In the CSIA's annual report, the group criticised US legislators for failing to pass a comprehensive data security law in 2006 that would require companies suffering data breaches to notify victims.
Currently, 35 states require companies to publicly disclose security breaches involving personal information, such as credit card data and Social Security numbers. The group said it is too time-consuming and costly for businesses to comply with the differing state laws.
The group is calling for a law that emphasises encryption and promotes higher security standards that could reduce the number of data breaches. The group said the law would apply equally to all government agencies and businesses that collect and maintain personal information of consumers.
A number of highly publicized data breaches have made the news in recent months, including the largest ever recorded, which took place at retailer TJX. Last year, a laptop containing the names, Social Security numbers and dates of birth of up to 26.5 million military veterans and some spouses was stolen from an official at the Department of Veterans Affairs. Several other agencies reported similar incidents of stolen laptops containing sensitive data.
The top cybersecurity job at the Department of Homeland Security (DHS) also sat vacant for more than a year until Gregory Garcia took the post in the fall.
The group's annual report also identified other specific actions for Congress to focus on for improving information security. The group is lobbying to toughen the Federal Information Security Management Act (FISMA), to strengthen enforcement and require government contractors to comply with the requirements. The group also said a dedicated system should be set up within the Department of Homeland Security that can monitor the communication infrastructure in the event of a major attack or disruption.
Members of the CSIA include Application Security, Inc.; Bharosa Inc.; BSI Management Systems; Crossroads Systems, Inc.; Entrust, Inc.; F-Secure Corp.; IBM Internet Security Systems Inc.; iPass Inc.; MXI Security; PGP Corporation; Qualys, Inc.; RSA, a division of EMC; Secure Computing Corp.; Surety, Inc.; SurfControl; TechGuard Security; Vontu, Inc.; Symantec Corp.; and CA Inc.