Stopping Data Breaches Will Require Help from Governments

Not a month goes by without a major corporation suffering a cyberattack. Often state-sponsored, these breaches are insidious, difficult to detect, and may implicate personal information relating to millions of individuals. Clearly, the current approaches to safeguarding sensitive data are insufficient. We need to reorient expectations for the role of the private sector in cybersecurity. As the risk of cyberattacks has become better appreciated, we see an increasingly punitive focus on holding corporate America solely responsible.

Multiple, overlapping laws at the national and state level require companies to have “reasonable” security, a concept that is largely undefined and elusive, especially given that threats and available defensive measures constantly evolve. And regulatory enforcement actions and lawsuits in the wake of cyberattacks declare any exploited security vulnerability to be de facto “unreasonable,” without a meaningful assessment of the company’s overall security program or acknowledgement that the company has been the victim of a crime.

Read this article in the Harvard Business Review written by Samir C. Jain and Lisa M. Ropple, partners at Jones Day. This article represents the personal views and opinions of the authors and not necessarily those of the law firm with which they are associated.