How Washington is Impacting Small Business and IT
Small and medium-sized businesses (SMBs) in the technology and IT sectors have an important role to play in getting the economy back on track — assuming they are able to play in it. SMBs compete directly with larger and more highly capitalized companies by using the Internet to level the playing field. All you need is a laptop, an internet connection and a great idea to compete head-to-head with bigger companies around the world. Unfortunately, the Internet also makes it much easier for bad actors to conduct illegal activity.
We have seen a record number of security threats and breaches in the last twelve months. In fact, McAfee recently reported that there were more malware attacks during the first quarter of 2011 than at any other time since malware was created. The increasing reports of hackings and compromised data security have attracted the attention of media, consumers and policymakers, causing cybersecurity to emerge as a very serious and challenging public policy issue.
There is no denying that legislation around this issue is important to protect consumers. But lawmakers must not over-regulate the Internet in a way that stifles opportunities for American SMBs. Legislation that appears pro-consumer may have unintended consequences, such as limiting innovation and competition and increasing compliance and regulatory costs. This in turn will ultimately harm the consumer through reduced technological innovation, fewer jobs created and diminished competition in the IT sector.
The three areas that have received the most attention from Congress - cybersecurity, data breach, and privacy - must be handled carefully, with both business and consumers in mind.
The security of critical infrastructures is vitally important to the nation’s economy. So far in the Senate, Majority Leader Harry Reid (D-NV) has introduced the Cyber Security and American Cyber Competitiveness Act of 2011 to safeguard critical infrastructure, including the electric grid, military assets, the financial sector and telecommunications networks. In the House, Congressman Jim Langevin (D-RI) has introduced a comprehensive proposal for cyber security reform. Earlier this year, the White House also released its cyber security framework for legislation.
These are all good starts for cyber security reform. First, the federal government should enable information sharing and best practices between the private and public sectors. A clearinghouse should be established to share information on real-time security threats and use incentives such as safe harbors to promote good cyber security governance.
Second, the Federal Information and Security Management Act (FISMA) should be updated to reflect real-world threats to information security systems. An approach of continuous monitoring reflects the realities of the current security environment.
Finally, the government should develop educational pathways to foster and create new cyber security professionals through educational and certification programs in the federal IT sectors. Although the above-referenced cyber security legislative proposals contain many of these provisions, it's important that they survive the legislative process.
On the issue of privacy, the House is beginning to hold hearings on how information is collected, protected, and utilized in an increasingly interconnected online ecosystem. While these efforts may produce results for consumers, it is critical that any new privacy legislation contains provisions that are technology neutral, that the government takes the role of convener of the various stakeholder groups and that the policies be adopted in such a way that they can be modified as the technology changes. A best practices model that contains enforceable promises makes sense because it can be adjusted to take care of privacy while also granting the Federal Trade Commission (FTC) greater enforcement authority and resources to ensure that promises are met.
With regard to data breach, both Houses have introduced versions of legislation. Policymakers point to the ongoing threats to consumers and the need to hold the industry accountable for maintaining robust and current security practices. This is particularly challenging because there are currently more than 46 states and US territories with state data breach notification laws. This patchwork of state laws imposes unnecessary costs on SMBs. Thus, it is critically important that any data breach law pre-empt all state data breach laws. It is also critical that the preemption provision apply to every aspect of the law, such as what triggers a notice and the timeframe under which notice must be provided to consumers.
Next on data breach, there should be incentives for companies to engage in good behavior by providing safe harbor provisions. The FTC should be empowered with the resources to go after bad actors. Furthermore, the FTC and the state attorneys general should be granted exclusive authority to litigate cases involving data breaches.
One thing everyone can agree on is that our existing framework for Internet governance is outdated. Future legislation must take into account the rapid pace of change in this economy and strike a delicate balance between taking care of American citizens and allowing businesses the flexibility to innovate and remain ahead of the technology curve to ensure that the US remains a leader in the Internet economy.