[BreachExchange] Cybersecurity legislation may do more harm than good

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 17 08:10:18 EST 2017


http://www.virginiabusiness.com/opinion/article/cybersecurity-legislation-may-do-more-harm-than-good

A paramount concern for the commonwealth’s businesses — large and small —
is cybersecurity. During the current session of the General Assembly, state
Sen. Glen Sturtevant proposed an update to Virginia’s cyber crime statute.
The amendment would have made it a felony for cyber criminals to use
ransomware. This was a worthwhile bill considering the explosion of
ransomware crimes during the past year, which can hit Virginia’s small
businesses hard. Although the legislature jettisoned the bill this session,
it is a sign that Virginia lawmakers are beginning to seriously consider
regulations in the area of cybersecurity. However, we urge caution.

Cybersecurity laws are quickly becoming complex and fragmented as more and
more are being passed around the country and at the federal level. In
addition, governmental agencies also issue guidance on what each expects
from businesses they regulate, such as the Securities and Exchange
Commission (SEC). Finally, there are even private regulations that can
impose cybersecurity requirements on Virginia’s business community. This
jumble of laws, regulations and rules are making it increasingly difficult
for businesses to comply without an undue burden. For example,
approximately 48 states and the District of Columbia have separate
cyber-breach notification laws. Lawmakers should move cautiously in
proposing any cybersecurity regulations in Virginia to avoid further
confusion and the creation of “just another cybersecurity requirement.”
It is critical that states work together to bring uniformity to their
respective cybersecurity laws. The National Governors Association has the
ability to take the lead on this issue, and we urge it to do so.

Lawmakers should proceed with great care before adopting new cybersecurity
rules. Technology and the associated threat landscape is rapidly evolving.
“Ransomware,” for example, is a relatively recent addition to the
cybersecurity lexicon. Legislation that is excessively prescriptive may
find itself obsolete or emphasizing risks of yesteryear. Effective
regulations are principle-based, specifying outcomes rather than
prescribing specific methods of action. For example, a requirement to
operate anti-virus software on users’ computers does not adequately address
the ransomware risk, and a requirement to protect email alone does not
address the many new ways companies use technology to communicate
internally and externally.

Regulations also should respect a business’s right to make informed,
risk-based decisions about what behaviors to allow, what protections to
implement and how to implement them. After all, there is no such thing as
“perfect security,” and risk acceptance in favor of convenience has always
been a key element of cybersecurity. For example, nearly all businesses use
email despite it being the favored attack vector for most cyber criminals
because of the incredible difficulty of protecting users from ransomware,
phishing campaigns, wire fraud and other scams. Further, no two businesses
are the same, and cybersecurity needs vary from one company to the next
based on size, geographical footprint and industry sector. For instance, a
small landscaping company probably does not need an enterprise-grade
intrusion detection system. However, a cloud-based service platform which
processes large volumes of sensitive data should be able to rapidly detect
network intrusions. One-size-fits-all legislation will not work for
Virginia’s business community in terms of mandating proactive steps
companies must take to defend against cyber threats.

Legislators also should be wary of who is providing advice to them. Large
businesses are known to favor regulations that make it difficult for
smaller competitors to grow. Technologies that transform business,
democratize speech and change the way we communicate all started small.
Uber, for example, saves lives each year by making it incredibly convenient
for revelers to find a safe ride home. Overloading young organizations
with burdensome requirements may stifle the innovation that is improving
the world. Virginia must be a place that encourages innovation, rather than
smothers it.

In many respects, the General Assembly should focus on instituting some
basic and uniform legislation to protect victims of a data breach.
Technical, legal and regulatory landscapes, with respect to cybersecurity,
are evolving incredibly fast. Due to this complexity and pace,
well-intentioned but ultimately ill-conceived regulations have the
potential to do more harm than good. Businesses and their trade
associations are in a far better position to address these issues in
real-time. However, it is incumbent that they do so now, and demonstrate to
lawmakers that they are taking action to protect their business and
industry customers. If they do not, they can be sure that legislators will
step into the breach with mandates. Should the commonwealth proceed to
implement regulations, we recommend that it does so with extreme care.