- Drawing an analogy to the fears expressed in “The Wizard of Oz,” the article underscores how companies grapple with varied and sometimes conflicting legal obligations across different jurisdictions.
- Under the “lions” category, the article discusses mandatory incident notification obligations. The “tigers” category refers to legal restrictions on data collection, use, and transfer during the investigation of a cyber incident. Lastly, the “bears” category covers potential conflicts of law for disclosures to home law enforcement or other authorities.
- Thoughtful planning and incorporating legal complexities into incident response plans and exercises can help reduce uncertainty and manage the risks that global legal obligations create during cyberattacks.
This article by Brian Hengesbaugh delves into the complex global legal challenges companies face during cybersecurity investigations, particularly in the context of global ransomware and cyberattacks. Drawing an analogy to the fears expressed in “The Wizard of Oz,” the article underscores how companies grapple with varied and sometimes conflicting legal obligations across different jurisdictions. These obligations impact the timing and content of mandatory notifications about cyber incidents and the very nature of the cybersecurity investigation itself. The article categorizes these legal risks into three broad areas: lions, tigers, and bears.
Under the “lions” category, the article discusses mandatory incident notification obligations. These include data protection and privacy breach notices, public company notice obligations, and sector-specific regulatory notices, such as those in the financial, healthcare, and telecommunications sectors. These obligations vary significantly in purpose, scope, and timing, adding complexity to the incident response process. For example, data protection laws in over 35 jurisdictions require notification within 72 hours. In contrast, the U.S. Securities and Exchange Commission requires public companies to notify within four days if a serious cyber incident occurs.
The “tigers” category refers to legal restrictions on data collection, use, and transfer during the investigation of a cyber incident. This involves ensuring compliance with data protection and privacy laws, including issues related to cross-border data transfer and special considerations for sensitive personal data. The article also highlights the need to address local wiretapping, electronic communications laws, and labor and employment laws, particularly in jurisdictions with stringent rules like Germany and Brazil.
The “bears” category covers potential conflicts of law for disclosures to home law enforcement or other authorities. This includes anti-investigatory or “blocking” statutes, local bank secrecy or professional confidentiality duties, and restrictions related to “state secrets.” For example, French and Swiss laws prohibit certain types of data sharing that might be relevant in an investigation, and Chinese law imposes restrictions on data related to sensitive sectors or government officials.
The article concludes with recommendations for companies to prepare for these legal challenges. It suggests conducting pre-incident assessments to identify applicable legal obligations and aligning data compliance frameworks to mitigate risks. Thoughtful planning and incorporating legal complexities into incident response plans and exercises can help reduce uncertainty and manage the risks that global legal obligations create during cyberattacks.