Insurance Journal reports on a potential cyber security law being discussed in Congress that could protect consumers and businesses from the risks of lost data.
Of course, in Congress, nothing is ever easy. One bill has been approved in the House, but Senate leaders are debating a revised version of their bill, hoping to find middle ground so that it will pass both houses.
The bill hasn't been finalized, but it looks like it will offer some liability protection for businesses that adopt data security practices and share data breach information with the Department of Homeland Security.
Why the emphasis on sharing? As you know, cyber security threats change all the time. In "Re: Your Recent Spear Phishing Attack," we profiled how spear phishing attacks have evolved to target small businesses with highly customized campaigns.
Lawmakers hope that by sharing more information about cyber attacks, businesses will be better able to guard their data against the always-changing volley of digital attacks.
Could Sharing Data Help Small-Business Data Security?
It might be useful to think about cyber security experts as if they were doctors. Doctors working at different hospitals all have to cure and prevent the same illnesses. Some years, the flu is particularly strong. If these doctors don't share information about their practices, they won't know about yearly trends in illnesses and new techniques to combat them.
Cyber security isn't too far off from that. Congress hopes that by encouraging businesses to share their cyber attack data, Homeland Security and other law enforcement agencies will be able to get a better picture of what attacks are targeting businesses and how to fight them.
How Will Cyber Attack Data Be Shared between Businesses?
If Congress can work out its differences and pass a version of this bill, it will require businesses to strip cyber attack data of any personally identifying information and send it to the Department of Homeland Security, which will then disseminate it to relevant law enforcement agencies.
In the wake of the Edward Snowden saga, privacy advocates are nervous about sending data to government law enforcement agencies, so this remains a significant hurdle for Congress to clear.
How Will IT Liability Be Affected by a New Cyber Security Bill?
One of the most intriguing components of this new cyber security bill is that it would limit the cyber liability of IT contractors and security professionals, potentially protecting them from some data breach lawsuits. To get this protection, IT contractors would have to…
- Share cyber attack information with federal agencies.
- Monitor their networks for cyber attacks.
It's unclear exactly what network admins would have to do to fulfill the second requirement. Given how much data security can change from month to month, it could be hard to standardize these requirements.
Why a New Cyber Security Bill Might Not Pass
This new cyber security legislation – and bills like it – faces two significant sources of opposition:
- Data privacy advocates who are concerned about sharing consumer data (even if it is anonymous) with government agencies.
- Consumer rights advocates who are leery of giving businesses liability protection from data breach lawsuits.
Because of this opposition, the bill might not pass or might be so watered down that it won't offer the same protection to IT contractors. Congress only has a few weeks to pass the bill, so the clock is ticking.
How to Protect Your Business When No Cyber Security Law Will
Unfortunately, IT professionals can't rely on the law to protect them from lawsuits – they need to invest in business insurance to cover their IT liability.
Professional Liability Insurance (also called E&O Insurance) pays for data breach lawsuits as well as other lawsuits about professional errors, missed deadlines, and other issues a client might have with your work.