52 Pages Posted: 28 Aug 2018 Last revised: 24 Apr 2019
Date Written: August 19, 2018
Cyberattacks present existential challenges for U.S. national security and economic interests, yet Congress has failed to adopt a comprehensive regulatory framework to secure private-sector information and systems. To fill that gap, state legislatures have passed many laws that regulate data security, data breaches, and protection of personal data. The requirements of these laws vary significantly, are outdated, and sometimes conflict. This Article explains why this state-centric approach to cybersecurity is inadequate. First, the Article examines the Framers’ desire for a uniform approach to commercial regulations, and explains how the U.S. approach is scattered, outdated, and decentralized. A comprehensive federal cybersecurity statute would help to realize the Framers’ vision. Second, the Article asserts that, given this prudential argument, the state approach to cybersecurity and data protection regulations may be unconstitutional under the Dormant Commerce Clause, which prohibits state laws that unduly burden interstate commerce or impose inconsistent regulations.
Keywords: cybersecurity, regulation, federalism, privacy, data protection
Suggested Citation: Suggested Citation