As the risk of cyberattacks has become better appreciated, we see an increasingly punitive focus on holding corporate America solely responsible.
Multiple, overlapping laws at the national and state level require companies to have “reasonable” security, a concept that is largely undefined and elusive. And regulatory enforcement actions and lawsuits in the wake of cyberattacks declare any exploited security vulnerability “unreasonable,” without a meaningful assessment of the company’s overall security program or acknowledgment that the company has been the victim of a crime.
It is simply not possible, at present, for every company in America to have sufficient internal cyber-expertise to manage the risk. The challenge is compounded by the resources and sophistication that state and criminal cyber attackers can bring to bear.
Companies that suffer cyberattacks are, and should be treated primarily as, victims. Yet a company that suffers a breach faces a substantial risk of multiple regulatory investigations and class action lawsuits, all focused on assigning blame to the organization for having inadequate security measures, no matter the strength of the company’s overall security program or the investment made.
That perspective is not only unfair, but counterproductive. Instead of focusing on remediating the incident, restoring operations, improving security and mitigating potential harms, a company in the midst of a cyber breach also needs to worry about the record that is being created, what is being written down, whether lawyers are sufficiently involved in the forensic investigation and other considerations bearing only on protecting against liability.
Government has a number of comparative advantages over the private sector, such as the ability to collect and exploit intelligence and to coordinate internationally with other governments and law enforcement agencies. It should do more to give the private sector the benefit of these advantages.
Companies that meet a defined set of risk-based requirements, which could be developed through a collaborative, multi-stakeholder process, should have a safe harbor from liability, recognizing that they are victims, not perpetrators, of malicious cyber activity.
(Samir C. Jain and Lisa M. Ropple are partners at Jones Day. This article represents the personal views and opinions of the authors.)

