Page 108 - Privacy in a Cyber Age Policy and Practice
standards for companies would impede their flexibility by forcing them to
introduce cumbersome or inefficient cybersecurity measures.

Third, private sector representatives have suggested that cybersecurity
regulations would impose substantial costs, which the private sector would
be incapable of meeting profitably. A company would need to spend
millions in order to develop effective cybersecurity systems.19 Given that
about 82,000 strains of malware were created daily in 2013, it would take
large sums of money to “stay ahead of the curve.”20 Furthermore,
“businesses consider it unfair and inappropriate for the government to impose
on private industries security requirements that businesses consider a
public-sector responsibility. Such requirements are viewed as ‘unfunded
mandates.’”21 That is, corporate leaders argue that the provision of
security is the job of the government; thus, they hold that if the government
requires others to do part of the job by adding security measures above
and beyond those they would already independently introduce, the
corporations should be compensated for the related costs. However, these claims
are hard to justify when one considers the sheer bulk of many private
sector corporations’ budgets: Target, the object of a notorious December 2013
breach, had a $1.6 million cybersecurity system in place, true, but their
revenues that year topped $72 billion—making their investment in
cybersecurity roughly 0.0002 percent of their revenue.22

Fourth, the private sector has expressed concern that regulations
mandating that corporations report cybersecurity breaches to the federal
government and share news of cyber threats with their industry peers would cause
them damaging publicity or lead to lawsuits alleging liability for damages
to private citizens. One law office that provides corporate counsel wrote
that Target’s “potential total costs could reach over $1 billion” following a
major cybersecurity breach in December 2013. Another source estimates
that the cost of Target’s failure could top $18 billion once lost revenues
due to negative publicity are factored in.23 When retailer Neiman Marcus
suffered a similar security breach a few weeks later, it—and three other
retailers—waited a month to notify customers, presumably in an effort to
minimize negative publicity.24

In April 2014, the U.S. Senate introduced a bill that would incentivize
private sector sharing of cybersecurity data by providing liability protection
against lawsuits.25 Senator Dianne Feinstein, chair of the Senate Intelligence
Committee, stated that the bill “allows companies to monitor their computer
networks for cyber-attacks, promotes sharing of cyber threat information
and provides liability protection for companies who share that information.”26
However, this bill has not been adopted.

Moreover, not everyone agrees that the protection of corporations from
liability will properly incentivize the private sector to adopt cybersecurity