Friend or Foe? State Attorneys General Start to Change Their Tune on Industry & Cybersecurity

Should businesses be thought of as victims or bad actors when it comes to data breaches? State attorneys general are embracing the idea that businesses are not necessarily adversaries in the struggle to protect sensitive consumer information. Over the past several years, state attorneys general have worked both to educate businesses about their data privacy responsibilities and to collaborate with businesses in constructing more robust cybersecurity policies. The spotlight now is on the Ohio Attorney General, who has taken the next major step in this increasingly cooperative effort.

This blog previously reported on the Massachusetts Attorney General’s 2016 Forum on Data Privacy, which brought together cybersecurity stakeholders both to discuss consumer data collection issues and to brainstorm potential solutions. We forecasted then that the Massachusetts forum could signal a shift in attorney general cybersecurity activity: Instead of merely prosecuting and punishing businesses for failing to secure and protect sensitive consumer information, attorneys general would begin to adopt a “team” approach to cybersecurity, working with, not against, industry to protect consumer information. Indeed, some state attorneys general have for years recognized the need to assist businesses in achieving this ever more complicated goal. For instance, in 2015 Mississippi Attorney General Jim Hood published a cybersecurity guide to lend a hand to small businesses seeking to secure their data. The guide even identified small businesses as potential cybersecurity “victims” (as opposed to potential offenders) and suggested means for businesses, owners and employees to invest the time and resources necessary to ensure the safety and security of information assets.

The collaborative spirit of these attorney general actions foreshadowed what has recently occurred in Ohio. On September 29, 2016, Ohio Attorney General Mike DeWine announced the launch of CyberOhio, a collection of cybersecurity initiatives aimed at helping Ohio businesses fight back against cyber-attacks. The announcement expressly acknowledged the goal of building a “collaborative cybersecurity environment” to help Ohio’s businesses, and identified five primary initiatives: 1) creating a Cybersecurity Advisory Board, composed of industry experts and business leaders to provide guidance to the Attorney General’s Office on cybersecurity issues; 2) exploring draft legislation to improve the legal cybersecurity environment in Ohio for businesses and consumers; 3) providing cybersecurity training opportunities; 4) expanding the Attorney General’s Identity Theft Unit to assist businesses with cybersecurity and data privacy; and 5) encouraging more cybersecurity workforce personnel, including through the creation of collaborative internship opportunities between businesses and Ohio colleges and universities. These initiatives, in particular the creation of the Cybersecurity Advisory Board, have formalized and acknowledged the pivotal role industry will play in shaping cybersecurity policy in the coming years. The Cybersecurity Advisory Board draws from a multitude of industries, both public and private, including academia, retail, financial services, and health care. The Board’s diverse composition is recognition that strong and enforceable cybersecurity standards and policies will require input from and collaboration with all corners of the business world.

As the first step in implementing this initiative, Attorney General DeWine will host a Business Summit in Lewis Center, Ohio on March 31, 2017. This Summit is intended to provide business owners with practical, understandable, and actionable cybersecurity information, and will feature cybersecurity experts from across the country. The Summit will explore such topics as low-cost security measures for small businesses, various industry-specific privacy and security laws, and what businesses should do after a breach. Presumably this will be the first of multiple “cybersecurity training opportunities” under the CyberOhio umbrella.

Attorney General DeWine’s CyberOhio initiative and the recent undertakings of various other state attorneys general have welcomed, with open arms, industry’s perspective on future cybersecurity policy. Given the ever-increasing complexity and cost of protecting sensitive consumer information, it only makes sense that regulators would turn to industry for guidance and support in crafting effective policies. Other state attorneys general will likely follow suit and embrace businesses as partners in guarding against serious consumer data misuse. We will make you aware of any new developments.