Last week, the entire world witnessed a farcical display of the complete lack of understanding that our Congress has about technology. Google CEO Sundar Pichai – the man who brought the world a better web browser – sat before Congress answering ridiculous – almost laughable – questions from our congressional representatives. The same representatives are the people in charge of creating legislation around cyber security. How can they pass laws on a subject about which they are so woefully ignorant? The unfortunate answer to that question is simple: just like they make laws about everything else. That’s bad, but the real problem is in the enforcement of such legislation. That’s where Federal Agencies like the FTC enter the picture. It is their job to enforce cyber security legislation that Congress passes.
Bad Law Makes for a Big Mess
When Congress passes cyber security legislation directed at corporate entities, those entities, most of which are small businesses, have the burden of compliance. This burden creates both danger and opportunity.
Lawyers, associations, and compliance law firms like that there are compliance issues, because there is opportunity in that mess to make money. Someone has to teach businesses how to be compliant and validate that they are indeed in compliance. However, “compliance”, especially in the area of cyber security, is unclear. Congress mandates that certain organizations “must be secure”. However, Congress does not dictate the definition of “secure”. There are no standards for compliance with cyber security legislation until a precedent is set. The enforcing agency creates a baseline by its chosen level of enforcement. So agencies like the FTC get free rein to determine the “standards” of compliance.
Congress doesn’t direct agencies to educate or collaborate, but simply to enforce cyber security legislation. Enforcement in the area of cyber security does not solve problems or create actual security. Instead, it creates money in the form of billable hours for law firms and compliance agencies.
Cyber Security Legislation: Constantly Moving Goalposts
The current cyber security regulatory framework is a failure because, having no standards for compliance or enforcement, the agencies simply make up the rules as they go along. Questioning the authority of the Federal Government requires years and millions of dollars. Before the LabMD case, nobody had taken on the burden of risk involved in challenging the authority of the Federal Government in such an enforcement environment.
LabMD did not have the money to defend itself, so the company had to raise the funds for its defense. The ordeal destroyed the business, because being attacked by a Federal Agency created so much anxiety among the employees. However, it also exposed the fact that agreeing to a consent decree is not actually justice. Instead, it is, practically speaking, paying for the FTC to go away. Most businesses are fine with that, because it removes the 900-lb gorilla from the back of the business. However, when it came to cancer patients in a healthcare facility, the FTC went too far, even for a federal agency. In the final ruling, a Federal Court determined that the FTC lied about what it found, and lied about what LabMD had in place for cyber security protocols, practices, and policies. It took years to prove.
Justice is Expensive
The mountain to justice is steep and expensive, and the vast majority of people will not climb that mountain. Federal agencies understand this fact, so they are very good at intimidation, bullying small organizations into submission. However, because very few organizations ever challenge the authority of the Federal Government, Federal agencies are not good at being challenged and questioned in court. It almost never happens because it is so expensive, so these agencies are not prepared for it.
If private organizations are not willing or able to hold federal agencies accountable, regulators will continue to be rogue and unaccountable.