There's always been a premium on data protection, but a paradigm shift away from reactive laws toward more proactive
and uniform breach-prevention frameworks may up the ante for information security practitioners who can expect a lot of heavy compliance lifting this year.
Hardcore data protection laws in Nevada, as of last October, and coming May 1 in Massachusetts, have changed the information security game for everyone. They've mandated prevention; shifting the focus from data-breach notification, though not eliminating that concern, to breach prevention by way of mandatory encryption. When it comes to data handling and data control, encryption is now front and center. The undertone is that data containment is how the game will be won, and encryption is the approach chosen by these states to achieve containment.
But even more significant than what these laws read, is what they will do. Requiring businesses to encrypt transmitted personal data (and under the Massachusetts regulations, the encryption of personal information stored on portable devices or laptops) raises the bar for security and technology practitioners, as does Massachusetts' new requirement for "comprehensive, written information security programs" to protect records containing personal information.
Effectively, these laws create a new baseline for practitioners who are intimately involved with regulatory compliance and transmission of personal data, regardless of where they do business. Lawyers spend months hashing out the meaning of any new law, and the extent of a law's applicability to a business. Information security practitioners don't have the luxury of time, especially where effective data control, risk management, and compliance are sought after. Practitioners must act now, starting by making a case to management about what needs to be done, including what resources and tools are needed, for containment.
Beyond the courtroom and corporate counsel offices, the real-world practical effect of these two laws is that companies should begin encrypting data in situations where they have already decided (deliberately or by default) that there is no business case for encryption. Information security professionals interested in being seen as strategists will approach this problem by finding a way to roll the regulatory requirement for encryption into existing corporate policies and procedures, such that the practice of encryption is a tightly integrated practice rather than a regulatory add-on.
Meeting the new bar may involve uncomfortable expense, particularly for smaller businesses with small security budgets. However, a focus on data breach prevention and data containment is the right approach (even if government mandated) and will only gain more regulatory traction as we move into 2009. The emphasis on prevention will serve long-term corporate interests by reducing costs due to breach remediation, public relations clean up, and business distraction caused by sensitive data disclosure.
In the end though, it's a near certainty that data breaches are going to happen. Comprehensive corporate policy, that carefully contemplates major currents in the law and reflects a strategic mindset, will go a long way toward minimizing those risks and put companies in the best posture to address the fallout.
Julie Tower-Pierce, Esq., is an attorney, past professor of cybercrime and cyberlaw, and author. She is admitted to practice in Vermont and the District of Columbia. Send comments on this column to firstname.lastname@example.org.