Kirk J. Nahra is a partner with Wiley Rein LLP in Washington, D.C., where he represents companies in a broad range of industries in connection with privacy and data security laws and regulations across the United States and globally. He is chair of the firm’s Privacy Practice and co-chair of its Health Care Practice.
He is a nationally recognized expert on privacy and data security laws related to the health care and insurance industries. He assists companies in a wide range of industries in analyzing and implementing the requirements of privacy and security laws across the country and internationally. He provides advice on data breaches, enforcement actions, contract negotiations, business strategy, research and de-identification issues and privacy, data security and cybersecurity compliance. He advises companies in virtually all industries, ranging from Fortune 500 companies to start-ups.
LIFARS: Tell us some background on you and how you got where you are today.
Kirk: I have been a lawyer in private practice in Washington, D.C. for almost 30 years. I have spent the past 15 years focusing my work on privacy and data security issues, related to the growth in laws and regulations across the United States and the world addressing legal obligations related to the confidentiality and protection of personal data. This field of practice didn’t exist when I was in law school or in the early years of my practice. It began to develop, slowly, with the expansion of the Internet during the 1990s, the initial European Union guidelines in the mid-1990s, and then the creation of the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. Today, there are significant laws covering all personal data in the European Union. Laws are cropping up in a growing range of countries around the world. In the United States, the law has tended to develop on a sectoral basis (e.g., health care and financial services), or related to specific practices (such as telemarketing or data collected from children), but there are now hundreds (and maybe thousands) of laws and regulations addressing compliance obligations, for different kinds of companies in different settings. The challenges these days range from very basic issues (do I need to have a privacy notice?) to substantially more challenging issues that involve business strategy, integration of multiple overlapping and often inconsistent laws and regulations, and overall data management across industry sectors and borders. These issues are affecting virtually any company that has personal data about employees, consumers or others. My clients range from hospitals and health insurers to a broad range of financial services entities, service providers around the world, start-up technology companies and basically any company that has to understand its legal obligations, responsibilities and rights in connection with the use of data.
I work with companies on both practical legal issues (negotiating contracts, due diligence, government investigations, developing policies) but also on a broad range of strategic and public policy issues that are helping companies evaluate their appropriate place in a global market.
LIFARS: How would the new administration affect cybersecurity? Would there be any changes in regulations?
Kirk: Just as the world of privacy and data security has expanded to include a broader range of companies that use and disclose personal data, the concept of cybersecurity has expanded these obligations even more. Cybersecurity involves interconnections between entities, and the overall need to protect a broad range of activities related to the Internet and otherwise. Therefore, companies that haven’t had to be too worried about privacy issues – think power companies, chemical companies, defense contractors – now need to be very concerned about cybersecurity protections and the risks of cyberattacks. At the same time, with the growth in big data, we see more and more situations where personal data and the potential for cyberattacks are growing in places we have never thought of before – smart refrigerators, connected cars, a broad range of medical devices, etc. So, protecting cybersecurity is growing in importance on a daily basis. Companies across this broad range of industries are finding the need to think about these issues – whether because of specific legal and compliance requirements, market forces or overall strategic goals.
It’s not really clear yet where this administration will be going on these issues, both on privacy as well as cybersecurity. The government in general (starting with the Obama Administration) has been encouraging companies to improve their overall cybersecurity efforts. There have been government directives focused on information sharing and cooperation, but there have not been specific, detailed compliance obligations as a matter of law – there are lots of “best practices materials”, but not legal requirements. This new administration has made various statements about the poor state of cybersecurity (something it has been saying since the campaign, although usually without any real evidence), but so far we really haven’t seen anything specific from them at all. At the same time, it would be counter to some of the themes of this administration to impose new regulations on a broad range of businesses. So, we can expect to see some proclamations about the importance of improved cybersecurity, but it isn’t clear that there will be significant new guidance or compliance obligations coming from this administration.
LIFARS: President Donald Trump was expected to sign an executive order on cybersecurity. Could you tell us what this order is expected to initiate?
Kirk: The new administration’s cybersecurity executive order has been a subject of significant debate and discussion over the past few weeks. There have been several fits and starts, with statements that it was imminent, and then that it was being pulled, followed by publication of several drafts. So, there is obviously a lot of discussion going on within the administration about how to handle this issue and what an executive order should cover. The set of topics addressed by the draft EO also has been changing. For example, even though there is a general consensus that there are not enough trained cybersecurity experts, one draft of the EO removed a proposal to build up this expertise (which may face additional challenges if an immigration ban comes back). It also is clear that the administration is struggling to assign responsibility for development and oversight of a federal government cybersecurity program when they have not yet appointed the logical personnel to handle these roles.
What we can mainly expect to see is various efforts to review and evaluate cyber vulnerabilities and capabilities, along with a review of the capabilities of various adversaries. This has been done before, but this administration seems to want to do it again. There are various cross-governmental assignments which may end up changing various government agencies, or could also lead to agency overlaps, inefficiencies and tensions. There have been inconsistent statements about whether to develop appropriate deterrence efforts. But, in general, we will see (1) efforts to analyze the current state of affairs on cybersecurity; (2) some assignment of responsibility for overall cyber activities; (3) some kind of information sharing program to share threat information; (4) analysis of appropriate responses to cyber-threats; (5) efforts to improve the overall cyber capabilities of “critical infrastructure” entities; and, most likely, various broad statements about the importance of these goals without too much detail or specific actions. It is likely – based on the earlier drafts – to be a relatively modest order that will re-do prior assessments of capabilities and hope to propose solutions for better practices in the future. Whether we will see meaningful success from this order is very much an open question.
LIFARS: What are your recommendations to the new administration on cybersecurity issues? What can government do to improve cybersecurity?
Kirk: The government has three big picture responsibilities in connection with cybersecurity – the responsibility for the government itself, law enforcement investigations, and leadership obligations as a matter of law/regulation for other entities. The government needs to pay attention to its own house in the first instance – we continue to see reports of various “enemies” trying to attack government databases and government infrastructure, as well as reports about poor security practices both from various high ranking government officials and others. The government needs to make sure to protect its own house first.
The government also needs to improve its capabilities to engage in “normal” law enforcement investigations, to assist companies and consumers who have faced cyberattacks and cybercrimes. This requires both improved technological skills and a thoughtful approach to investigation and prosecution of computer crimes. My concern is that some of the administration’s other priorities – such as reported efforts to access personal information as part of border and customs investigations – will distract from the need for improved law enforcement performance.
In terms of leadership and regulation, the government clearly can help by developing appropriate best practices for business entities, as NIST and other agencies are doing. This is critical. At the same time, for most companies, they should be motivated to engage in appropriate cybersecurity activities for their own selfish interests – to protect their businesses and their customers – rather than solely because the government tells them they have to. So, I am less concerned about the fact that there aren’t specific new laws or regulations coming out on these issues. We may see them – but it doesn’t seem to be a high priority of this administration and the real pressure for these actions must come from companies on their own. Providing better information and guidance can make this process easier and less expensive for any company interested in improving in these areas.
Connect with Kirk at KNahra@wileyrein.com & Follow Kirk on Twitter @Kirkjnahrawork