High-profile data security breaches make headlines. That means that
in an election year you can expect to see plenty of politicians
proposing data security legislation. The last time headlines
spurred legislation aimed at regulating a business crisis, CIOs
found themselves spending millions on Sarbanes-Oxley compliance.
Every day it seems the media reveals another new nightmare. A
data tape is stolen from a truck. A hard drive is stolen from an
office. In May, thieves stole a laptop from the Maryland home of an
analyst with the US Department of Veterans Affairs. Although
officials claimed the laptop had been recovered and they were
confident no data was compromised, the theft still put 26.5 million
veterans and current military members at risk of identity
theft.
Washington, we have a problem.
Data security breaches have exposed nearly 88.8 million records
containing information that could be used for identity theft since
February 2005, according to the Privacy Rights Clearinghouse, a US
non-profit consumer rights organisation.
The US Congress has proposed about a dozen bills to address the
issue, including last week's announcement of the Data Security Act
of 2006, sponsored by Sens. Robert Bennett (R-Utah) and Thomas
Carper (D-Del.). All this rhetoric and gavel-pounding in the
Capitol building should justifiably make midmarket CIOs and
security executives nervous. Could a political response to this
slew of data breaches lead to another compliance spending spree
along the lines of
Sarbanes-Oxley?
"Congress has a track record of passing laws that create an
enormous amount of work and expense for companies," said Philip
Marzullo, senior vice president and CIO at Folksamerica Reinsurance
based in New York.
Marzullo said that while he knows data security breaches are
serious, he is concerned more legislation will result in increased
IT spending and resources with little payback in terms of fixing
the original problem.
"It seems that all conversations between CIOs today are
dominated by discussion about security and compliance and very
little about implementing applications and systems. It's a sad
state of affairs."
Khalid Kark, senior analyst at Forrester Research Inc.,
agrees.
"If it is legislation or a mandate that every company has to
strictly follow, I see it being a huge financial drain for
companies," he said.
Large companies typically have strong data security investments
already in place. Legislative mandates will probably not pose a
serious financial hit for them.
"The companies that suffer are the medium-sized companies who
don't have big security budgets," Kark said. "I've come across a
couple of medium-sized companies that have consciously decided not to
do business in the U.S. because of the cost of compliance with
federal mandates."
Kark said any legislation that is passed should provide
guidelines on how to respond to data security breaches and should
set rules for when and how to notify people who are put at risk by
breaches.
But any attempt by legislators to dictate how data security is
implemented technically would, he said, be too onerous and
complicated to comply with.
"If they were to pass legislation in response to high-profile
data breaches it should be simple, much like the California
Database Protection Act, which simply requires companies to notify
affected customers in a timely manner when data is stolen or
compromised," Marzullo said.
Avivah Litan, vice president and research director at research
firm Gartner, recently testified about data security in front of
the US House Committee on Veterans' Affairs. With 33 US states
having their own laws on data security, Litan said it makes sense
to have an overriding federal law that sets standards for
disclosing data breaches.
"I think the disclosure laws need to be standardized," Litan
said. "I don't think Congress should prescribe technology and
procedural rules. If Congress gets involved in technology it's a
recipe for disaster because technology changes so quickly."
Litan said legislation should give an agency such as the Federal
Trade Commission the authority to set thresholds on risk and
disclosure.
"Legislation should prescribe how they disclose and when they
disclose," she said. "It would be monitored by the FTC, so they
[companies] know someone is watching. And if they do not disclose
properly, they would be fined appropriately."
Standards for disclosure would help improve security, Litan
said, since companies forced to disclose breaches would spend
millions of dollars to make sure it doesn't happen again.
However, Litan doubts Congress will pass anything more than a
diluted and ineffective bill.
"The financial services lobby has so much influence that the
resulting law might be a step down from what we have right now,"
Litan said. "Otherwise, why wouldn't [Congress] have passed
something already. If they took it seriously, they would have done
something last year. They're really not doing their job to protect
consumers and business interests by shirking on this issue."
Abe Kleinfield, CEO of San Francisco-based network security and
risk management firm nCircle Security Inc., agreed that Congress
should avoid prescribing data security methods. But he did say
Congress needs to pass legislation that helps companies measure the
effectiveness of their data security efforts.
"Security, there is no return on investment to it," Kleinfield
said. "It doesn't increase revenue or decrease costs. It increases
cost. Because you don't have a good way to consistently measure
[security], most people don't know what to spend their money on. A
lot of money gets spent on ineffective things."
Let us know what you think about the story; e-mail:
Shamus McGillicuddy, News Writer
This article originally appeared on SearchCIO.com.