More Legislation? Hmmm.
Posted in National and State Privacy/Security Law on September 13th, 2011 by Paul
Senator Richard Blumenthal, D-Conn, introduced new legislation aimed at preventing data breaches. The proposed legislation includes a federal requirement to notify customers in the event of a breach (something most states have required for years) and a requirement that companies provide two years of credit monitoring service. There are also fines and program requirements covering regular testing of controls and protection of stored information.
SC Magazine Article: New Senate Bill Aims To Prevent, Deter Data Breaches
Here are just a few issues with this:
1. We’re assuming the federal government can successfully stitch together the existing state privacy and security requirements into something that actually helps businesses. I’m not sure our federal government can tie a pair of shoes without creating extensive knots.
2. While requiring secure storage of sensitive information is certainly a valid idea, it doesn’t do a bit of good when that same information is readily copied to flash drives, laptops and other removable media. Regaining focus on “least privilege” (limiting who can read sensitive data in the first place) and reducing the ability to copy data to media that is easily lost or stolen is at least as important as storing data securely on servers.
3. The alphabet soup of security/privacy legislation and compliance is mind boggling. Personally Identifiable Information (PII) is defined differently depending on which piece of legislation or industry standard you’re applying: PCI-DSS, HIPAA/HITECH, FERPA, GLB, SOX, state legislation, etc. How about one definition to rule them all?
I’m encouraged that the government takes privacy and security seriously, but as is too often the case, federal legislation is based on knee-jerk reactions to events and creates such complexity that security and privacy are seldom improved. I don’t disagree with the attempt; I’m just wary of another set of regulations that may add complexity without really improving the security and privacy of personal information.