Cybersecurity legislation may do more harm than good
A paramount concern for the commonwealth’s businesses — large and small — is cybersecurity. During the current session of the General Assembly, state Sen. Glen Sturtevant proposed an update to Virginia’s cyber crime statute. The amendment would have made it a felony for cyber criminals to use ransomware. This was a worthwhile bill considering the explosion of ransomware crimes during the past year, which can hit Virginia’s small businesses hard. Although the legislature jettisoned the bill this session, it is a sign that Virginia lawmakers are beginning to seriously consider regulations in the area of cybersecurity. However, we urge caution.
Cybersecurity laws are quickly becoming complex and fragmented as more and more are being passed around the country and at the federal level. In addition, governmental agencies, such as the Securities and Exchange Commission (SEC), issue their own guidance on what they expect from the businesses they regulate. Finally, there are even private regulations that can impose cybersecurity requirements on Virginia’s business community. This jumble of laws, regulations and rules is making it increasingly difficult for businesses to comply without an undue burden. For example, approximately 48 states and the District of Columbia have separate cyber-breach notification laws. Lawmakers should move cautiously in proposing any cybersecurity regulations in Virginia to avoid further confusion and the creation of “just another cybersecurity requirement.” It is critical that states work together to bring uniformity to their respective cybersecurity laws. The National Governors Association has the ability to take the lead on this issue, and we urge it to do so.
Lawmakers should proceed with great care before adopting new cybersecurity rules. Technology and the associated threat landscape are rapidly evolving. “Ransomware,” for example, is a relatively recent addition to the cybersecurity lexicon. Legislation that is excessively prescriptive may find itself obsolete or emphasizing the risks of yesteryear. Effective regulations are principle-based, specifying outcomes rather than prescribing particular methods. For example, a requirement to operate anti-virus software on users’ computers does not adequately address the ransomware risk, and a requirement to protect email alone does not address the many new ways companies use technology to communicate internally and externally.
Regulations also should respect a business’s right to make informed, risk-based decisions about what behaviors to allow, what protections to implement and how to implement them. After all, there is no such thing as “perfect security,” and risk acceptance in favor of convenience has always been a key element of cybersecurity. For example, nearly all businesses use email despite it being the favored attack vector for most cyber criminals, because of the incredible difficulty of protecting users from ransomware, phishing campaigns, wire fraud and other scams. Further, no two businesses are the same, and cybersecurity needs vary from one company to the next based on size, geographical footprint and industry sector. For instance, a small landscaping company probably does not need an enterprise-grade intrusion detection system. However, a cloud-based service platform that processes large volumes of sensitive data should be able to rapidly detect network intrusions. One-size-fits-all legislation will not work for Virginia’s business community in terms of mandating the proactive steps companies must take to defend against cyber threats.
Legislators also should be wary of who is providing advice to them. Large businesses are known to favor regulations that make it difficult for smaller competitors to grow. Technologies that transform business, democratize speech and change the way we communicate all started small. Uber, for example, saves lives each year by making it incredibly convenient for revelers to find a safe ride home. Overloading young organizations with burdensome requirements may stifle the innovation that is improving the world. Virginia must be a place that encourages innovation, rather than smothers it.
In many respects, the General Assembly should focus on instituting some basic and uniform legislation to protect victims of a data breach. The technical, legal and regulatory landscapes, with respect to cybersecurity, are evolving incredibly fast. Due to this complexity and pace, well-intentioned but ultimately ill-conceived regulations have the potential to do more harm than good. Businesses and their trade associations are in a far better position to address these issues in real time. However, it is incumbent on them to do so now, and to demonstrate to lawmakers that they are taking action to protect their business and industry customers. If they do not, they can be sure that legislators will step into the breach with mandates. Should the commonwealth proceed to implement regulations, we recommend that it do so with extreme care.
Christopher Moschella is a manager with Keiter’s Risk Advisory Services focusing on cybersecurity. He can be reached at 804-419-2902 or [email protected]. Collin Hite is the practice leader of Hirschler Fleischer’s Data Privacy & Security Group. He can be reached at 804-771-9595 or [email protected]