Jim Dempsey and John Carlin on U.S. Cybersecurity Law and Policy: There’s a Lot Going On
Apr 8, 2024
Jim Dempsey and John Carlin discuss U.S. cybersecurity law and policy on the podcast. They cover topics such as the SEC's cyber disclosure rule, preventing access to sensitive personal data, and disruption efforts like LockBit and Volt Typhoon.
Different regulatory approaches in US cybersecurity law pose challenges and complexities.
SEC's new rule emphasizes timely and transparent reporting of cyber incidents by publicly traded companies.
IEEPA grants the president broad regulatory power to address cybersecurity threats and enforce sanctions.
Deep dives
Regulatory Competing Currents in Cybersecurity
There are competing currents in US cybersecurity law and policy, with various regulatory regimes focusing on different aspects. Some emphasize reporting cyber incidents privately to government agencies like the FBI, while others stress public reporting. These differing approaches pose challenges and complexities within the cybersecurity landscape.
SEC's Cyber Disclosure Rule Impact
The Securities and Exchange Commission's new rule on cybersecurity disclosure aims to ensure timely and transparent reporting of cyber incidents by publicly traded companies. The rule requires companies to determine whether an incident is material and, if so, to disclose it within four days. While concerns exist about enforcement and about the specifics of what must be reported, the rule emphasizes the importance of responsible disclosure to shareholders.
IEEPA and National Security Authorities
The podcast delves into the International Emergency Economic Powers Act (IEEPA) and its role in regulating transactions involving foreign interests. IEEPA gives the president broad regulatory power to block transactions in national security emergencies. The podcast discusses how IEEPA has been used to address cybersecurity threats and to enforce sanctions on ransomware gangs.
FTC Enforcement in Data Security
The Federal Trade Commission (FTC) has taken strong enforcement actions against companies that failed to protect personal data, citing violations of the FTC Act. Cases like Blackbaud and Global Tel*Link highlight the FTC's focus on data security and breach notifications. The FTC's efforts aim to hold companies accountable for safeguarding sensitive information and for providing transparency to the public.
Disruption Efforts and Future Challenges
The podcast outlines the Department of Justice's and FBI's disruption efforts against cyber threats like botnets and ransomware. Strategies such as obtaining decryption keys and recovering ransom payments have been used to counter cybercriminal activity. Looking ahead, key issues include software liability, state-level action on data security, and the evolving regulatory landscape for addressing cybersecurity challenges.
There is a lot to keep up with in U.S. cybersecurity law and policy these days. To talk about the current regulatory landscape and the progression of the DOJ’s strategy relating to takedown and disruption efforts, Lawfare Senior Editor Stephanie Pell sat down with Jim Dempsey, Senior Policy Advisor at the Stanford Program on Geopolitics, Technology, and Governance, and John Carlin, Partner at Paul Weiss. They talked about the SEC’s cyber disclosure rule, the new executive order focused on preventing access to Americans’ bulk sensitive personal data, the LockBit and Volt Typhoon disruption efforts, and more.