From: RegBlog
David Thaw
Cybersecurity is a “hot topic” in U.S. politics. The White House issued an Executive Order earlier this year, the Department of Defense classified cyberspace as a war domain, Congress considered multiple pieces of legislation, and both the popular and trade press continue to report on numerous high profile incidents both in government and the private sector. Some leading experts have called for comprehensive cybersecurity regulation.
The call for “comprehensive” regulation is misleading, though, because it risks applying a one-size-fits-all solution to a problem that is anything but uniform. The better way to approach cybersecurity is through the concept of Management-Based Regulatory Delegation (MBRD), a flexible approach to regulating that would employ aspects of delegation to private industry both on the front-end—in rulemaking—and on the back-end—in compliance and enforcement.
The MBRD approach to cybersecurity builds on the work of Ken Bamberger, Cary Coglianese, and David Lazer, and suggests a regulatory framework capable of harnessing private expertise to address complex and highly technical problems in heterogeneous industries. Whether intentionally or by accident, Congress experimented with this method for cybersecurity regulation of the healthcare and finance industries. This experiment provides us with valuable insight into leveraging private expertise.
A particular challenge to cybersecurity arises because it calls for the protection or regulation of four categories of information systems: military and defense operations, non-military government information systems, private sector critical infrastructure, and non-critical private sector information systems.
The competencies required to address the threats faced within each of these categories differ in several ways. Military and defense operations, for example, must adopt a more stringent “risk prevention” approach, which they are also better suited to achieve because of the command hierarchy, backed by the threat of criminal punishment, inherent in the military.
Private companies operating non-critical information systems, by contrast, have a fiduciary duty to their shareholders to apply the most efficient level of protection—which may differ widely from the “strongest” level of protection. They also lack the ability to enforce as rigid a hierarchy as the military.
Private companies operating critical infrastructure, such as utilities, telecommunications, financial systems, and healthcare systems, share many of the same characteristics as other private organizations, but they possess a heightened protection obligation stemming from the substantial negative externalities that arise if their systems fail or are compromised.
So where does this leave us in figuring out how to regulate information systems? How should government develop effective information security regulation in the context of private organizations?
Both healthcare entities—through HIPAA—and financial entities—through the Gramm-Leach-Bliley Act (GLBA)—have been subject to information security regulation since the early 2000s. With few exceptions besides critical infrastructure, however, most industrial sectors got their first taste of information security regulation with the spread of Security Breach Notification laws (SBNs) at the state level, most of which occurred in the latter half of the 2000s.
HIPAA and GLBA are both examples of Management-Based Regulatory Delegation, as their information security provisions employ hybrid rulemaking procedures requiring regulatory agencies to engage in pre-rulemaking consultation. In implementing these laws, both healthcare and financial regulators used this front-end consultation requirement to develop regulations setting forth aspirational goals, ultimately requiring that individual regulated entities develop and adhere to their own compliance plans to meet these goals. This form of regulation relies heavily on private expertise within regulated entities to determine the precise details of organizational regulatory compliance.