"If the U.S. government cannot stop a foreign government from stealing personal records, why should private companies be expected to do so?"
This is the question Brian Finch, partner at Pillsbury Winthrop Shaw Pittman, poses in a recent contributed piece in the Wall Street Journal.
The Office of Personnel Management reported a cyberattack on its computer system in early June, and two weeks later, government officials reported Chinese hackers gained access to employee security clearance information in another attack.
What's more, the hackers involved in the federal agency cyberattack appear to be linked to those who infiltrated the databases of Anthem and Premera Blue Cross earlier this year.
In his piece, Mr. Finch suggests cyberattacks on the private sector originating from other nation-states should not be held to the same degree of scrutiny.
"Congress should use the OPM cyberattack as a justification to limit the private sector's legal responsibility when it suffers a cyberattack from a foreign power or its cronies," he writes.
This shift, Mr. Finch says, would not require a massive shift in legislation; rather, it would only need some minor adjustments to bills floating in Congress.
Mr. Finch suggests Congress does not impose data breach penalties if a breach investigation reveals a foreign nation-state or hacker group supported by the nation-state is connected with the breach. He suggests this be applied to both state and federal laws. "The suspension of those penalties is justified by the aforementioned reality that no private company can stop a foreign nation-state's cyberattack. As a matter of public policy, Congress should not allow companies to be financially penalized for simply being the victim of such an attack," Mr. Finch wrote.
Additionally, Mr. Finch suggests modifying requirements for private companies bringing tort lawsuits. He writes that while tort lawsuits against private companies who have been attacked by foreign governments should still be allowed, those lawsuits should be entitled to be dismissed so long as the private company did not commit fraud, willful misconduct or gross negligence when implementing cybersecurity programs.
Finally, Mr. Finch says the U.S. government should maintain a list of state-sponsored or supported hacker groups. If one of these groups is discovered to have committed an attack, the master list would trigger penalty suspensions and/or tort limitations, he writes.
"Protecting Americans from enemies foreign or domestic represents the most fundamental obligation of the U.S. government. In today's world, that obligation extends to the digital domain, not just the physical world," Mr. Finch writes. "Penalizing American businesses for having been attacked by foreign powers is entirely antithetical to that basic mission, and so Congress and the president should step up and change the law to avoid that perverse outcome."
More articles on cyberattacks:
7 things to know about the anatomy of a cyberattack
Cybersecurity Information Sharing Act to be paired with defense bill: 6 things to know
50 things to know about healthcare data security & privacy