Congress fails to pass cybersecurity legislation that would have bolstered energy and transport sector defenses

It should surprise no cybersecurity professional that the U.S. Congress has failed to pass legislation that would have required organizations in critical sectors like energy and transportation to alert the government when they were hit with online incidents.

In a poll of the Washington Post expert group, 93% favored such mandates.

So, businesses in the U.S. should relax, right? Unlike the burdensome GDPR (General Data Protection Regulation) in the EU, organizations in the U.S. don’t need to comply with onerous government cybersecurity regulations.

They can go about their business as they see fit. Cyber criminals only attack big organizations anyway and would never bother with small and medium-sized entities. Right?

Nothing could be further from the truth. Criminal hackers are a real problem for all organizations everywhere. These are the most successful criminals ever. They steal more money than all other threat actors combined.

Just because your organization hasn’t suffered a ransomware attack doesn’t mean there isn’t malware on your system. The attackers may simply be using your information for other purposes. Information is no longer ancillary to your business. It is your business. 

But it isn’t only criminal hackers. U.S. state and federal government are filled with cybersecurity laws. This may come as a surprise to our federal legislators, but every state has a breach notification statute.


Ride-sharing company Uber was sued by the attorney generals of all 50 states and had to pay $148 million in settlement of the claims. You don’t need to ask if you are subject to a U.S. cybersecurity regulation. You are.

It doesn’t stop there. You must think about what you do. Are you in health care? It doesn’t matter if you are treating patients, collecting the bills, or writing software. You are still subject to the HIPAA (Health Insurance Portability and Accountability Act). This law not only has cybersecurity provisions but also reporting and privacy requirements.

Does your organization handle money? Anything from a pawn shop to cryptocurrency are subject to requirements. Everything from the GLBA (Gramm–Leach–Bliley Act) to SEC (Security and Exchange Commission) regulations require organizations that handle finance to have cybersecurity programs in place.

The SEC is also concerned with any “public company” – generally a company that lists its securities. It requires the public company to report a cybersecurity incident, and recently fined two organizations for failing to disclose a cybersecurity weakness.

Does your company bid on DOD contracts? Then it will become subject to the requirements of the CMMC (Cybersecurity Maturity Model Certification). These have been cut back in CMMC version 2.0, but they are still there. Indeed, the requirements are expected to grow beyond DOD suppliers to cover suppliers for any federal or state entity.

Is your organization regulated by your state’s insurance commissioner? Then it might be subject to the NAIC (National Association of Insurance Commissioners) model cybersecurity law as well as the GLBA.

Half of the country’s states have cybersecurity standards. Most of these require reasonable cybersecurity, but two, Massachusetts and New York, have complete lists of requirements.

The new thing is privacy. Are you located or do business in California, Colorado, or Virginia? Then your organization is subject to those states’ privacy laws. Last year, 21 state legislatures introduced privacy laws – a 30% increase on 2020.


January usually starts the season for state legislatures’ sessions, so there will probably be more states added to the tally. This does not include the list of BIPA (Biometric Information Privacy Act) statutes, which are the subject of a lot of litigation. One cost Facebook $650 million.

Last but not least, there is good old common law negligence. This tort works just as well with a cybersecurity breach as it does with a car accident. Like any other cause of action, negligence has elements that must be proved before the case is successful.

The stumbling block for negligence actions in the U.S. has been damages. This is changing. Like product liability before it, courts are finding damages from the fact of a hack, rather than any specific plaintiff out-of-pocket payment. With the extra advantage of the statutory damages in the California law, these types of lawsuits could be especially destructive.

If your organization is relying on the lack of a federal mandate to avoid creating a cybersecurity plan, it’s time you reconsider.

Free PDF download: Cybersecurity 101 – A guide for SMBs

Cybersecurity requires careful coordination of people, processes, systems, networks, and technology. However, many SMBs (small and medium-sized businesses) don’t know where to begin, and are at a disadvantage due to a lack of expertise and resources.

Download Cybersecurity 101 – A guide for SMBs to find out how to get started with the basics of cybersecurity while keeping costs to a minimum.