From: Charged Affairs
A single agency may help with coordination, but the major focus should be on the regulations and what the government is empowered to enforce. The state of New York is implementing a new set of cybersecurity regulations for major financial entities regulated by the Department of Financial Services. Compliance includes requirements for the appointment of a security officer responsible for data protection and the creation of a cybersecurity program. The problem is that the penalties for violating the law are unclear. The European Union (E.U.) has implemented the General Data Protection Regulation (GDPR), imposing privacy regulations on companies that seek to do business with E.U. citizens or whose activities cover them. Most importantly, penalties are strict, with fines of up to four percent of global annual revenue.
The policies above should serve as a basic framework for a U.S. federal policy. While details of who exactly should be covered must be decided, at a minimum, entities involved in critical infrastructure or defense, and entities that handle financial, medical, or other private data, should all fall under the umbrella. Most importantly, strict penalties for non-compliance must be clear and enforced. The damage that failures in basic cybersecurity can cause warrants financial and criminal penalties that are both severe and enforceable.