Potential US data security law causes concern

Experts say any attempt by the US Congress to prescribe data security procedures in legislation would be a disaster.

High-profile data security breaches make headlines. That means that in an election year you can expect to see plenty of politicians proposing data security legislation. The last time headlines spurred legislation aimed at regulating a business crisis, CIOs found themselves spending millions on Sarbanes-Oxley compliance.

Every day it seems the media reveals another new nightmare. A data tape is stolen from a truck. A hard drive is stolen from an office. In May, thieves stole a laptop from the Maryland home of an analyst with the US Department of Veterans Affairs. Although officials claimed the laptop had been recovered and they were confident no data was compromised, the theft still put 26.5 million veterans and current military members at risk of identity theft.

Washington, we have a problem.

Data security breaches have exposed nearly 88.8 million records containing information that could be used for identity theft since February 2005, according to the Privacy Rights Clearinghouse, a US non-profit consumer rights organisation.

The US Congress has proposed about a dozen bills to address the issue, including last week's announcement of the Data Security Act of 2006, sponsored by Sens. Robert Bennett (R-Utah) and Thomas Carper (D-Del.). All this rhetoric and gavel-pounding in the Capitol building should justifiably make midmarket CIOs and security executives nervous. Could a political response to this slew of data breaches lead to another compliance spending spree along the lines of Sarbanes-Oxley?

"Congress has a track record of passing laws that create an enormous amount of work and expense for companies," said Philip Marzullo, senior vice president and CIO at Folksamerica Reinsurance based in New York.

Marzullo said that while he knows data security breaches are serious, he is concerned more legislation will result in increased IT spending and resources with little payback in terms of fixing the original problem.

"It seems that all conversations between CIOs today are dominated by discussion about security and compliance and very little about implementing applications and systems. It's a sad state of affairs."

Khalid Kark, senior analyst at Forrester Research Inc., agrees.

"If it is legislation or a mandate that every company has to strictly follow, I see it being a huge financial drain for companies," he said.

Large companies typically have strong data security investments already in place. Legislative mandates will probably not pose a serious financial hit for them.

"The companies that suffer are the medium-sized companies who don't have big security budgets," Kark said. "I've come across a couple medium-sized companies that have consciously decided not to do business in the U.S. because of the cost of compliance with federal mandates."

Kark said any legislation that is passed should provide guidelines on how to respond to data security breaches and should set rules for when and how to notify people who are put at risk by breaches.

But attempts by legislators to set requirements for the technical implementation of data security would be too onerous and complicated.

"If they were to pass legislation in response to high-profile data breaches it should be simple, much like the California Database Protection Act, which simply requires companies to notify affected customers in a timely manner when data is stolen or compromised," Marzullo said.

Avivah Litan, vice president and research director at research firm Gartner, recently testified about data security in front of the US House Committee on Veterans' Affairs. With 33 US states having their own laws on data security, Litan said it makes sense to have an overriding federal law that sets standards for disclosing data breaches.

"I think the disclosure laws need to be standardized," Litan said. "I don't think Congress should prescribe technology and procedural rules. If Congress gets involved in technology it's a recipe for disaster because technology changes so quickly."

Litan said legislation should empower an agency such as the Federal Trade Commission with the power to set thresholds on risk and disclosure.

"Legislation should prescribe how they disclose and when they disclose," she said. "It would be monitored by the FTC, so they [companies] know someone is watching. And if they do not disclose properly, they would be fined appropriately."

Standards for disclosure would help improve security, Litan said, since companies forced to disclose breaches would spend millions of dollars to make sure it doesn't happen again.

However, Litan doubts Congress will pass anything more than a diluted and ineffective bill.

"The financial services lobby has so much influence that the resulting law might be a step down from what we have right now," Litan said. "Otherwise, why wouldn't [Congress] have passed something already? If they took it seriously, they would have done something last year. They're really not doing their job to protect consumers and business interests by shirking on this issue."

Abe Kleinfield, CEO of San Francisco-based network security and risk management firm nCircle Security Inc., agreed that Congress should avoid prescribing data security methods. But he did say Congress needs to pass legislation that helps companies measure the effectiveness of their data security efforts.

"Security, there is no return on investment to it," Kleinfield said. "It doesn't increase revenue or decrease costs. It increases cost. Because you don't have a good way to consistently measure [security], most people don't know what to spend their money on. A lot of money gets spent on ineffective things."

Shamus McGillicuddy, News Writer

This article originally appeared on SearchCIO.com.