We Need Sensible Cybersecurity Regulations – More Is Not Necessarily Better

June 12, 2019

by Larry Clinton

When the ISA published the Cybersecurity Social Contract three years ago, one of the facts we documented was that some in critical industries were being forced to divert between 30% and 40% of their scarce cybersecurity resources to largely redundant regulatory compliance. This fact highlights twin maladies: redundant compliance undermines efforts to strengthen cybersecurity without improving either the security or the privacy regime.

Two years ago, the Senate Homeland Security Committee held a hearing that reinforced this finding. Yet as the need to take steps to address growing security and privacy concerns becomes ever more apparent, we seem determined to keep shooting ourselves in the foot (feet?) by piling on costly requirements without demonstrating their effectiveness and ignoring their counterproductive impact on securing organizational or personal data.

Case in point is the enactment of the European Union’s General Data Protection Regulation (GDPR), which aims to standardize data privacy across the EU, including potentially massive fines for non-compliance, and the California Consumer Privacy Act, which establishes new consumer privacy rights and also provides government penalties to ensure compliance.

Now, after a two-year transition and one year of actual GDPR implementation, EU regulators are still reporting that they are receiving privacy complaints at a rate of nearly 10,000 a month, calling into question the regulation's intended deterrent effect. Meanwhile, as companies prepare to comply with growing international and state cybersecurity laws, legal experts point out that the laws differ in key ways. For example, Stuart D. Levi—who co-leads Skadden’s Intellectual Property and Technology Group—compared the two laws and warned that, “While companies that have become GDPR-compliant may have an approach to data protection that will be useful in adapting to the CCPA’s requirements, GDPR compliance cannot be seen as dispositive for CCPA purposes as they differ in certain key aspects.”

The dynamic global data protection regulatory environment poses a significant challenge for companies, and compliance has implications for companies’ cybersecurity and bottom line.

The Ponemon Institute published the results of a global survey that included representatives from 53 multinational companies. According to their report The True Cost of Compliance with Data Protection Regulations, the average cost of compliance before GDPR was “$5.47 million or a 43% increase from 2011.”

But that investment doesn’t necessarily improve security:

Moreover, Ponemon reported that “indirect costs, such as administrative overhead, account for 40% of compliance cost activities,” and further found that compliance costs average roughly 14% of an organization’s total IT budget.

The Ponemon Survey also found that 90% of surveyed companies responded that complying with GDPR is difficult to achieve, and that half of respondents believed regulatory compliance with U.S. state laws would be difficult to achieve (even before California’s law).

Perhaps the two areas of nearly universal agreement in the cybersecurity/privacy communities are that 1) the security/privacy issues are growing to increasingly critical levels and 2) we, both industry and government, do not have sufficient resources to address these problems.

To the extent that regulations are required to address these issues, we need, at long last, to begin to assure that our prescriptions actually achieve their desired goals and that they do so in a cost-effective way, lest they be unsustainable and counter-productive.

The global policy community should keep these costs and survey findings in mind when establishing new cybersecurity and data security laws.