The past year has proven to be a contentious and disruptive time for the technology sector. The threat of homegrown terrorism, combined with the adroit use of social media by terrorist groups, has forced the tech sector to come into far closer contact with the intelligence community than it would prefer – especially following the disclosures made by Edward Snowden. This was seen most significantly during the conflict between Apple and the FBI over breaking the encryption on a terrorist’s iPhone. The FBI attempted to use legal pressure to force compliance from Apple, but that attempt had, at best, mixed results. At the same time, it highlighted the rapidly changing legal landscape that technology firms must navigate in order to avoid running afoul of the government.
The legal and regulatory environment for technology companies is shaped primarily by two forces: legislation and judicial decisions. However, it appears to be very difficult for legislators to make effective laws when it comes to cyber issues. This is largely because the legislative process is, by design, slow and methodical, while technology is changing at an extremely rapid pace. The most recent piece of major federal legislation, the Cybersecurity Information Sharing Act (CISA), prompted a great deal of controversy – even though CISA was still benefiting from the shock generated by the Office of Personnel Management (OPM) hack.
Beyond this, cybersecurity regulations and legislation vary wildly from state to state. This slow legislative pace at the national level, combined with the inconsistency at the state level, has created an extremely difficult environment for businesses. “We need to standardize the legislation, and have an overarching federal piece of legislation instead of 47 different patchwork pieces of legislation,” Chris Pogue, the Chief Information Security Officer at Nuix, told The Cipher Brief. “That will help organizations understand what their legal risk is and what their legal requirements are.”
Enter the judges. Because the legislative process takes so long, but legal challenges need to be addressed in a timely fashion, more and more often it is falling to judges to make important rulings on key cybersecurity issues. During the Apple-FBI case, two different judges on opposite sides of the country made two opposing rulings about the applicability of the All Writs Act in requiring tech companies to comply with government requests. Similarly, a judge in New Jersey radically changed businesses’ understanding of their own liability after being hacked when the United States Court of Appeals for the Third Circuit handed down its ruling on FTC v. Wyndham Worldwide Corporation.
Enterprise cybersecurity compliance is difficult, both because the legal and regulatory environment is innately challenging and because the technology itself keeps changing. Until greater cohesion is achieved on the regulatory side, or more robust legislation is passed on the legal side, this unfortunate state of affairs will continue.