Legislative Application to Cybersecurity
Cybersecurity is vital across every sector, from utilities to retail stores. This has been especially evident recently, with DDoS attacks crippling several websites. The tools used for these and other attacks have been IoT devices, and there is no easy fix for the IoT problem.
To directly discourage this activity, a number of federal statutes have been put into place. These, when applied, provide for years in prison post-adjudication. At the state level, statutes are being proposed to disincentivize this behavior. One of the recent proposals has been in New York, from the Department of Financial Services. Its focus is on financial institutions having substantial cybersecurity measures actively in place. This is a rather broad idea, but it looks to policies, procedures, staff training, vulnerability assessments, breach reporting, etc.
This rule, while very expansive, has been written to provide a baseline of protection for the data itself and for the private information of consumers. Although it is pertinent to all entities in this industry, a bit of common sense has been applied regarding the size of the entities. When SOX was being proposed, there was initially a concern that it would force small businesses out of business due to the compliance costs. At that point this was a distinct possibility. The regulation added sections that modified its applicability to these smaller businesses. The Department of Financial Services took the same approach and excluded the smaller entities. For certain entities, the proposal, if approved, would have imposed a rather substantial burden. The larger entities could absorb this cost and pass it on to consumers; the smaller entities could not.
Overall, the general consensus in the industry is not to add mounds of new regulations. In certain instances this has been counter-productive, adding another layer where one is not necessarily needed. Nonetheless, the states are becoming more involved in the fight against cyber-crime, to secure society and decrease the opportunity for our data to be stolen or sold.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.