The Efficacy of Cybersecurity Regulation

Publication year: 2013

David Thaw


Abstract

Cybersecurity regulation presents an interesting quandary where, because private entities possess the best information about threats and defenses, legislatures do, and should, deliberately encode regulatory capture into the rulemaking process. This relatively uncommon approach to administrative law, which I describe as Management-Based Regulatory Delegation, involves the combination of two legislative approaches to engaging private entities' expertise. This Article explores the wisdom of those choices by comparing the efficacy of such private sector engaged regulation with that of a more traditional, directive mode of regulating cybersecurity adopted by the state legislatures. My analysis suggests that a blend of these two modes of regulating is superior to either method alone.

Federal regulation of cybersecurity through HIPAA, Gramm-Leach-Bliley, and the Federal Trade Commission's enforcement heavily involves private organizations subject to the regulation in the establishment of the actual practices and standards to which those organizations are held. By contrast, the state cybersecurity laws—a form of disclosure-based regulation that de facto achieves directive regulation—detail specific standards developed without industry input.

This Article compares the efficacy of those two modes of regulating using a mixed-methods empirical approach. Qualitative data based on interviews with Chief Information Security Officers (CISOs) at leading multinational corporations details the practical effects of how regulation drives cybersecurity practices. Analysis of quantitative data describing security breach incidents reveals that a blend of the two types of regulation is substantially more effective at preventing such incidents than is either method alone. These results provide insight into ways to mitigate the risks of deliberate regulatory capture while still leveraging the unique knowledge private entities have about what are the most salient cybersecurity threats and defenses.

Table of Contents

Introduction

I. Developing a Theory of Regulatory Classification
A. A Brief Summary of Information Security Regulations
1. Federal Information Security Regulation
2. State Information Security Regulation
3. Other Information Security Regulations
B. Coglianese and Lazer's Model
C. The Role of "Timing"
1. The Information Security Production Lifecycle (ISPL)
a. Design/Planning Stage
b. Implementation/Maintenance Stage
c. Efficacy/Output Stage
D. Coglianese and Lazer's Model is Incomplete
E. Reconsidering Regulatory Classification for Information Security
1. Directive Legislation
2. Traditional Notice-and-Comment Rulemaking
3. Notice-and-Comment Rulemaking with Deference to Industry (Regulatory Delegation)

II. Applying the Model to Information Security
A. Directive Regulation
B. Management-Based Regulatory Delegation
1. Health Insurance Portability and Accountability Act Security and Privacy Rules (HIPAA)
2. Gramm-Leach-Bliley Financial Modernization Act (GLBA)
a. The FTC GLBA "Safeguards Rule"
b. The GLBA Interagency Guidelines on Information Security
3. FTC Enforcement Action/Jurisprudence
a. Indirect Consequences of FTC Enforcement Actions

III. Quantitative Comparisons: Tracking Security Breach Incidence
A. Tracking Breaches of Personal Information (2000-2010)
1. Dataset and Variables
2. Analysis Groups: Previously Regulated and Previously Unregulated Entities
3. (Three) Trends in Breach Incidence
B. Blended Regulation is Optimal at Preventing Breaches
1. Blended Regulation Compared to Directive Regulation Alone
2. Blended Regulation Compared to Management-Based Regulation Alone
C. Analytical Limitations and Future Research
D. Conclusions from Quantitative Analysis

IV. Qualitative Accounts of Regulation as Driving Security
A. Views from Chief Information Security Officers
B. Effects of Regulation on Organizational Roles: Locking the Bank or Vault Door and Leaving the Back Window Open
1. Directive Regulation: SBNs Decrease Reliance on Technical Professionals
2. Management-Based Regulatory Delegation: HIPAA and GLBA Increase Reliance on Technical Professionals
C. Unreasonable Deficiencies in "Reasonableness": Lack of Clarity Impedes Compliance Efforts

Conclusion

Introduction

Several years ago, while driving back from a job interview in Washington, D.C., I recall receiving (on my hands-free-enabled mobile phone) an "urgent" phone call from the issuing bank of my primary credit card. Upon returning the call, I learned that my credit card had been compromised and a new card needed to be issued—immediately. As a young cybersecurity scholar, I was curious and, inquiring further, was able to learn only that one of the payment processors with which the bank worked had experienced a massive security breach, and it was under investigation.

In 2008, payment card processor Heartland Payment Systems experienced a security breach1 that resulted in the compromise of approximately 130 million consumer payment card records.2 The compromise was the result of malicious software placed into Heartland's network that extracted the data describing payment card transactions and transmitted that information, including sensitive financial account information, to an outside hacker.3 The aftereffects of this breach included a substantial federal lawsuit and settlement fund,4 substantial negative media coverage, and millions of customers (including the author) having to go through the process of waiting for a new card to arrive, checking statements for fraudulent transactions, and updating their information with vendors and automatic payment systems.5 All because a vendor of very substantial size failed to employ reasonable security measures that could have prevented the hacker.

Cybersecurity is a complex topic in itself. Cybersecurity regulation, a topic of substantial policy and media attention over the past several years,6 involves a complex mixture of state and federal regulation including varying regulatory approaches and varying degrees of scope. This Article seeks to accomplish three tasks: 1) describe the existing framework of cybersecurity regulation and contextualize that framework within existing scholarship on regulation,7 2) present the results of a mixed-methods empirical study evaluating the efficacy of the various regulatory approaches currently in use,8 and 3) discuss how particular innovations in cybersecurity regulation result in a new, hybrid form of regulation not yet well-described in the literature.9

Unpacking "cybersecurity regulation" begins first with understanding to what the term "cybersecurity" refers. Cybersecurity and cyber-attack are increasingly common terms in public discourse, but there is surprising disagreement as to what precisely they refer. The terms are too often used broadly to include all of electronic crimes,10 military action,11 domestic guard/homeland security activities,12 corporate risk management,13 financial security,14 and a wide spectrum of other activities related to computers, the Internet, privacy, and other similar topics.15 I do not suggest the term is misapplied to any of these topics, but rather that more precise terms would be helpful. To that end, for the purposes of this Article, I discuss those aspects of cybersecurity which refer to the information security measures16 that custodians of consumer data17 take to protect such sensitive information. Thus the scope of this Article is private law and regulation, and it uses the term information security to describe those administrative, technical, and physical methods and practices involved in maintaining the regulatory standards imposed on private data custodians.

This Article introduces the concept of Management-Based Regulatory Delegation.18 Cybersecurity presents an uncommon challenge in that the regulated entities—the private...
