To Fix Cybersecurity Law, Ask More Questions
Posted Sep 15, 2015 by Jeff Kosseff (@jkosseff)
Jeff Kosseff, Crunch Network Contributor
Jeff Kosseff is an assistant professor of cybersecurity law at the
United States Naval Academy.
When a company realizes that it may have been hacked, its first call
often is not to outside forensics consultants, security firms or even
to law enforcement.
Too often, the company first must consult with its lawyers. Lots and
lots of lawyers.
And for good reason. Our system of cybersecurity and privacy laws is
difficult to navigate, and exposes companies to large penalties for
failure to follow outdated rules. Unfortunately, the time that
companies spend parsing legal liability often leaves the door open for
more damage to occur to their systems and networks.
The seemingly endless cycle of high-profile computer hacks has caused
policymakers and front pages to focus more than ever on cybersecurity
law. Once a niche issue, cybersecurity now is in the national
spotlight, as we evaluate how to prevent and respond to high-stakes
data security compromises.
As a cybersecurity lawyer and professor, I am thrilled that the public
is fixated on security. But I worry that the debate is too narrow, and
we have not yet fully examined the incongruous and often inefficient
patchwork of federal and state cybersecurity laws.
We need to rethink all of our cybersecurity laws. The current system
simply is not working.
When Congress returns from recess, it is expected to debate a bill that
would allow cyberthreat information sharing among the public and
private sectors. Opponents criticize the bill for providing legal
immunity to companies that share threat information, while the bill’s
proponents say that sharing would be impossible without some legal
protection.
The information-sharing debate is an important one. But it is only one
piece of the much broader framework that governs how companies prevent
and manage data breaches.
To understand the gaps in our cybersecurity laws, consider how
companies respond to data breaches. When companies learn that their
users’ data has been hacked, they cannot focus solely on shoring up
their networks and preventing further harm. That’s because 47 states
and the District of Columbia have passed laws that require companies to
notify consumers, regulators and credit bureaus of breaches.
The notification requirements might not sound like a significant
burden, but the laws each require different formats for notice, often
under different circumstances. For instance, some states only require
notification if highly sensitive information such as Social Security
numbers and credit card numbers are disclosed, while other laws apply
to disclosure of account passwords and birth dates. As any
cybersecurity lawyer will tell you, North Dakota has particularly
quirky notification rules.
The end result is that in the days following a hack, companies focus on
formalistic notification rules, lest they face heavy fines and
lawsuits. While notification of breaches can be useful, I question
whether it should play such a central role in breach response. It’s
like a fire code that focuses exclusively on when a blaze first was
reported to the fire department, rather than requiring building owners
to take precautions that prevent the fire in the first place.
About a dozen states also have enacted separate laws that require
companies to adopt “reasonable” data security plans for certain types
of personal information. But most of those laws do not define
“reasonable.” At the federal level, the Federal Trade Commission
penalizes companies for particularly egregious data security failures,
but it, too, does not provide binding compliance guidelines.
This murky system leaves well-intentioned companies unsure of what they
need to do to comply with data security laws.
I also question the need for state-level data security regulations.
Very few companies process information only belonging to the residents
of a single state. Unlike physical security issues, such as building
safety and vehicle regulations, data security is not limited to a
single location. A clear, nationwide standard would provide companies
with the guidance and flexibility necessary to prevent data breaches.
Missing from the current debate has been discussion of incentives for
companies to invest in cybersecurity. Federal law provides tax breaks
for companies to purchase manufacturing equipment, invest in research
and development and produce certain types of fuel. Why not
cybersecurity? The public would benefit if the tax code encouraged
companies to make costly investments in cybersecurity software and
personnel.
We also should examine whether the increase in data breach-related
class action litigation actually results in better cybersecurity.
Unlike communications with attorneys, accountants, therapists and
clergy, communications with cybersecurity forensics professionals are
not directly covered by a privilege. So if a company hires a forensics
team to help remediate a data breach, the communications with that team
could be discovered in a lawsuit related to that breach. This could
actually discourage companies from hiring cybersecurity consultants
when they are needed most.
Many of our data security, hacking and privacy laws were enacted in the
’80s and ’90s, long before we ever could have imagined the
cybersecurity challenges that companies and other organizations face
every day. Quite simply, we need to evaluate all the laws based on
the current threats to determine how to make them most effective in
preventing and remediating breaches.
Cybersecurity is among the most complex and important legal issues that
we currently confront. I don’t think that any of us have the answers
right now, but I know that we should be asking as many questions as
possible.
Note: The views expressed in this op-ed are those only of the author,
and not of the Naval Academy or Department of Navy.