Yes, I’m late to the party. President Obama signed the Cybersecurity Act of 2015 into law over a month ago, and plenty of ink has already been spilled about it. The act encourages, but does not require, companies to share cyber threat information (threat indicators and the defensive measures taken in response) with each other and with the federal government. Most of the ‘controversy’ has centered on the act’s perceived lack of privacy protections for individuals whose information is swept up in what gets shared.
Privacy is important. Measures should be taken to protect individuals’ data, and the act does include at least some level of protection. Whether it’s enough remains to be seen.
The more interesting issue is whether the act can even be effective at preventing data breaches. Somehow, that issue seems to have been largely lost in the shuffle. Many on the tech side doubt that the act can have a significant impact. “Cybersecurity through information sharing is like driving a car by looking in the rearview mirror,” explained Brett Helm, CEO of cybersecurity firm DB Networks. Because threats evolve rapidly, and because many of the largest breaches involve attack techniques not seen before, gathering information about past attacks may be only marginally beneficial, like studying diseases that no longer occur.
The effectiveness of the act should drive the privacy protection debate. If the act is effective, shouldn’t the concern over privacy be abated by the fact that additional data breaches were prevented, resulting in the compromise of fewer individuals’ data? If the act is not effective, the problem isn’t the information exchange. It’s the fact that massive amounts of data remain vulnerable.
The Cybersecurity Act of 2015 is certainly not going to be the last federal word on cybersecurity. We can expect to see attempts to standardize breach notification, to impose security standards and possibly even to standardize liability exposure. As these new laws are debated, however, we should not lose focus on the primary goal of preventing breaches in the first place, with the aftermath of the breach being a secondary concern.