To Fix Cybersecurity Law, Ask More Questions

When a company realizes that it may have been hacked, its first call often is not to outside forensics consultants, security firms or even to law enforcement.

Too often, the company first must consult with its lawyers. Lots and lots of lawyers.

And for good reason. Our system of cybersecurity and privacy laws is difficult to navigate, and exposes companies to large penalties for failure to follow outdated rules. Unfortunately, the time that companies spend parsing legal liability often leaves the door open for more damage to occur to its systems and networks.

The seemingly endless cycle of high-profile computer hacks has caused policymakers and front pages to focus more than ever on cybersecurity law. Once a niche issue, cybersecurity now is in the national spotlight, as we evaluate how to prevent and respond to high-stakes data security compromises.

As a cybersecurity lawyer and professor, I am thrilled that the public is fixated on security. But I worry that the debate is too narrow, and we have not yet fully examined the incongruous and often inefficient patchwork of federal and state cybersecurity laws.

We need to rethink all of our cybersecurity laws. The current system simply is not working.

When Congress returns from recess, it is expected to debate a bill that would allow cyberthreat information sharing among the public and private sectors. Opponents criticize the bill for providing legal immunity to companies that share threat information, while the bill’s proponents say that sharing would be impossible without some legal protection.

The information-sharing debate is an important one. But it is only one piece of the much broader framework that governs how companies prevent and manage data breaches.

To understand the gaps in our cybersecurity laws, consider how companies respond to data breaches. When companies learn that their users’ data has been hacked, they cannot focus solely on shoring up their networks and preventing further harm. That’s because 47 states and the District of Columbia have passed laws that require companies to notify consumers, regulators and credit bureaus of breaches.

We need to evaluate all the laws based on the current threats to determine how to make them most effective in preventing and remediating breaches.

The notification requirements might not sound like a significant burden, but the laws each require different formats for notice, often under different circumstances. For instance, some states only require notification if highly sensitive information such as Social Security numbers and credit card numbers are disclosed, while other laws apply to disclosure of account passwords and birth dates. As any cybersecurity lawyer will tell you, North Dakota has particularly quirky notification rules.

The end result is that in the days following a hack, companies focus on formalistic notification rules, lest they face heavy fines and lawsuits. While notification of breaches can be useful, I question whether it should play such a central role in breach response. It’s like a fire code that focuses exclusively on when a blaze first was reported to the fire department, rather than requiring building owners to take precautions that prevent the fire in the first place.

About a dozen states also have enacted separate laws that require companies to adopt “reasonable” data security plans for certain types of personal information. But most of those laws do not define “reasonable.” At the federal level, the Federal Trade Commission penalizes companies for particularly egregious data security failures, but it, too, does not provide binding compliance guidelines.

This murky system leaves well-intentioned companies unsure of what they need to do to comply with data security laws.

I also question the need for state-level data security regulations. Very few companies process information only belonging to the residents of a single state. Unlike physical security issues, such as building safety and vehicle regulations, data security is not limited to a single location. A clear, nationwide standard would provide companies with the guidance and flexibility necessary to prevent data breaches.

Missing from the current debate has been discussion of incentives for companies to invest in cybersecurity. Federal law provides tax breaks for companies to purchase manufacturing equipment, invest in research and development and produce certain types of fuel. Why not cybersecurity? The public would benefit if the tax code encouraged companies to make costly investments in cybersecurity software and personnel.

We also should examine whether the increase in data breach-related class action litigation actually results in better cybersecurity. Unlike communications with attorneys, accountants, therapists and clergy, communications with cybersecurity forensics professionals is not directly covered by a privilege. So if a company hires a forensics team to help remediate a data breach, the communications with that team could be discovered in a lawsuit related to that breach. This could actually discourage companies from hiring cybersecurity consultants when they are needed most.

Many of our data security, hacking and privacy laws were enacted in the ’80s and ’90s, long before we ever could have imagined the cybersecurity challenges that companies and other organizations face every day. Quite simply, we need to evaluate all the laws based on the current threats to determine how to make them most effective in preventing and remediating breaches.

Cybersecurity is among the most complex and important legal issues that we currently confront. I don’t think that any of us have the answers right now, but I know that we should be asking as many questions as possible.

Note: The views expressed in this op-ed are those only of the author, and not of the Naval Academy or Department of Navy.