US group calls for IT security breach notification law

A group of security vendors is calling on Congress to pass a law that emphasises encryption and the public disclosure of security breaches.

The Cyber Security Industry Alliance (CSIA), a lobbying group made up of a number of security vendors, is pressing US legislators to pass a law governing disclosure in the event of a data security breach.

In the CSIA's annual report, the group criticised US legislators for failing to pass a comprehensive data security law in 2006 requiring companies with data breaches to notify victims.

Currently 35 states require companies to publicly disclose security breaches involving personal information, such as credit card data and Social Security numbers. The group said it is too time-consuming and costly for businesses to comply with the different laws.

The group is calling for a law that emphasises encryption and promotes higher security standards that could reduce the number of data breaches. The group said the law would apply equally to all government agencies and businesses that collect and maintain personal information of consumers.

Cyber Security Industry Alliance:
Flurry of state disclosure laws creates confusion for CISOs: Now that nearly three dozen states have enacted breach disclosure laws, national companies face the challenge of reconciling a vast array of guidelines and their implications.

Group gives government low marks on data protection: The Cyber Security Industry Alliance, a lobbying group of security vendors, gives the federal government and Congress a D-grade for securing sensitive information.

Heavyweight CEOs align on security: A dozen security hardware, software and services vendors announced their union at RSA Conference '04. The Cyber Security Industry Alliance (CSIA) is a formidable conglomerate of the CEOs of 12 security heavyweights, including Symantec and CA.

A number of highly publicized data breaches have made the news in recent months, including the largest ever recorded, which took place at retailer TJX. Last year a laptop containing the names, Social Security numbers and dates of birth of up to 26.5 million military veterans and some spouses was stolen from an official at the Department of Veterans Affairs. Several other agencies reported similar incidents of stolen laptops containing sensitive data.

The top cybersecurity job at the Department of Homeland Security (DHS) also sat vacant for more than a year until Gregory Garcia took the post in the fall.

The group's annual report also identified other specific actions for Congress to focus on for improving information security. The group is lobbying to toughen the Federal Information Security Management Act (FISMA), to strengthen enforcement and require government contractors to comply with the requirements. The group also said a dedicated system should be set up within the Department of Homeland Security that can monitor the communication infrastructure in the event of a major attack or disruption.

Members of the CSIA include Application Security, Inc.; Bharosa Inc.; BSI Management Systems; Crossroads Systems, Inc.; Entrust, Inc.; F-Secure Corp.; IBM Internet Security Systems Inc.; iPass Inc.; MXI Security; PGP Corporation; Qualys, Inc.; RSA, a division of EMC; Secure Computing Corp.; Surety, Inc.; SurfControl; TechGuard Security; Vontu, Inc.; Symantec Corp.; and CA Inc.
