There is no federal rule governing how a company must report a cyberattack. While that needs to change, freedom of speech and personal privacy must not be infringed upon
Last January, President Barack Obama’s State of the Union address focused on the need to forge federal cybersecurity legislation in light of the breaches suffered by Sony and Target. I applaud the intent behind these measures to establish a national mechanism for how cybersecurity attacks on companies are reported to the authorities, but we need to be careful as to what the fine print is on any new laws of this kind before they are introduced.
Inarguably, good legislation is required to unify the efforts of all of the states in the union to create a holistic approach to dealing with cybersecurity attacks no matter from where they originate. As reported in The Federal Times last January, the Obama administration wants to create a single federal statute governing how and when information on cyberattacks must be released. The intent is to ease confusion in the private sector and improve online security.
Currently, there is no federal rule governing how a company must report a cyberattack. If a company is operating in several states, and, for instance, it suffers a security breach in California and one in Massachusetts, it has two different mechanisms it must contend with to report these breaches. In some states, like Florida, it doesn’t have to be reported at all. For companies, this creates all sorts of problems as they try to comply with the varying laws they’re subjected to.
In addition to creating an overarching framework for organizations to abide by in order to communicate to the authorities upon suffering a cyberattack, some people fear involving Congress in this particular type of legislation will create issues in other areas such as personal privacy. It’s been suggested Congress could use this opportunity to slip in additional measures to provide federal intelligence agencies with more flexibility to potentially violate individuals’ personal privacy that could in turn impact free speech.
There are also questions pertaining to taxpayer-funded cybersecurity insurance for organizations that is raising eyebrows. It seems profoundly unfair to ask taxpayers to foot the bill for this kind of insurance.
After all, we hear about major breaches on large corporations like Sony, but we don’t hear about the true number of attacks that happen to businesses of all sizes daily across the nation that don’t report the attacks because they fear if they do it will ruin their businesses, or open them up to lawsuits. We’re a litigious society, so anything that makes for a good lawsuit is fair game.
What the Obama administration’s proposed legislation aims to do is give those companies leeway to report a cyberattack without being subjected to frivolous lawsuits. It’s an important point. We need to be able to openly communicate when these types of attacks happen, but not at the expense of personal freedoms and privacy.
Is your business in need of top-tier IT security, consulting, and support? Give us a call at (831) 753-76-77 or email us at [email protected]. Alvarez Technology Group is the leading IT consulting firm for computer and business IT support throughout Monterey, Salinas, and the Bay Area.
