Last updated: 21 March 2014
Our lives are increasingly online, making work and play more convenient and efficient. At the same time, the attacks on our computers and networks continue to increase.
It seems like every day we read of a new data breach that has put personal identity information and corporate data in the hands of criminals. Most recently, Diginotar was compromised, opening up a whole new debate on online trust. The Sony breach, where the personal data of 77 million consumers was compromised is another example of data breaches happening on almost a daily basis that affect millions of people.
This hasn’t gone unnoticed in Congress, where online privacy and security are the focus of several new bills. In September, three bills were approved, by Senators Dianne Feinstein, Richard Blumenthal and Chairman Patrick Leahy. What are the bills? Here are the facts:
The Data Breach Notification Act, from Feinstein, would require that companies holding data that is sensitive and personally identifiable to disclose any breaches. Businesses that would fall under the bill are federal agencies and businesses that “engage in interstate commerce.”
The Personal Data Protection and Breach Accountability Act, from Blumenthal, would attempt to stop breaches before they happen. A process would be set to help companies implement appropriate security standards to keep private data safe. The Act would also require companies to notify those compromised in a data breach.
The Personal Data Privacy and Security Act, from Leahy, would also set standards for companies to report data breaches. Like Blumenthal’s bill, Leahy’s would require businesses to implement data privacy and security procedures to protect data and individuals. Also, concealing a data breach would be a crime with serious penalties under this legislation.
One of the most important aspects of all three of these bills is that they will require companies nationwide to notify individuals when their data is breached. This is an important change from the extremely varied reporting requirements within each state in the United States.
The second important thing to note is that Senators Leahy and Blumenthal both recognize that data breaches can be prevented by implementing sound security practices. As quoted by Blumenthal in the New York Times: “The goal of the proposed law is essentially to hold accountable the companies and entities that store personal information and personal data and to deter data breaches. While looking at past data breaches, I’ve been struck with how many are preventable.”
Overall it looks like Congress is on the right track: make data breaches preventable first, and then make organizations more accountable for any loss of data. This brings together two very fundamental aspects of security – having the right technology (like strong identities) and an appropriate level of focus on the companies’ security policies and practice. There is additional action that companies can take to avoid data breaches and you would like to think that the carrot would be preferred to the stick, but in the case of IT security it seems the stick – in the form of legislation – will be the way forward.