
The Efficacy of Cybersecurity Regulation

David Thaw

University of Pittsburgh - School of Law; University of Pittsburgh - School of Information Sciences; Yale University - Information Society Project

October 4, 2013

Georgia State University Law Review, Vol. 30, 2014

Cybersecurity regulation presents an interesting quandary where, because private entities possess the best information about threats and defenses, legislatures do – and should – deliberately encode regulatory capture into the rulemaking process. This relatively uncommon approach to administrative law, which I describe as Management-Based Regulatory Delegation, involves the combination of two legislative approaches to engaging private entities' expertise. This Article explores the wisdom of those choices by comparing the efficacy of such private sector engaged regulation with that of a more traditional, directive mode of regulating cybersecurity adopted by the state legislatures. My analysis suggests that a blend of these two modes of regulating is superior to either method alone.

Federal regulation of cybersecurity through HIPAA, Gramm-Leach-Bliley, and the Federal Trade Commission's enforcement heavily involves private organizations subject to the regulation in the establishment of the actual practices and standards to which those organizations are held. By contrast, the state cybersecurity laws – a form of disclosure-based regulation that de facto achieves directive regulation – detail specific standards developed without industry input.

This Article compares the efficacy of those two modes of regulating using a mixed-methods empirical approach. Qualitative data based on interviews with Chief Information Security Officers (CISOs) at leading multinational corporations details the practical effects of how regulation drives cybersecurity practices. Analysis of quantitative data describing security breach incidents reveals that a blend of the two types of regulation is substantially more effective at preventing such incidents than is either method alone. These results provide insight into ways to mitigate the risks of deliberate regulatory capture while still leveraging the unique knowledge private entities have about which cybersecurity threats and defenses are most salient.

Number of Pages in PDF File: 73

Keywords: cybersecurity, regulation, regulatory capture, information security, hybrid rulemaking, regulatory delegation

Date posted: March 31, 2013 ; Last revised: October 5, 2013

Suggested Citation

Thaw, David, The Efficacy of Cybersecurity Regulation (October 4, 2013). Georgia State University Law Review, Vol. 30, 2014. Available at SSRN: http://ssrn.com/abstract=2241838 or http://dx.doi.org/10.2139/ssrn.2241838

Contact Information

David Thaw (Contact Author)

University of Pittsburgh - School of Law
3900 Forbes Ave.
Pittsburgh, PA 15260
United States
HOME PAGE: http://www.davidthaw.com

University of Pittsburgh - School of Information Sciences
Pittsburgh, PA 15260
United States

Yale University - Information Society Project
P.O. Box 208215
New Haven, CT 06520-8215
United States

Footnotes: 185
