Stuart M. Gerson, Member of the Firm in the Litigation and Health Care & Life Sciences practices, in the firm’s Washington, DC, and New York offices, was quoted in Inside Cybersecurity, in “Mueller Report Prompts Renewed Calls from Privacy Advocates for Security ‘Incentives,’” by Mariam Baksh.
Following is an excerpt:
Privacy advocates are citing last week’s release of the Mueller report as the latest example of a lack of incentives for protecting data, while the policy implications of the report remain uncertain as the federal government struggles with whether and how to regulate cybersecurity. …
A Trump administration proposal for governing data privacy and security has identified the Federal Trade Commission as the lead regulatory agency for protecting consumer data. Advocates for such plans are calling for new FTC authority in issuing rules and fines to more clearly define private-sector expectations for protecting data from threats foreign and domestic.
But some stakeholders are pushing back, arguing the administration appears “schizophrenic” in its approach to data security and privacy.
While declining to comment directly on the Mueller report, Stuart Gerson of the law firm Epstein, Becker and Green said the push for a punitive approach by giving the FTC more power goes against efforts by the Department of Justice to have companies share information voluntarily with the government to thwart nation-state aggressors. That dichotomy in views was on display, Gerson said, at a recent event at the American Enterprise Institute where Peter Winn, DOJ’s director of the Office of Privacy and Civil Liberties, and Republican FTC Commissioner Christine Wilson spoke.
“The comments of Pete Winn understood national security interests and weren’t nearly the same as Commissioner Wilson’s,” Gerson said. “Everybody was very cordial about the whole thing, but the approach of DOJ is very different from that of the FTC. So when I talk about schizophrenia, that’s one example of it.”
Gerson said the Cybersecurity Act of 2015, or CISA, did not do enough to provide liability protections for companies who share information on threats and vulnerabilities with the government.
“The CISA law doesn’t address a whole lot of things,” he told Inside Cybersecurity. “It doesn’t deal with ultimate liability concerns. It deals with some but not all, and certainly the reaction in the private sector is that it didn’t do anywhere near enough to create the trust relationships that ought to be required.”