As the former Congressional House Chairman on Cybersecurity, a subcommittee of the Homeland Security Committee, cyber security is a topic in which I continue to be deeply involved.
The cyber world is ubiquitous, directly affecting each of us in personal and global ways, yet it is little understood or appreciated; as a result, the nature of cyber threats, from the mundane to the critically serious, is ignored or given insufficient attention. The threat needs to be addressed by all, but particularly by companies needing to protect their intellectual property, privacy and security.
The recent security breach at Target should serve as a wake-up call for many. In addition to the loss of private information for as many as 70 million individuals, the evident breach has serious, real consequences for the companies involved. Already there have been indications that a number of investigations on the federal and state levels are imminent. Additionally, there is the specter of private litigation on behalf of those individuals negatively affected. Finally, there is the adverse impact on consumer confidence.
Those who seek to hack into, and/or otherwise disrupt, the various elements of e-commerce are nearly unlimited in number – both in terms of their identities and their unique approaches – making it impossible to mount a perfect or failsafe defense.
So what to do? What is the appropriate stance for companies situated such as Target? Obviously doing nothing is not the answer. Defense and mitigation strategies must be established and implemented. The fact is that there are many approaches available. At a minimum, a comprehensive program is necessary, starting with a company culture of good computer hygiene extending all the way to a robust cyber security regimen endorsed and enforced at the highest corporate levels. In today’s environment, cyber security must be part of a company’s DNA.
But then how to judge how much protection is enough? And whose protected interests are paramount?
While the final answers are likely to be played out in many different venues, the resolution of the matter should center on whether the company faithfully followed the contemporary industry standards for protecting their clients’/customers’ confidential information. Here, the challenge is how to appropriately and fairly ascertain such standards.
Some suggest that this should be a product of happenstance – allowing the underlying legal standard to be determined by many individual judges or juries in the context of active and endless litigation. Others argue that the determination should be made by the various state legislatures. I would argue that such uncertainty is neither in the interest of the ultimate consumers nor the companies involved. It is for this reason that I continue to argue for legislation on the federal level that would accommodate the twin necessities of market dynamism and legal certainty implicated in a deft regulatory scheme. As envisioned, voluntary industry standards, developed with the cooperation of the private and public sectors, would, if followed, afford certain legal immunities. Such standards would be performance-based rather than prescriptive and would necessarily bring the insurance industry to bear on the equation.
These, and many other questions, have been raised and discussed at meetings and conferences throughout the United States, and abroad. In November, I participated in two such conferences, one hosted by the University of Notre Dame Law School and another by the University of Pennsylvania. These types of conferences, along with many other organizations, bring together cyber security thought-leaders for enhancing guidelines and preemptive procedures for data protection.
The Honorable Daniel E. Lungren served in the United States Congress from 1979-1989 and 2005-2013. He was California Attorney General from 1991-1999. Congressman Lungren is a lawyer, national speaker and media commentator on such topics as immigration, law, and cybersecurity. He can be contacted at linkedin.com/in/danlungren.
To work with one of Digital Mountain’s cyber security experts to address your company’s data protection plan, contact us at 866.DIG.DOCS or info@digitalmountain.com.