CYBEREYE: Making sense of data protection laws
- By William Jackson
- Apr 28, 2006
Despite election year distractions, it is beginning to look like Congress might pass personal data security legislation this year. Both the public and industry are clamoring for a federal standard for protecting personal data and at least one House bill, the Data Accountability and Trust Act, has made it out of committee.
A rising tide of identity theft and a spate of high-profile cases of stolen or mishandled data by large organizations have raised the profile of the issue over the last two years. At least four more House bills and six Senate bills addressing personal data security are pending in committees.
'We need to get a bill out,' said Chris Voice, chief technology office of Entrust Inc. of Addison, Texas. 'The states are ahead of us on this.'
According to the National Conference of State Legislatures, at least 22 states have passed data protection laws since California passed the first one in 2002, most of them requiring public notification of breaches. So far this year, at least 26 more bills have been introduced in 13 states.
This is a problem, from industry's point of view.
'It's getting increasingly hard to keep track of the laws,' said Phillip Dunkelberger, president and CEO of PGP Corp. and a board member of the Computer Security Industry Alliance. In April the alliance sent a letter to congressional leaders, urging them to get busy and pass a data privacy law.
'We're not picking the legislation, we're just encouraging them to get moving,' Dunkelberger said.
Companies hate having to notify the public about breaches. But now that the notification genie is out of the bottle, companies are eager to exchange the headache of 50 state laws for a single federal law'especially if they can have a say in drafting it.
'We have to get the right bill out,' Voice said.
Industry agrees that the right bill would include a safe harbor protecting companies that take measures to protect their data. They would not have to notify consumers about breaches if the data was properly encrypted, and companies could avoid other liabilities by adopting best practices to secure data.
If a notification requirement is a stick, safe harbor is a carrot.
'This provides a very clear incentive for companies to take proactive steps to protect data,' Voice said.
This is reasonable and fair, if the language of whatever federal bill finally passes does not favor the interests of the companies over the consumer. Consumer and privacy advocates are worried that federal pre-emption will gut stringent state laws.
So here's a suggestion that will make everyone happy: Companies can pre-empt all the laws themselves by just doing the right thing. This includes:
- Collecting only data that is necessary to carry out a business, and purging any unneeded data.
- Inventorying their systems to find out just where that data is held and remove it from places where it doesn't belong, then filtering to control what enters and leaves your network.
- Establishing stringent policies on access to and use of this information and enforcing those policies with data encryption and access controls.
These controls may be neither easy nor cheap, but if they were put in place, it is unlikely a company would have to worry about state or federal privacy laws, and they would go a long way toward improving overall security postures.
Not to mention the money they'd save by not having to lobby Congress on the issue.Willam Jackson is a GCN senior writer. E-mail him at firstname.lastname@example.org.
William Jackson is freelance writer and the author of the CyberEye blog.