Media Coverage
Source: Law360
02.04.15
U.S. President Barack Obama’s proposed national cybersecurity legislation, news of which came last month, could have huge implications for banks and retailers, though some say a lack of clear parameters may render the proposal difficult to implement. The cornerstone of Obama’s proposal would be a requirement that companies notify customers affected by a data breach within 30 days of the breach. But given the frequency and variety of cyber threats, the ambiguity in language about when a breach actually occurs and conflicting standards in existing state laws, the legislation would seemingly need many details clarified.
“That’ll be a difficulty, because there are all sorts of different definitions under state law,” said Global Security partner Brian Finch. “Every network is being attacked, and every network is being penetrated, but that doesn’t mean that any data was exfiltrated at any given time.”
There is also concern among cybersecurity authorities that any legislation would be unable to keep up with the pace at which new cyber threats are introduced.
“The threat morphs so rapidly that any time you establish a base, it will be outdated in months if not weeks,” Finch said.
Finch and others reiterated this concern when reacting to the Obama administration’s proposed $14 billion cybersecurity budget, announced this week as part of a fiscal year 2016 budget request.
“As always, the devil will be in the details,” Finch said. “What will be most important is that the money is actually spent on next-generation defenses rather than to refresh old signal-based defenses. … The government needs to be spending its money on advanced cyberdefenses that look for previously unseen developments in malware that pose a threat to both the government and private companies.”