by Marisel Gamez
Technological innovations are advancing rapidly, yet cybersecurity[1] measures are lagging behind. As a result, malicious cyberattacks have become commonplace for private companies. Recently, anonymous hackers breached Home Depot’s,[2] Target’s,[3] and Sony Pictures Entertainment’s[4] private information, which exposed the personal data of thousands and the credit card information of millions to unauthorized individuals. Advanced cybersecurity is greatly needed to prevent the theft and exposure of consumer information. This post briefly discusses the development of federal laws advancing greater cybersecurity, executive efforts currently promoting the implementation of cybersecurity practices to respond to breaches of private information, and whether more government regulation of cybersecurity standards in the private sector is a viable option.
Congress has enacted legislation that regulates cybersecurity measures for the handling of consumer information. Such legislation includes the Health Insurance Portability and Accountability Act[5] and the Gramm-Leach-Bliley Act.[6] These statutes codify regulations for securing private information within healthcare and financial institutions. However, these federal statutes do not codify a standard for all private entities to secure consumer information.
There are also federal laws regarding the prosecution of anonymous hackers, such as the Computer Fraud and Abuse Act,[7] the Identity Theft and Assumption Deterrence Act,[8] and the federal wire fraud statute.[9] These laws apply to prosecuting hackers who breach information held within private companies.
The federal government has attempted to develop and promote better cybersecurity practices in the private sector. In 2015, Congress passed the Cybersecurity Information Sharing Act,[10] in which Title IV’s provisions include “requiring government studies and development of voluntary best practices for cybersecurity.”[11] In 2016, President Obama implemented the Cybersecurity National Action Plan,[12] which established an executive commission to enhance national cybersecurity. Additionally, former President Bill Clinton established the National Infrastructure Protection Center,[13] which “seeks to protect from cyberattacks the United States’ critical infrastructures including: telecommunications, energy, transportation, banking and finance, water systems, emergency services, and government operations.”[14] However, it is important to note that none of these developments mandate a standard level of cybersecurity for private companies.
While cybersecurity has substantially improved, there will always be a need for the most current and capable systems to combat cyberattacks. All internet users have an interest in protecting their personal information from unauthorized access and exposure. However, should the federal government regulate cybersecurity standards for all private companies involved in e-commerce, especially with regard to private consumer information?
Implementing a sophisticated cybersecurity system capable of combatting breaches of consumer information will undoubtedly be a costly endeavor.[15] Moreover, other challenges to consider include establishing cybersecurity standards suitable for each individual private company and specifically tailored to each company’s industry and scale, whether it be a multinational software corporation or a small independent business. It would be impractical for the federal government to establish a general cybersecurity standard for all private entities because of the high cost and risk involved in applying a general law regulating cybersecurity standards to a multitude of private companies. The federal government should continue to encourage private companies to implement better cybersecurity to protect consumer information.
[1] Jeff Kosseff, Positive Cybersecurity Law: Creating a Consistent and Incentive-Based System, 19 Chap. L. Rev. 401, 404–05 (2016) (quoting the National Initiative for Cybersecurity Careers and Studies’ definition of cybersecurity: “‘[t]he activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.’”).
[2] Melvin Backman, Home Depot: 56 Million Cards Exposed in Breach, CNN Money (Sept. 18, 2014, 5:56 PM), http://money.cnn.com/2014/09/18/technology/security/home-depot-hack/.
[3] Ahiza Garcia, Target Settles for $39 Million over Data Breach, CNN Money (Dec. 2, 2015, 5:48 PM), http://money.cnn.com/2015/12/02/news/companies/target-data-breach-settlement/.
[4] Ben Fritz & Danny Yadron, Sony Hack Exposed Personal Data of Hollywood Stars, Wall St. J. (Dec. 5, 2014, 9:36 AM), http://www.wsj.com/articles/sony-pictures-hack-reveals-more-data-than-previously-believed-1417734425.
[5] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended at 45 C.F.R. §§ 160, 162, 164 (2016)). More information can be found on the U.S. Department of Health and Human Services’ website at: The HIPAA Privacy Rule, U.S. Dep’t Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/ (last visited Oct. 3, 2016).
[6] Gramm–Leach–Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended at 15 U.S.C. § 94 (2016)). More information can be found on the Federal Trade Commission’s website at: Gramm-Leach-Bliley Act, Fed. Trade Comm’n, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act (last visited Oct. 3, 2016).
[7] Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2016).
[8] Identity Theft and Assumption Deterrence Act, 18 U.S.C. § 1028 (2016).
[9] 18 U.S.C. § 1343 (2016).
[10] Cybersecurity Information Sharing Act, S. 754, 114th Cong. (2015). More information can be found on Congress’s website at: S. 754 – Cybersecurity Information Sharing Act of 2015, Cong., https://www.congress.gov/bill/114th-congress/senate-bill/754 (last visited Oct. 8, 2016).
[11] David J. Bender, Congress Passes the Cybersecurity Act of 2015, Nat’l L. Rev. (Dec. 20, 2015), http://www.natlawreview.com/article/congress-passes-cybersecurity-act-2015.
[12] Press Release, Office of the Press Sec’y, Fact Sheet: Cybersecurity National Action Plan (Feb. 9, 2016), https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
[13] Exec. Office of the President, Presidential Decision Directive/NSC-63 (1998), https://fas.org/irp/offdocs/pdd/pdd-63.pdf (last visited Oct. 8, 2016).
[14] Peter Lichtenbaum & Melanie Schneck, The Response to Cyberattacks: Balancing Security and Cost, 36 Int’l Law. 39, 41 (2002).
[15] Id. at 42, 48.