Cybersecurity has never been more important. The proliferation of digital services and connected devices, and the concomitant spread of personal information, has generated tremendous benefits for consumers and the economy. However, it has also fed a growing body of hackers and criminal enterprises who seek to profit by exploiting cybersecurity vulnerabilities in either the storage or transmission of sensitive data. Moreover, given our increasing reliance on digital technologies and services, even mere human error in cybersecurity practices can now cost real human lives.
While market forces can discipline cybersecurity practices to some degree, government regulation will likely still be necessary to ensure that certain areas, like emergency services, maintain adequate cybersecurity. Additionally, given the complex nature of cybersecurity and the difficulties many consumers have in understanding how to value security against other factors — like privacy, convenience and cost — the impact of market forces may be limited in this area, and government regulation may be necessary in order to protect consumers or competition from harmful practices, at least until the nascent cyber-insurance industry gets off the ground.
Of course, the cybersecurity practices maintained by the U.S. government are vitally important today, both in the context of data breaches and cyberattacks. However, the present study focuses on practices currently employed in the private sector, such as those maintained by broadband providers, websites, applications and other private actors in the internet ecosystem. Such commercial cybersecurity practices are overseen by the Federal Trade Commission (FTC), sometimes in coordination with sector-specific agencies like the Securities and Exchange Commission (SEC), the Department of Health and Human Services (HHS) and the Federal Communications Commission (FCC). While the FTC’s coordination with the SEC and HHS is generally well-defined, coordination between the FTC and FCC has been rendered murky by jurisdictional turf wars and shifting responsibilities between the two agencies.
The FTC is a general-purpose competition and consumer-protection agency, with broad jurisdiction, flexible legal standards, multiple enforcement tools and substantial experience regulating commercial cybersecurity practices. By contrast, the FCC is a sector-specific agency charged with regulating the communications industry. Compared to the FTC, the FCC’s jurisdiction is more limited, as are its enforcement tools, but it has more experience regulating cybersecurity in certain areas, and it has the authority to supplement its flexible legal standards with more specific rules. On balance, the FTC is better suited to regulate commercial cybersecurity practices, and ideally it would handle as much of that task as possible. However, given the overlap between the scope and expertise of the two agencies, the FCC also has a key role to play. For this reason, it is of the utmost importance for these roles to be clearly defined and for each agency to know precisely what responsibilities it has in order to avoid regulatory conflicts.
There are multiple options for how roles and responsibilities for commercial cybersecurity regulation could be divided between the FTC and FCC. For example, responsibilities could be divided based upon whether the data in question is “at rest” or “in transit.” Alternatively, the FCC could regulate the cybersecurity of all “common carriers,” while the FTC regulates everyone else. However, the most logical division of responsibilities is for the FCC to regulate the cybersecurity of all “common-carrier services,” including emergency services, while the FTC regulates all other commercial cybersecurity practices. This division could be achieved within existing law, but it may be advisable for Congress to step in and cement these roles via legislation.