BreachExchange mailing list archives

To Fix Cybersecurity Law, Ask More Questions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Sep 2015 13:39:11 -0600

http://techcrunch.com/2015/09/15/to-fix-cybersecurity-law-ask-more-questions/

When a company realizes that it may have been hacked, its first call often
is not to outside forensics consultants, security firms or even to law
enforcement.

Too often, the company first must consult with its lawyers. Lots and lots
of lawyers.

And for good reason. Our system of cybersecurity and privacy laws is
difficult to navigate, and exposes companies to large penalties for failure
to follow outdated rules. Unfortunately, the time that companies spend
parsing legal liability often leaves the door open for more damage to occur
to their systems and networks.

The seemingly endless cycle of high-profile computer hacks has caused
policymakers and front pages to focus more than ever on cybersecurity law.
Once a niche issue, cybersecurity now is in the national spotlight, as we
evaluate how to prevent and respond to high-stakes data security
compromises.

As a cybersecurity lawyer and professor, I am thrilled that the public is
fixated on security. But I worry that the debate is too narrow, and we have
not yet fully examined the incongruous and often inefficient patchwork of
federal and state cybersecurity laws.

We need to rethink all of our cybersecurity laws. The current system simply
is not working.

When Congress returns from recess, it is expected to debate a bill that
would allow cyberthreat information sharing among the public and private
sectors. Opponents criticize the bill for providing legal immunity to
companies that share threat information, while the bill’s proponents say
that sharing would be impossible without some legal protection.

The information-sharing debate is an important one. But it is only one
piece of the much broader framework that governs how companies prevent and
manage data breaches.

To understand the gaps in our cybersecurity laws, consider how companies
respond to data breaches. When companies learn that their users’ data has
been hacked, they cannot focus solely on shoring up their networks and
preventing further harm. That’s because 47 states and the District of
Columbia have passed laws that require companies to notify consumers,
regulators and credit bureaus of breaches.

The notification requirements might not sound like a significant burden,
but the laws each require different formats for notice, often under
different circumstances. For instance, some states only require
notification if highly sensitive information such as Social Security
numbers and credit card numbers is disclosed, while other laws apply to
disclosure of account passwords and birth dates. As any cybersecurity
lawyer will tell you, North Dakota has particularly quirky notification
rules.

The end result is that in the days following a hack, companies focus on
formalistic notification rules, lest they face heavy fines and lawsuits.
While notification of breaches can be useful, I question whether it should
play such a central role in breach response. It’s like a fire code that
focuses exclusively on when a blaze first was reported to the fire
department, rather than requiring building owners to take precautions that
prevent the fire in the first place.

About a dozen states also have enacted separate laws that require companies
to adopt “reasonable” data security plans for certain types of personal
information. But most of those laws do not define “reasonable.” At the
federal level, the Federal Trade Commission penalizes companies for
particularly egregious data security failures, but it, too, does not
provide binding compliance guidelines.

This murky system leaves well-intentioned companies unsure of what they
need to do to comply with data security laws.

I also question the need for state-level data security regulations. Very
few companies process information only belonging to the residents of a
single state. Unlike physical security issues, such as building safety and
vehicle regulations, data security is not limited to a single location. A
clear, nationwide standard would provide companies with the guidance and
flexibility necessary to prevent data breaches.

Missing from the current debate has been discussion of incentives for
companies to invest in cybersecurity. Federal law provides tax breaks for
companies to purchase manufacturing equipment, invest in research and
development and produce certain types of fuel. Why not cybersecurity? The
public would benefit if the tax code encouraged companies to make costly
investments in cybersecurity software and personnel.

We also should examine whether the increase in data breach-related class
action litigation actually results in better cybersecurity. Unlike
communications with attorneys, accountants, therapists and clergy,
communications with cybersecurity forensics professionals are not directly
covered by a privilege. So if a company hires a forensics team to help
remediate a data breach, the communications with that team could be
discovered in a lawsuit related to that breach. This could actually
discourage companies from hiring cybersecurity consultants when they are
needed most.

Many of our data security, hacking and privacy laws were enacted in the
’80s and ’90s, long before we ever could have imagined the cybersecurity
challenges that companies and other organizations face every day. Quite
simply, we need to evaluate all the laws based on the current threats to
determine how to make them most effective in preventing and remediating
breaches.

Cybersecurity is among the most complex and important legal issues that we
currently confront. I don’t think that any of us have the answers right
now, but I know that we should be asking as many questions as possible.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/