Should Cybersecurity be regulated?

14 09 2012

by Will Liu


This past year has seen representatives from both sides of the aisle present multiple Cybersecurity bills. The numerous bills highlight the differences in philosophies about regulating Cybersecurity in America. Unable to resolve their differences and reach a compromise, lawmakers have made limited progress so far this year in getting legislation passed. The most recent Cybersecurity bill was blocked by a Republican filibuster in the Senate this past summer (Schmidt). The failures of bills presented in the House and Senate highlight the struggle to find a delicate balance between too much regulation and too little. Should Cybersecurity be regulated, and to what extent should the government get involved in the activities of private enterprise?

Existing regulation

A majority of states in the United States have passed laws governing disclosure to customers in the event of an information breach. Analysis of such laws can provide sample data and case studies for assessing how effective legislation regulating Cybersecurity at the national level would be. Companies are hesitant to publicly disclose information breaches because of the negative press and the drop in company valuation that follow. Furthermore, executive compensation is often tied to stock performance, so managers may have financial incentives to keep incidents under wraps, especially if they hold an equity stake in the company.

A majority of states have responded by enacting laws that require companies to disclose to customers whenever their personal information is compromised. California was one of the first states to enact legislation pertaining to data breaches, and most states have modeled their laws on California’s. An analysis of state data breach laws offers a good basis for extrapolating whether Federal Cybersecurity legislation would be beneficial as a whole or would merely increase costs to businesses and to society. Since state data breach laws have been around for some time, researchers have already begun analyzing data on the success of such laws. Researchers at the Heinz College at Carnegie Mellon have found that the “adoption of data breach disclosure laws reduce identity theft caused by data breaches by 6.1 percent, on average.” (Romanosky, Telang, and Acquisti) The laws also helped to “reduce the number of consumer records lost per breach, by about $800 on average, a change of 34 percent.” (Romanosky, Telang, and Acquisti) The researchers also found that the additional benefits to society as a whole from the regulation outweigh the additional costs borne by the companies.

The unknown costs of Cybercrime

In order to fully analyze the cost of Cybersecurity regulation and the possible positive or negative externalities to the public, it is important to have accurate figures. An investigation conducted by ProPublica revealed that the $1 trillion and $250 billion cybercrime cost figures often cited by politicians and government officials are based on studies with poor methodologies. (Maass and Rajagopalan) Those studies were conducted by McAfee and Symantec, companies that have a financial interest in inflating the numbers. Researchers questioned the methodologies used to extrapolate the figures and noted that the corporate reports published by Symantec and McAfee would not pass the rigor of academic review. (Maass and Rajagopalan) Government officials also have an incentive to inflate the numbers: leaders at agencies such as the NSA or the FBI often cite such large costs of Cybercrime as a means to support larger budgets for their respective agencies. Since important decision makers are citing poorly constructed numbers, it is not surprising that companies worry that politicians will draft Cybersecurity bills with a huge regulatory burden, especially if the lawmakers drafting such bills are basing their decisions on incorrect figures that may be multiples higher than the actual cost of cybercrime.

With high-profile incidents such as the information breaches at LinkedIn and Sony, it is easy to support additional Cybersecurity regulation to help reduce the occurrence of such incidents. However, Cybersecurity is a complex issue that cannot be solved through regulation alone. Private industry and government face different priorities. Government agencies and law enforcement may devote tremendous resources to conducting an effective and fair investigation that catches the criminals, or to preventing classified information from being stolen. In the private sector, it may be acceptable for occasional information security breaches to occur as long as the risks are managed and the costs minimized.

With regard to Cybersecurity regulations governing breaches of information, a Federal bill should be enacted to standardize information disclosure to customers. Currently there is a hodgepodge of laws enacted by the states, each with slight variations. A Federal law superseding state disclosure laws would help companies standardize their response procedures. The law should also take one further step and create a mandatory reporting mechanism requiring companies to disclose Cybersecurity incidents, including the costs of responding to them, the attack methods used, and the damage caused. Increased transparency would give researchers more data to build better economic models for predicting the aggregate cost of cybercrime to the United States. Furthermore, the additional information disclosed would make other companies aware of the current exploits and attack methods used by hackers. Such regulation would impose only a minimal cost on companies, since it requires nothing more than the disclosure of Cybersecurity incidents. It would also motivate enterprises to secure their systems to prevent such public embarrassments.


Maass, Peter, and Megha Rajagopalan. “Does Cybercrime Really Cost $1 Trillion?” ProPublica, 1 August 2012. Electronic. Accessed 11 September 2012.

Romanosky, Sasha, Rahul Telang, and Alessandro Acquisti. “Do Data Breach Disclosure Laws Reduce Identity Theft?” Journal of Policy Analysis and Management (2011): 256-286. Electronic.

Schmidt, Michael S. “Cybersecurity Bill Is Blocked in Senate by G.O.P. Filibuster.” New York Times, 2 August 2012. Electronic. Accessed 10 September 2012.
