Small businesses can struggle with the vagueness of “reasonable protection” requirements that Federal laws and regulations establish for personal data, according to experts who testified Wednesday at a House Small Business Committee hearing.
“Reasonableness is shifting all the time, and it’s hard to tell when you’re a small business where the bar has moved to,” said Charles Rowe, president and CEO of America’s Small Business Development Centers. “The problem is that bar keeps shifting as technology changes.”
Rep. Nydia Velázquez, D-N.Y., said that while 60 percent of all targeted cyberattacks strike small businesses, only about 31 percent of those businesses take active measures to prevent such attacks, largely because the business owner is personally responsible for cybersecurity.
“While they may never make headlines, the majority of attacks target small and midsized companies,” said Maureen Ohlhausen, acting chairman of the Federal Trade Commission. She added that laws like the Children’s Online Privacy Protection Rule, Fair Credit Reporting Act, Federal Trade Commission Act, and Gramm-Leach-Bliley Act address the reasonable security requirements for a variety of industries.
“The core requirement under each of these laws is that companies maintain reasonable security,” said Ohlhausen. “The commission has made clear that it does not require perfect security, that there is no one-size-fits-all data security program, and that the mere fact that a breach occurred does not mean that a company has violated the law.”
Rowe, however, expressed concern that the larger and more technologically adept businesses may drive what is reasonable in the industry.
“On the commercial side, large businesses are going to place growing demands on their small business suppliers,” said Rowe. “We know that small businesses can be a back door. Does that mean the rules will be set by the biggest firms at the expense of the small firms?”
Rep. Stephanie Murphy, D-Fla., was also concerned that evolving cybersecurity requirements may edge out smaller firms in competition for Federal contracts in favor of bigger companies with wider capabilities.
“The hardest thing any of them have facing them is just knowledge of the Federal Register,” Rowe responded, explaining that the biggest companies can hire professionals to understand and respond to the full scope of regulatory changes. “To date, it hasn’t really become horrible.”
Rowe noted that challenges arise when small businesses try to work with multiple agencies and must fulfill disparate and uncoordinated cybersecurity requirements for the same service.
“I think that there needs to be an interagency coordinating committee for cybersecurity,” Rowe said.
