In the course of preparing the Mid-Year Review for Trade Secrets law for the AIPLA’s Spring Meeting, I had an opportunity to step back and evaluate what is really going on from a legal standpoint in the burgeoning area of cybersecurity. And while cybersecurity is exploding from an IT and data management standpoint, the law remains in its infancy. Why is that?
The Absence of Clear Cybersecurity Legal Standards: Gibson Dunn issued a white paper entitled “Cyber-security and Data Privacy Outlook and Review: 2013” in early May and I thought it would be a good resource as I prepared the “Cybersecurity Law” portion for my presentation (it proved to be, by the way, and I would recommend it as a resource).
While the report was very comprehensive, what was revealing to me was the absence of any true over-arching cybersecurity law or standard. Rather, the report detailed developments in related statutes and areas — the Computer Fraud & Abuse Act, HIPAA, state and federal privacy statutes, the standards in class actions over data breaches, etc. — but it could not identify any defining rules or guidelines for what, if any, legal standards govern the security of data and information. That is because they don’t exist.
So the question arises, in a nation known for its ability to legislate over anything and everything, why are there no federal or state laws regarding cybersecurity, an issue that so dominates the national and business dialogue? I think there are four primary reasons for the absence of that legal standard.
First, the government cannot reach a consensus or does not fully understand the problem. Congress and the Obama Administration continue to bicker over what standards and carve-outs for liability should be in place so that companies have the confidence to partner with the federal government to disclose cyber risks. The inability to trust anyone to properly manage or safeguard this information — public or private — compounds the problem. Some might argue that this is a good thing, that the less of a role the government has, the better; however, once the financial consequences of these breaches become apparent, the need for some legal standard will arise.
Second, this is really a phenomenon that emerged in the public eye last year. There is always a natural lag between the emergence of a problem and the ability to meaningfully evaluate that problem and arrive at a satisfactory compromise that can be reflected in legislation or judicial opinions.
Third, except in a few instances (to be discussed in my next post), the losses associated with a cyberbreach have not become apparent yet. Until a plaintiff can come forward with concrete proof of tangible loss against a defendant against whom recovery is likely, the perceived need for a cybersecurity standard will not be an urgent one worthy of judicial or legislative attention.
Finally, development of a standard is complicated by the fact that cybersecurity is inherently an issue of technology, and highly involved technology at that. Very few of us fully understand the intricacies involved in transmitting, storing and securing information, particularly as those processes evolve so quickly. And frankly, the IT community has contributed to the confusion by failing (or perhaps even refusing) to adopt and communicate in a vernacular more accessible to the public at large.
So Where are We Headed? In my next post, I will discuss recent efforts by the federal government to impose standards in this vacuum as well as those few legal cases that have begun to emerge in this area.