Can Congress get data security law right?
May 24, 2010 by Steve Hannaford. Posted in: In this week's e-newsletter, Latest News & Views, Regulations & Compliance
A surprising 70% of data security professionals in a recent survey urged the federal government to pass national data security laws. But are the feds up to the task?
The survey, conducted for security audit toolmaker nCircle, talked to 257 experts nationwide.
One of the key reasons for a federal law is that state after state is now passing data collection and breach laws with different provisions, giving national companies an increasingly tangled set of requirements for customer consent, notification and liability when a data breach occurs.
“Security professionals know that allowing private industry to ‘self-regulate’ on security issues hasn’t worked so far,” stated nCircle CEO Abe Kleinfeld, and it’s unlikely to improve without some external stimulus. “A federal data breach law could become a catalyst for increased security investment and awareness for businesses of every size.”
But…
The big problem is passing any meaningful legislation in a U.S. Congress that is riven with partisan strife, powerful interest groups and vast technical ignorance.
The latest attempt at such a bill, the so-called Boucher Bill, drafted by several congressmen from both parties, deals with companies that gather and store information about consumers online. The draft bill has been submitted to get conversation started. Has it ever! The proposal has been strongly attacked by both corporate interests and by consumer groups.
Here’s a sample of the reactions:
- The Direct Marketing Association is going ballistic over requirements that companies obtain a consumer's consent before collecting marketing information about that consumer.
- The Progress and Freedom Association, an industry trade group, claimed that the bill would be the death of the “free” Internet.
- The Electronic Privacy Information Center declared that the law doesn’t do anything but maintain the unsatisfactory status quo.
- Consumer Action is complaining that the privacy provisions of the law are actually far weaker than those already in place for some states, and that the law would limit liability in cases where critical personal information leaks out and harms a consumer.
Companies like Microsoft and Google are holding their fire, “welcoming” the chance to discuss the bill. But you know that they and many others who have built a business on collecting such data have lobbyists lining up to write in exceptions to the already mild provisions of the bill.
Count us as cynical, but even if a law gets passed, it will be so watered-down and filled with loopholes that it will create more problems than it solves.
May 26th, 2010 at 9:27 am
In the US, we have sector-specific regulations, like HIPAA and GLBA. In England and the EU, there are more comprehensive laws such as the Data Protection Act (DPA-1998).
The DPA covers all uses of consumer information, called “personal data”, and maintains that the consumer OWNS information about them. In addition, the DPA specifies a comprehensive and consolidated list of requirements for handling or storing personal data.
All sectors, including universities, banks, hospitals, etc… must adhere to the same set of rules, and must implement similar controls. This makes exchanging information much easier because you have one set of controls to assess, as opposed to various controls and requirements for different types of information (as in the US today, where HIPAA and GLB requirements for medical and financial data, respectively, may be completely different).
Moreover, all members of the EU are required to have laws enacting the DPA, or equivalent to the DPA. The DPA is also the model for most non-EU countries.
Today, for US-based companies to do business with the EU, there is a “Safe Harbour” provision, stating that any US-based company can “self-attest” to DPA controls and practices — obviously not an ideal situation.
If the US were to adopt a version of the DPA, this would greatly simplify the need for sector-specific regulation, interaction with EU countries, and information exchange.
The problem is that credit reporting companies, who make tons of money buying and selling personal information, would be forced out of business, or their business model would have to drastically change. The problem with getting everyone on board with DPA-like laws is that lobbyists and special interest groups have more control over legislation than the voters….