Cybersecurity Legislation May Do More Harm Than Good
Posted on 02.16.17
This article, written by Chris Moschella (Keiter) and Collin Hite (Hirschler Fleischer), is featured in the February 2017 issue of Virginia Business.
"A paramount concern for the commonwealth’s businesses — large and small — is cybersecurity. During the current session of the General Assembly, state Sen. Glen Sturtevant proposed an update to Virginia’s cyber crime statute. The amendment would have made it a felony for cyber criminals to use ransomware. This was a worthwhile bill considering the explosion of ransomware crimes during the past year, which can hit Virginia’s small businesses hard. Although the legislature jettisoned the bill this session, it is a sign that Virginia lawmakers are beginning to seriously consider regulations in the area of cybersecurity. However, we urge caution.
Cybersecurity laws are quickly becoming complex and fragmented as more and more are being passed around the country and at the federal level. In addition, governmental agencies also issue guidance on what each expects from businesses they regulate, such as the Securities and Exchange Commission (SEC). Finally, there are even private regulations that can impose cybersecurity requirements on Virginia’s business community. This jumble of laws, regulations and rules are making it increasingly difficult for businesses to comply without an undue burden. For example, approximately 48 states and the District of Columbia have separate cyber-breach notification laws. Lawmakers should move cautiously in proposing any cybersecurity regulations in Virginia to avoid further confusion and the creation of “just another cybersecurity requirement.” It is critical that states work together to bring uniformity to their respective cybersecurity laws. The National Governors Association has the ability to take the lead on this issue, and we urge it to do so."