Why Security and Legal Need to Work Together
This three-part blog series explores the relationship between law and security, as it pertains to vulnerability management. In part one, we’ll look at how the changing field of cybersecurity requires legal and security teams to work together more closely than ever.
Instead of merely being an issue for IT and security teams, cybersecurity has become a primary concern across the business – especially for the legal team. As the field of cybersecurity continues to evolve, legal and security teams will need to work together to create cohesive cybersecurity measures.
The laws security teams need to know
From Europe’s General Data Protection Regulation (GDPR) to its Californian counterpart, it’s inevitable that laws will affect the work of the security team. Determining which regulations apply is only the first step, as cybersecurity practitioners also need to decide how those regulations should be interpreted within their specific organization. A close working relationship between legal and security teams is imperative for organizations to maintain compliance and avoid hefty fines or reputational damage.
Here are some critical components of current cybersecurity and data laws that your legal team can help explain to your security team:
U.S. federal law
The U.S. has no overarching federal cybersecurity law. However, there may still be federal regulations that businesses must comply with. Government contractors have specific cybersecurity rules to follow. For example, the Department of Defense requires contractors to comply with set cybersecurity standards or risk losing their contract. There are also industry-specific federal laws to be aware of (e.g., HIPAA, GLBA). Depending on the industry your organization operates in, you may have specific regulations to follow.
Questions to ask your legal team:
- Are there industry-specific privacy or data regulations that our security measures must comply with?
- If so, what sort of protections and security measures will we need to put into place to both comply with federal law and prevent security breaches?
- To maintain compliance, how can the legal and security teams work together to continuously monitor changes to existing laws and implementation of new laws?
State law
Cybersecurity and privacy laws can vary on a state-by-state basis. For example, in the instance of a data breach, different states have different requirements for data collection or notification timelines. Knowing the different regulations for each state could save your organization from fines or reputational risk. The National Conference of State Legislatures provides an overview of data security laws for each state.
Some states are stricter than others when it comes to cybersecurity. New York, for example, has special laws in place to regulate the financial sector. The state of California has the most stringent information security regulations in place. The California Consumer Privacy Act (CCPA) gives consumers many rights, such as the right to know if their personal data is being collected and whether or not that data is sold. It also allows consumers to access their personal data.
On January 1, 2020, California’s SB-327, its IoT security bill, takes effect, making California the first state to pass a law concerning IoT. The bill requires that internet-connected devices be equipped with “reasonable” security features. This piece of legislation is particularly powerful because any vendor that sells devices in California must comply, even if it sells in other states as well.
Questions to ask your legal team:
- How should we be thinking about varying state laws when building security measures?
- Are we operating in any states that may have stricter cybersecurity laws than others?
- If one state has more stringent laws, what does that mean for our operations in other states?
International law
In 2018, the European Union (EU) implemented GDPR, which applies not only to EU businesses, but to any businesses that provide services to individuals in the EU or monitor the behavior of EU individuals. GDPR is a sweeping regulation intended to give individuals more control over their personal information. Businesses can be hit with heavy fines for non-compliance.
Questions to ask your legal team:
- What aspects of GDPR affect our company’s security measures?
- If we were to collect personal information from individuals, how should we notify them – or do we need to obtain their consent before doing so?
- Should we minimize the amount of data we process in order to comply?
It’s a two-way street
For both parties to work cohesively, security teams need to work with the legal team to understand different laws that may impact a security policy. On the other hand, legal teams need to learn from the security teams how data is collected and used, and what technologies are being implemented. The legal team should understand not only how an organization uses its data, but how that data transfers throughout the organization. By understanding how data is used and transferred within an organization, the legal team is better equipped to understand the specific laws and regulations that apply in specific scenarios.
When security and legal work together to take an interdisciplinary approach to cybersecurity measures, an organization is better poised to manage cyber risk in the modern era.
Disclaimer: This post does not seek to give legal advice nor delve into the finer points of data protection legislation. Due to the complex nature of information security law, it is critical that legal and security teams work together to understand which laws apply to them and ensure they are engaging in industry best practices. The laws and regulations discussed above provide a critical groundwork on which cybersecurity practitioners can build in order to create compliant security plans and understand their legal risk.