25 August 2015

Federal cyber failure

By PATRICK N. FORREST  
8/24/15 

The most fundamental purpose of government is to protect the nation against outside attacks and to ensure the safety of its citizens. Our federal government is failing in this foundational duty. This month we learned of yet another federal failure to adequately secure Americans' private information. A hack of the Internal Revenue Service first reported in May was nearly three times as large as previously stated, with hackers stealing information from as many as 334,000 taxpayer accounts.

This comes on the heels of the largest hack of Americans' information in history, with over 20 million individuals' records stolen from the U.S. Office of Personnel Management. If the government cannot defend itself against cyberattacks, it should not demonize the private sector when, after good faith efforts, it cannot either. A private sector data breach is the only crime for which we punish the victim rather than the perpetrator. Business needs a robust government defender and adequate liability safeguards to protect free enterprise and cultivate innovation.

American business is on the frontline of modern warfare. Companies of all sizes are responsible for defending against cyberattacks from the most sophisticated nation states and large-scale criminal and terrorist enterprises. Cyber warfare, unlike conventional military capabilities, does not have a high cost of entry, and many actors are rapidly developing sophisticated operations.

Further, cyberattacks on large companies shot up by 44 percent from 2013. Lloyd's of London estimates that cybercrime costs businesses more than $400 billion a year. For the first time in history, our private sector is tasked with defending itself against direct attacks from our nation's enemies. However, there is an emerging threat to American companies in this war, a coming barrage of costly state court cyber litigation that will place the very existence of American manufacturing at risk.

The focus of cyberattacks has spread from one economic sector to the next as evolving technologies provide new opportunities for penetration. Traditionally, we think of data breaches targeting large retailers and financial institutions, although small and medium-sized businesses were the targets of approximately 60 percent of all cyberattacks last year. The rapid rise of the Internet of Things (IoT) — the increasing interconnectedness of devices with the ability to gather, store, process, and send data — means the amount of data and number of devices attackers can target is exploding. Nearly 40 percent of manufacturers already embed sensors in their products to allow customers to gather sensor-generated data. This radical change in where and how we incorporate interconnected technology will mean that manufacturing is about to become one of the most targeted economic sectors for cyberattacks.

The security and legal landscape has not kept pace with changing technology. In the absence of clear federal authority, state governments are filling the enforcement role. Despite calls from manufacturers to create a uniform national standard, Congress has been unable to agree on federal data breach notification and protection legislation. Companies of all sizes are forced to navigate a patchwork of state data security and privacy laws that fail to provide important guidance and establish clear lines of responsibility when an individual is harmed as a result of a breach. State attorneys general are stretching the limits of general consumer protection laws to make companies pay up when a data breach occurs despite the companies' best efforts to thwart breaches. Since no company wants to litigate in all 50 states, the attorneys general are pushing for settlement terms through consent decrees. The result is inadequate and unintended industry standards, resulting in regulation through litigation.

Trial lawyers will take advantage of this unknown legal landscape by becoming increasingly aggressive in finding new ways to pursue class action litigation against companies for failing to meet a security standard that even the federal government seems unable to meet. For example, the plaintiffs' bar is already working to promote vague and flexible IoT standards at the state level, where courts have more lenient requirements for standing and class certification. Specifically, they have been seeking to seed state privacy laws with private rights of action, limited or no harm thresholds for suit, and per se violations on an almost strict liability basis with statutory damages.

We have not yet seen the full extent of this type of liability on manufacturers and the private sector. If the trend continues, we will find ourselves in a world where the threat and cost of legal action stifles our innovation economy and stops manufacturers from developing new products that will improve, and many times even save, lives.

Manufacturers are already preparing for what is to come by building cybersecurity solutions through their products and processes. Government must deliver forward-looking policies that plan for where we will be five years from now and not just deal with today's or — as is more commonly the case — yesterday's threats.

The IoT stands to revolutionize manufacturing and benefit consumers more so than anything since the assembly line and interchangeable parts. Without better security and liability protection for the private sector and consumers alike, however, the coming onslaught of litigation costs may become a greater threat to innovation and free enterprise than cyberattacks themselves.

Patrick N. Forrest is vice president & deputy general counsel at the National Association of Manufacturers.
