How do you advise clients to navigate all these new cybersecurity laws that vary by jurisdiction?
The problem is that because the internet is at the very heart of interstate and international trade, such a fractured approach to cybersecurity policy will ultimately lead to companies in all states having to change their policies and processes to satisfy every single law that will exist in every single state in the US. There will eventually be a de facto, or pseudo-national, law that is simply the agglutination of every state law... And, I know for a fact that this will be the case, because it already is the case.
So far, there are no obvious conflicts in the laws of the different states, and we are able to advise our clients on how to construct their ISMS to conform to the synthesized state laws with little added difficulty. However, this will not necessarily always be the case. Conflicts may arise down the road, and keeping up with new laws, amended laws, articles about laws, etc. from each state will eventually get overwhelming.
I think it’s obvious that the Federal government should step in with a standard, complete set of cybersecurity laws and regulations, based on a fair and realistic balancing of economic interests and privacy interests. These Federal laws should be supreme, and completely override all state legislation on the subject matter (the states should not be allowed to supplement). Only then will citizens and companies alike be protected by a clear, well-reasoned cybersecurity approach that isn’t unduly burdensome.
While it is extremely difficult to imagine the current administration enacting legislation that puts even a modest burden on private industry (the President signed an Executive Order requiring two regulations to be revoked for every one enacted as one of his first acts in office), it is equally difficult to imagine that a possible Biden or Warren administration would not push for rather expansive legislation. So when it will happen is still very much up in the air, but I have no doubt that eventually it will happen.
My advice is to start making improvements now based on best practices and respected industry standards such as ISO and NIST, because any enacted law will follow the same principles. In the not-so-long run, it will add value to your business, and being proactive over a period of time won’t shock the system.