This June, six years after the European Union enacted the General Data Protection Regulation (GDPR), U.S. Senator Roger Wicker of the Senate Committee on Commerce, Science, and Transportation and U.S. Representatives from the House Committee on Energy and Commerce finally released a draft bill for a national data privacy and data security framework.
This bipartisan and bicameral proposal for a federal data privacy law came three months after the director of the FBI, Christopher Wray, announced that the FBI was actively seeking collaboration with the private sector to combat cyberattacks that cost U.S. organizations at least $602 million in cryptocurrency last year alone.
The FBI has already deepened its relationship with state and local law enforcement through its Joint Terrorism Task Forces and is now targeting private businesses and institutional entities to protect national security, economic security, and public health and safety.
The biggest difference between the model the FBI built to combat terrorism after 9/11 (and we all know how that changed our lives) and the way they approach cyber threats is the imposed collaboration with the private sector, on whose acceptance of the FBI’s authority their entire strategy rests.
Right now, I can identify at least two main obstacles to the FBI’s cyber strategy. The first is the focus on the foreign threat from the historic enemy countries of the U.S. (China, Russia, the Middle East – why not just call it the “Eastern threat”?), which excludes good patriotic hackers who keep dollars in the U.S. as well as small cyber criminals who can still cost your company millions of industry dollars.
And the second obstacle is the most obvious: the reluctance of the private sector to report cyber attacks and deal with the FBI. There are many reasons for this, which I will try to break down.
Why Don’t Companies Report Cybercrime To Law Enforcement?
I’ve heard from many clients and partners that the legal environment is becoming (or has become?) an adversary in itself. I also know that law enforcement agencies estimate that the number of unreported cybercrimes by companies is in the millions, which means they don’t know the exact proportions of cyber threats.
According to the CyberEdge 2022 Cyberthreat Defense Report (CDR), more than 80% of UK businesses experienced a successful attack in 2021/2022, with the average cost of ransomware attacks being $1.08 million.
In the U.S., a record 47 percent of Americans were victims of financial identity theft in 2020, according to Aite-Novarica Group. Currently, approximately 4,000 cybercrime attacks occur in the U.S. every day.
The 2021 Cost of a Data Breach Report, a global study sponsored by IBM Security and conducted by the Ponemon Institute, found that the average cost of data breaches increased from $3.86 million in 2020 to $4.24 million in 2021.
At the same time, the UK imposed fines of 44 million euros under the GDPR. And Amazon received a fine of 746 million euros (i.e., about $831 million) in response to violations of the GDPR, according to the company’s June 30, 2021, SEC report.
That alone answers some questions about reporting to law enforcement. However, companies are only legally required to report security incidents such as data breaches to regulators.
Companies in the United Kingdom, for example, are legally required under the GDPR to notify the Information Commissioner’s Office (ICO) when a breach of customer or employee personal data occurs. Similar obligations exist under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the US or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
But there is no such restriction on reporting cybercrime to law enforcement, which has led authorities in both the United Kingdom and the United States to warn of a massive, multibillion-dollar gap between the number of actual incidents and reported cybercrime.
A key reason for this discrepancy is that identifying threat actors, especially when the attacks come from abroad, is extremely difficult. Although the FBI’s Recovery Asset Team (RAT) says it has a high asset recovery rate, recovering money can be arduous if action is not taken quickly.
So Where Does That Leave Hacked Companies?
Most companies believe that the incident does not justify the time and expense of involving law enforcement and would be better handled internally. Some companies are concerned that bringing in law enforcement could further disrupt business operations while they investigate the incident.
And if it’s a major data breach with significant public impact, the company does not want to face many inquiries from the FBI when it really just wants to focus on fixing the incident internally and meeting its legal obligations externally. Not to mention the threat of expensive fines for violating numerous data regulations.
Furthermore, because recovering the stolen money or information takes precedence over imprisoning the perpetrator, companies may wish to litigate the matter in the civil courts rather than the criminal courts. Companies can bring civil and criminal claims in parallel, but the courts will usually give priority to the criminal claims, and the criminal case must be completed before a company can attempt to recover the stolen money.
Another reason companies do not report is concern that an incident will make the headlines and they will lose the trust of both their clients and their partners.
And so my experience has shown that the best remedy is to invest in your data protection and cybersecurity rather than hoping that you will not end up in the statistics. Remember, half of Americans show up in cybercrime statistics, and that is only the half that reported cyberattacks.
In the next article, I will take a closer look at the new draft of the U.S. Data Privacy and Protection Act and compare it to existing data laws in the U.S. and the EU. That’s because part of the GDPR applies to US companies whose employees log in from the EU.
Tricky, I know.
Come to rescue at TLIC Worldwide, Inc.