Posts Tagged ‘federal legislation’

More Legislation? Hmmm.

Posted in National and State Privacy/Security Law on September 13th, 2011 by Paul

Senator Richard Blumenthal, D-Conn., introduced new legislation aimed at preventing data breaches. The proposed legislation includes federal requirements for customer notification in the event of a breach (something most states have been requiring for years) and would require companies to provide two years of credit monitoring service. There are fines and program requirements for regularly testing controls and for protecting information while stored.

SC Magazine Article: New Senate Bill Aims To Prevent, Deter Data Breaches

Here are just a few issues with this:

1. We’re assuming the federal government can successfully patch together the existing state privacy and security requirements to make this helpful to businesses. I’m not sure our federal government can successfully tie a pair of shoes without creating extensive knots.

2. While requiring secure storage of sensitive information is certainly a valid idea, it doesn’t do a bit of good when sensitive information is readily copied to flash drives, laptops and other removable media. Regaining focus on “least privilege” and reducing the ability to copy data to media that is easily lost or stolen is at least as important as storing data securely on servers.

3. The alphabet soup of security/privacy legislation and compliance is mind boggling. Personally Identifiable Information (PII) is defined differently depending on what piece of legislation or industry standard you’re applying: PCI-DSS, HIPAA/HITECH, FERPA, GLB, SOX, state legislation, etc. How about one definition to rule them all?

I’m encouraged that the government takes privacy and security seriously, but as is too often the case, federal legislation is based on knee-jerk reactions to events and creates such complexity that security and privacy are seldom improved. I don’t disagree with the attempt; I’m just wary of another set of regulations that may create more complexity without really improving the security and privacy of personal information.

“Do Not Track” – Will it really help?

Posted in National and State Privacy/Security Law on March 17th, 2011 by Paul

The FTC and White House are once again throwing their support behind a “Do Not Track” tool meant to protect user privacy on the Internet. I think it’s easy to jump on board the good ship Privacy, but anytime the federal government engages in such rule enforcement and legislation, you have to wonder what the unintended consequences might be. Will it really make a difference?

For instance, if this models the Do Not Call list, does the collection of internet activity not apply to politicians and their election campaigns?  Or do they get a pass again?

Will it change the business model that provides free content and services?

If legislation is created and passed, will it also include funding for ant farms in Alabama or other items that have no business being in a privacy bill?

More importantly, will it really change people’s behavior? I’m not sure. People have been giving away information about themselves for a long time, whether it’s to get 3 cents off a loaf of bread or to win money in a lottery they’ve never entered. Can you really legislate personal responsibility anyway?

I think providing a choice is a good thing. I think it’s reasonable to inform people how their information will be used. I’m just not sure the end result of this effort will resemble the good intentions.

Photo credit: Mikey G. Ottawa

Cybersecurity Bill – DHS as Punisher

Posted in National and State Privacy/Security Law, National InfoSec on November 23rd, 2010 by Paul

In an effort to be a focal point of “cybersecurity”, legislation was introduced that would allow the DHS to levy fines and other civil penalties against any companies the government decides are “critical”. I agree that the need to protect critical infrastructure is important, but this effort by legislators creates a slippery slope and a recipe for internal conflict.

First, what is “critical”? The use of this broad term makes me nervous. It’s an open-ended path to abuse in my opinion.

Second, this is nothing more than an added layer of bureaucracy that adds nothing to information security other than the costs associated with complying with yet one more check box. In the long run, more money will be dumped into information security, but the large bureaucracy will negate the benefits. The last thing that should be done is inserting a slow-moving beast into an environment that requires agile response to defend against new attacks.

Third, what becomes of Howard Schmidt, the presidentially appointed U.S. Cybersecurity Coordinator? Does this role go away? If not, what type of conflict does the appointing of a DHS Cybersecurity guru create?

This is simply a bad idea.

More Useless Legislation

Posted in Should Have Known Better on August 3rd, 2009 by Paul

“File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told” – Washington Post

Another politician jumps into high gear with more useless legislation and finger pointing after sensitive information was leaked via P2P software on federal computers. Policy already dictates that P2P software shouldn’t be used, but these agencies lacked the technical controls to implement the policy. Adding legislation that merely says “don’t do it” is not the answer. Blaming the P2P software companies for federal agencies’ failure to implement good security is pathetic, but certainly not unusual for the political blame game.

Good endpoint security with perhaps the prudent implementation of whitelisting technology can provide the technical controls necessary to enforce such policy.