“What we’ve got here is a failure to communicate!” Since birth, my father quoted this to me from the 1967 Paul Newman film Cool Hand Luke when I neglected to inform him of something important. In childhood, my lack of communication usually involved situations like “Oh yeah, I signed up to take my driver’s license test” (at the same time as my sister’s dance recital, in an ice storm).
In government, the same failure to communicate creates the following scenario presently plaguing the Cybersecurity Information Sharing Agency, National Security Agency, the Department of Defense, Federal Bureau of Investigation, and state fusion centers: No one wants to share cyber threat information with the government.
The reason for tight lips across the private sector is easy to grasp, if you care to think about it for more than a few minutes: in the race to regulate data and promote privacy, well-intentioned laws create opportunities to penalize the forthcoming. In 2018, the state of California passed its California Consumer Privacy Act (“CCPA”) nearly a month (almost to the day) after the European Union made its new General Data Protection Regulation (“GDPR”) effective. Both laws aim to give consumers greater rights over their personal data, prevent the unauthorized sale and use of that data, promote privacy, and permit fines against offending entities.
GDPR and CCPA are not the only punitive data control laws in existence. The state of Illinois has the Biometric Information Privacy Act (“BIPA”) and the Genetic Information Privacy Act (“GIPA”), both of which impose statutory penalties for each violation. Breach notification laws exist in all 50 states, almost all of which permit the state attorney general to impose fines against violators. And, in case monetary penalties and fear of class-action lawsuits are insufficient to terrify a private entity, the Federal Trade Commission posts the names of offending entities online and the Department of Health and Hospitals maintains a “wall of shame” for health entities falling victim to breaches. For financial institutions and publicly traded entities, please welcome the Securities and Exchange Commission and Sarbanes-Oxley to this chess match. Congress also annually introduces bills to create a federal Data Protection Agency for more consistent enforcement and to require decryption for law enforcement purposes.
As previously discussed here, bad actors use these exact same laws against their victims to extort ransom payments, artfully playing the math: pay a ransom and keep the situation quiet, or lose your data, expend funds on restoration experts, face regulatory fines, pay remediation costs for victims, suffer loss of goodwill, and invite potential lawsuits. Accordingly, the federal government and state governments unknowingly created a catch-22 for victims of cyber-attacks.
The solution to the present predicament is neither quick nor easy, again resting on the ability of states and the federal government to communicate. Without commenting on the legitimate purpose of well-intentioned consumer protection legislation (which I do appreciate), it is advisable for both sovereign entities to hit the pause button on new laws and regulatory requirements.
Instead, focus on the balance and campaign to promote information sharing by explaining the protections afforded those private entities who voluntarily disclose indicators of compromise. Mentioned by @LaCyberLawBlog on several occasions, the Cybersecurity Information Sharing Act preserves legal privileges, creates immunity from civil actions, and forbids responsive regulation in favor of public and private entities that share information with certain federal agencies. Sharing is easy, permitted through email and telephone calls to CISA, the FBI, and other federal agencies. Indeed, the FBI’s online tip portal permits anonymous tips and can be used with the Tor browser. Information Sharing Analysis Organizations and Information Sharing Analysis Centers (distinctive entities – sort of) all provide avenues for information sharing.
Before racing to the state house to copy a neighboring state’s regulations, consider investing in a non-penal campaign to ease private industry’s fears of information sharing.