Virginia Business


Cybersecurity legislation may do more harm than good

Published February 16, 2017 by Christopher Moschella / Collin Hite

A paramount concern for the commonwealth’s businesses — large and small — is cybersecurity. During the current session of the General Assembly, state Sen. Glen Sturtevant proposed an update to Virginia’s cyber crime statute. The amendment would have made it a felony for cyber criminals to use ransomware. This was a worthwhile bill considering the explosion of ransomware crimes during the past year, which can hit Virginia’s small businesses hard. Although the legislature jettisoned the bill this session, it is a sign that Virginia lawmakers are beginning to seriously consider regulations in the area of cybersecurity. However, we urge caution.

Cybersecurity laws are quickly becoming complex and fragmented as more and more are being passed around the country and at the federal level. In addition, governmental agencies, such as the Securities and Exchange Commission (SEC), issue guidance on what each expects from the businesses it regulates. Finally, there are even private regulations that can impose cybersecurity requirements on Virginia’s business community. This jumble of laws, regulations and rules is making it increasingly difficult for businesses to comply without an undue burden. For example, approximately 48 states and the District of Columbia have separate cyber-breach notification laws. Lawmakers should move cautiously in proposing any cybersecurity regulations in Virginia to avoid further confusion and the creation of “just another cybersecurity requirement.” It is critical that states work together to bring uniformity to their respective cybersecurity laws. The National Governors Association has the ability to take the lead on this issue, and we urge it to do so.

Lawmakers should proceed with great care before adopting new cybersecurity rules. Technology and the associated threat landscape are rapidly evolving. “Ransomware,” for example, is a relatively recent addition to the cybersecurity lexicon. Legislation that is excessively prescriptive may find itself obsolete or emphasizing risks of yesteryear. Effective regulations are principle-based, specifying outcomes rather than methods of action. For example, a requirement to operate anti-virus software on users’ computers does not adequately address the ransomware risk, and a requirement to protect email alone does not address the many new ways companies use technology to communicate internally and externally.

Regulations also should respect a business’s right to make informed, risk-based decisions about what behaviors to allow, what protections to implement and how to implement them. After all, there is no such thing as “perfect security,” and risk acceptance in favor of convenience has always been a key element of cybersecurity. For example, nearly all businesses use email even though the incredible difficulty of protecting users from ransomware, phishing campaigns, wire fraud and other scams makes it the favored attack vector for most cyber criminals. Further, no two businesses are the same, and cybersecurity needs vary from one company to the next based on size, geographical footprint and industry sector. For instance, a small landscaping company probably does not need an enterprise-grade intrusion detection system. However, a cloud-based service platform that processes large volumes of sensitive data should be able to rapidly detect network intrusions. One-size-fits-all legislation will not work for Virginia’s business community in terms of mandating proactive steps companies must take to defend against cyber threats.

Legislators also should be wary of who is providing advice to them. Large businesses are known to favor regulations that make it difficult for smaller competitors to grow. Technologies that transform business, democratize speech and change the way we communicate all started small. Uber, for example, saves lives each year by making it incredibly convenient for revelers to find a safe ride home. Overloading young organizations with burdensome requirements may stifle the innovation that is improving the world. Virginia must be a place that encourages innovation, rather than smothers it.

In many respects, the General Assembly should focus on instituting some basic and uniform legislation to protect victims of a data breach. Technical, legal and regulatory landscapes, with respect to cybersecurity, are evolving incredibly fast. Due to this complexity and pace, well-intentioned but ultimately ill-conceived regulations have the potential to do more harm than good. Businesses and their trade associations are in a far better position to address these issues in real time. However, it is incumbent on them to do so now, and to demonstrate to lawmakers that they are taking action to protect their business and industry customers. If they do not, they can be sure that legislators will step into the breach with mandates. Should the commonwealth proceed to implement regulations, we recommend that it do so with extreme care.

Christopher Moschella is a manager with Keiter’s Risk Advisory Services focusing on cybersecurity. He can be reached at 804-419-2902. Collin Hite is the practice leader of Hirschler Fleischer’s Data Privacy & Security Group. He can be reached at 804-771-9595.
