Cybersecurity and Privacy Laws and Regulations Shouldn’t Be Punitive

Cybersecurity and privacy laws and regulations are necessary to deter negligence and protect national economies. However, it is high time we shifted from punishment to enablement.

In a recent conversation with a colleague, a question about the punitive nature of cybersecurity and privacy laws and regulations came up. His question, “Shouldn’t federal and local governments be subject to the same cybersecurity regulations they make when they suffer a cyber incident?” For a moment, I paused to wrap my head around the response to give. As a proponent of appropriate legislation to ensure businesses maintain the right security controls, I could not but agree with his view. Afterall, in 2022, globally, governments experienced the highest number of data breaches.

It is the time of the year for governments to pass new laws and regulations which require businesses to implement adequate cybersecurity and privacy controls to protect systems and customer data. In the United States, at the federal level, a suite of new regulations is beginning to roll out. At the state level, four states, Colorado, Connecticut, Utah and Virgina, join California to enact data protection statuses. According to the National Conference of State Legislatures, in 2022, at least 40 states introduced more than 250 cybersecurity bills or…