The federal government has been dragging its feet when it comes to addressing cybersecurity concerns. Federal legislation has been slow to come, and state governments have been developing their own approaches. Several bills have been introduced and co-sponsored by members of Congress on both sides of the aisle. However, all efforts to address cyber law on a national level have stalled and many states just aren’t waiting around any longer.
Clearly, the gravity of the situation surrounding cybersecurity measures must be taken seriously given the number of data and network breaches the country has already experienced in recent years. As a nation, we must appear strong and show leadership in the cybersecurity realm, which, so far, we have failed to do. Thus, individual states, such as California and Ohio, have taken it upon themselves to create and enact cybersecurity laws.
To many people, this makes sense, as a lot of citizens believe in state determination. However, a hodge-podge and mixed bag of laws will eventually create more seams benefiting the hacker. Businesses lose when they must meet the requirements of 50 different jurisdictions. Ensuring these types of issues don’t minimize the growth of the nation or its security is a role of the federal government. It seems that in this time of partisan politics, security has become another area of contention. However, the only thing we should be arguing about is “to what extent” and not whether a law should be put in place.
In August of 2018, a California Senate bill, No. 327, was passed by both Houses of the California State Legislature, and it is awaiting Governor Jerry Brown’s signature to enact the bill. The bill is meant to update the current state law that demands a company discard a client’s record that contains personal information, if it is no longer of use to the said business, by shredding the documents or making them illegible. In addition to this, the bill would create a new provision within the California Civil Code titled Security of Connected Devices. The main goal of this provision is to safeguard both the device and the information it manages from unlawful access and nefarious agents. This means that manufacturers of anything (sensors) capable of connecting to the Internet of Things (IoT) must equip the device with a reasonable amount of security, or at least secure the device for reasonable protection against data theft.
Similar to California’s bill, Ohio also enacted a new law surrounding the issue of cybersecurity related to IoT. The law is directed at protecting all Ohioans by requiring businesses to create and abide by their own cybersecurity programs. The state is hopeful that corporations will invest more resources in protecting their networks, which, as a result, will greatly help secure sensitive information of customers. To make things easier for those who are unfamiliar with security protocols, the state intends to provide businesses with different industry-recognized cybersecurity frameworks. The goal is to promote cyber planning and the execution of cybersecurity measures. The legislation will also provide an affirmative defense to a lawsuit that claims a security breach occurred as a result of a company’s failure to devise satisfactory security measures – making everyone accountable for their actions or lack thereof.
There is no time to waste when it comes to securing cyberspace. Security starts at the local level. However, national security requires assistance from the federal government. A variety of threats are visible on the horizon and they will not go away. There is too much money and power to be gained from hacking and the spoils of data theft. If national legislators simply turn a blind eye to the threats, we will continue to witness the massive data breaches occurring every day. We will continue to provide a highway for hackers to drive in, load enabling data into their vehicle, and cart it off to their bank.
Cybersecurity is a business process like accounting and limiting liability. Holding hackers and thieves responsible should be one of the government’s top priorities. Holding businesses responsible is just as important. It is evident that we lack the leadership to move the ball in this dangerous game. Even as the European Union (EU) implemented the General Data Protection Regulation (GDPR) earlier this year, Congress still doesn’t realize that cyber leadership is not an option. The GDPR addresses data privacy laws and regulations that entail serious penalties if broken and apply to users both within and outside of the EU. Conversely, this nation’s lack of law allows access and cybersecurity ambivalence to businesses inside and outside of the U.S.
If the U.S. wants to maintain its superpower hold on the global stage, it is imperative that the federal government create and enact laws that will protect the American people, infrastructure, and economy from cyber-related attacks. This starts with creating a culture of cybersecurity underpinned by law. Not only will this prove to American businesses that there is no tolerance for weak cybersecurity application, but it will also let other countries, and enemies, know that we mean business.