Page 30 - GCN, May 2017

INDUSTRY INSIGHT
BY JAMES E. LEE
Closing the gap between cyber technology and public policy
IT and public policy have always been out of sync, with new technologies often introducing societal issues that require government action. Whether steam locomotives or smartphones, every leap in technology has followed the same pattern: Invention first, public policy later.
In the 1980s, cybersecurity legislation almost exclusively focused on instituting criminal statutes — first at the federal level and later in the states. Congress passed the Computer Fraud and Abuse Act in 1986, and it remains the core framework that guides virtually all criminal and civil actions taken by the federal government.
According to the National Conference of State Legislatures, every state has a computer crimes statute, and half also have legislation aimed at denial-of-service attacks. Two states — California and Wyoming — have enacted ransomware statutes.
In the early 2000s, states began to shift their attention to civil prosecution and consumer protection. Some laws and regulations continued to focus on punishing attackers while others sought to prevent attacks and encourage organizations to improve cybersecurity.
In 2002, California enacted a mandatory consumer notice law when personal data is breached. In the intervening 15 years, 48 states and nearly 90 countries have passed similar regulations. Despite numerous attempts, however, the U.S. Congress has yet to pass a uniform breach notification law.
States are taking the lead on cybersecurity regulations, but are they equipped to address the complex issues involved?
Today, the burden of responding to technology-driven policy issues falls primarily on state officials. However, state legislatures might not meet on an annual basis, and they often lack the time, staff resources and expertise to quickly tackle complex issues like cybersecurity. Technology, on the other hand, measures advances in hours, days and months. That is especially true with cybersecurity, where teams must address a nonstop stream of attacks that often pressure elected officials and regulators to act quickly.
Against this background, New York state regulators have created a model for addressing cybersecurity issues that other states should consider adapting to their needs. Instead of focusing on the aftermath, the Department of Financial Services’ regulations focus on prevention. Those regulations require banks, insurance companies and other financial services institutions overseen by the department to have a cybersecurity program that seeks to protect consumers through written policies and procedures, the appointment of a chief security officer and mandatory reporting within 72 hours of any attacks that could harm the firm’s normal operations.
That approach puts the burden on companies to do more to prevent breaches rather than relying on incentives such as enlightened self-interest or broad federal guidelines to actively address cyberthreats.
State-based cybersecurity regulations are also more likely to be enforced uniformly. State agencies tend to know more about the businesses under their jurisdiction, and regulated companies have easier access to the state legislators who provide oversight. It’s also less complex and time-consuming, generally speaking, to fix flawed legislation or regulation at the state level.
Although state regulation offers definite advantages for consumers and businesses, there are three obvious downsides:
1. Complex compliance. Small companies that operate in multiple states must deal with a patchwork of laws and regulations. Beyond adding complexity, having to meet different standards in different states is more expensive.
2. Narrow scope. New York’s Department of Financial Services oversees a comprehensive list of financial services firms, but it does not regulate all businesses in the state.
3. Political climate. State officials might lack the technical resources or political air cover to take action. Federal lawmakers are trying to address the resource issue, but the political calculations needed to aggressively tackle cyber issues will vary from state to state. Just ask the residents of Alabama or South Dakota, who still lack the protection of a security breach notification law.
— James E. Lee is executive vice president of Waratek.



































































