Senator to Businesses: Protect Data or Pay
Senator Richard Blumenthal, D-CT, says his newly-introduced legislation, the Personal Data Protection and Breach Accountability Act of 2011 will protect individuals' personally identifiable information from data theft and penalize firms that don't adequately secure their customers' information. Naturally, there are skeptics.
The bill would establish " appropriate minimum security plans" for businesses with 10,000 or more customers to safeguard their customer information and hold those businesses accountable through fines should they fail to meet those standards. The bill also calls for more public/private information sharing.
"My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur," Blumenthal said in a statement.
The security analysts we interviewed questioned whether the bill would be successful at reaching those goals. It's not the first time they've expressed skepticism over federal data protection legislation.
"Philosophically, companies ought to be doing this already," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "The devil is in the details with these laws. But there are a number of questions here. We've had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Second, these companies are already victims in these attacks, so why are we penalizing them after a breach? I think that's because it's easier to issue fines than it is to track down the criminals and go after them."
John Pescatore, security analyst and VP at research firm Gartner, agrees that the law would be redundant with many of the existing laws on the books, and adds that the existing costs associated with disclosure already exceeds the financial penalties in the bill. "Also, the Federal Trade Commission already seems to do a good job of punishing privacy violators -- and it doesn't seem to need yet another law," he says.
Pete Lindstrom, research director at Spire Security, questions whether the government can effectively legislate security standards. "Everyone has their own definition of what it means to be secure, and what these bills do not allow is organizations to apply common sense, or their own discretion, at mitigating risk," he says.
George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter at @georgevhulme discussing security and business topics.
Read more about pci and compliance in CSOonline's PCI and Compliance section.