data. It aims to clarify the statutory basis for access to and storage of information and the purposes for which such information may be used, and sets out a system of authorisations for acquiring communications data.

Most controversially, the IPB provides powers for the home secretary to require communications service providers to retain internet communications records for up to 12 months. This covers the services to which an individual has connected (for example, the main internet domain) rather than the individual's full internet browsing history, and is intended to provide investigative leads.

However, it allows a fairly accurate picture to be built of an individual's browsing habits. In addition to concerns about the uses to which such data may be put, there is also the obvious concern about the extent to which such data can be kept secure in the light of recent data losses suffered by communications providers.

Cybersecurity incidents and constantly evolving threats are placing new pressures on companies to prevent and respond to such harm.

New laws, like CISA and the IPB, can bring clarity to the ongoing cyber debate. How companies, individuals, and governments ultimately respond remains to be seen. SJ

Kathleen Rice, pictured, is counsel at Faegre Baker Daniels, Washington DC, and Huw Beverley-Smith is a partner at the firm, based in London