There is currently one bill before the Senate, S. 773, the Cybersecurity Act of 2009, which would create a Cybersecurity Advisory Panel and attempt to inform the public about cybersecurity issues. It is aimed more at educating and training cybersecurity professionals than at punishing offenders. Because criminal law is inherently reactive instead of proactive, this kind of law is likely to be helpful. However, the Cybersecurity Act also contains elements that may be objectionable. For example, it "appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency."
Additionally, this method is far from uncontroversial. In 2005, Harris Miller, the then-president of the Information Technology Association of America (now called TechAmerica), voiced his opposition to government regulation, saying that it would create a barrier to innovation. Because companies innovate faster than the law can keep up,
It would also be helpful to unify the notification laws discussed here. As it stands, although they are similar, the laws are difficult to unify. Should a security breach occur, the notification process may be so onerous that a company may forgo it and attempt to hide the breach.
Laws Can't Do It All
Simply put, no matter how much we legislate, it will not be enough. It is simply impossible to create a completely secure system. The best way to make sure your data is secure is to secure it yourself. Some service providers will allow you to completely encrypt your data before it leaves your computer and only allow your computer to access it. The problem with this plan is that it is difficult to access your data from any other computer or device without specialized software. You would therefore lose some of the convenience and utility of the cloud. As with most things in the law, it's all a matter of balancing.
A user needs to be sure to pick a reputable service provider that will patch its systems for security updates quickly, and should pick a strong password or key. For more "self-help" information, see our page on this topic.
- Bill Brenner, RSA 2005: A Chat with Harris Miller, SearchSecurity.com, Feb. 10, 2005, http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1056380,00.html.
- Declan McCullagh, Bill Would Give President Emergency Control of Internet, CNET News, Aug. 28, 2009, http://news.cnet.com/8301-13578_3-10320096-38.html.
- Joby Warrick and Walter Pincus, Senate Legislation Would Federalize Cybersecurity, Washington Post, Apr. 1, 2009, at A4, available at http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html.
- Maxim May, Federal Computer Crime Laws, SANS Institute (Jun. 1, 2004), http://www.sans.org/reading_room/whitepapers/legal/federal-computer-crime-laws_1446.