Cyber Regulation: No Coke, Pepsi

By Phil Reitiner

Businesses may be sighing in relief that the new U.S. administration is opposed to additional regulation and has imposed a “regulatory moratorium.”  This will almost certainly slow the pace of additional federal regulation on cybersecurity and privacy in the United States.  But it doesn’t mean the end of regulation.  Indeed, a combination of factors will often lead to the same result – imposition of additional mandates – but in a less efficient and more burdensome way.  Mandates will be imposed but from a greater diversity of sources, with less clarity on what the actual requirements are.  If you recall the Saturday Night Live skit about the Olympia Restaurant, the “Cheeseburger” skit, and if cyber regulation is “Coke,” what you are going to get is “No Coke, Pepsi.”  You can still have a carbonated, sweet beverage but with a slightly different taste and maybe not what you wanted.

Cybersecurity and privacy regulation will arise from at least three sources:

First, the lack of new mandates from the U.S. government doesn’t mean less regulation from non-U.S. entities.  The most significant of these may be the European Commission’s General Data Protection Regulation (GDPR), which will have significant effects for most international businesses and allows fines of up to 4% of “global annual turnover.”   That’s a significant amount.  Also of import is the Commission’s Directive on the Security of Network and Information Systems (the “NIS Directive”).  China – an important market – is adopting cybersecurity regulation too.  Keep in mind that there are about 200 countries, along with additional international bodies with significant authority, such as the International Telecommunications Union.

Second, U.S. states may charge in where the federal government fears to tread.  New York State is proceeding down this path with additional regulatory mandates for financial institutions.  Many of you will also be familiar with the plethora of state breach disclosure regulation that developed when California first adopted SB 1386.  The diversity of those breach disclosure requirements has led to repeated calls from industry for imposition of a harmonized U.S. federal breach disclosure requirement, because federal regulation would be less burdensome.

Third, the lack of clear requirements will lead quasi-regulators, including the Federal Trade Commission in the U.S. and others (e.g., privacy commissioners) around the world to impose prospective entity-specific requirements and after-the-fact fines, resulting in de facto regulation.  In the case of the FTC, an allegation that a company was negligent in failing to take “reasonable” practices, and therefore engaged in unfair trade practices, may lead to imposition of a 20-year consent decree (which is entity-specific regulation) with regular reporting to the FTC.

It’s hard to say if this mélange will result in stronger, or weaker, mandates.  Some privacy advocates have opposed a single U.S. federal law because a mix of state laws likely results in companies having to comply with the maximum set of requirements.  There is one certain result, however: cybersecurity spending for consultants and lawyers will increase.

And regardless of your view of additional regulation, I hope most of you will agree with the need for clarity, transparency, and technology neutrality in any set of mandates.  If governments want companies to do more to protect themselves – which they both should want and actually do want – then it is incumbent upon government to make clear what that is and how it can be determined if a mandate is to be imposed.

Enjoy your beverage.  I hope you like Pepsi.

The author, Phil Reitinger, is the President and CEO of the Global Cyber AllianceYou can follow him on Twitter @CarpeDiemCyber.