
Privacy: How much regulation is too much?

Shawna McAlearney, News Editor

We had a chance to self-regulate, but now it's the government's turn, Marcus Ranum told a panel of security and privacy experts yesterday at the Security & Technology Online (SATO) e-conference. The group discussed the future of security and privacy regulations and the possibility of further government intervention in industry practices. But it offered no solutions.

"We're in a really difficult spot," said Ranum, CSO of Columbia, Md.-based Tenable Security. "Industry should have been doing more all along, but because it didn't the government is going to have to step in."

Panelists also included Barbara Lawler, chief privacy officer for Hewlett-Packard Co. in Palo Alto, Calif.; Dan Burton, vice president of government relations at Entrust Inc. in Addison, Texas; Ken Williams, vice president of IT governance at Computer Associates Inc. in Islandia, N.Y.; and Mary Ann Davidson, CSO for Oracle Corp. in Redwood Shores, Calif.

CA's Williams said that while regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act have given security issues better exposure in executive decision-making, we need to be cautious of "over-regulating to the point that more effort is spent ensuring compliance than in security itself."

Incidents of identity theft are multiplying all the time: ChoicePoint, 145,000 potential victims; Lexis-Nexis, 310,000; Bank of America, 1.2 million; Discount Shoe Warehouse, 1.4 million. In addition, more than 300,000 identities have been stolen from universities since January, according to Entrust's Burton. He said a focus on mandating controls and not specific technologies is merely pushing paper around.

These thefts have led every state, collectively, to propose more than 150 bills to regulate security standards; ID theft and fraud protection; limits on data sharing, use and sales; the use and sale of Social Security numbers; data broker limitations; and security breach notification, according to HP's Lawler.

She cautions that a thought-out approach -- one that some industry groups are now examining -- is a far better plan than the "knee-jerk reaction" that is prompting the onslaught of state and federal bills.

"The bill that will move this situation forward hasn't been introduced yet," said Burton. He believes that what will likely succeed where others are failing to gain traction is a bipartisan bill with some teeth.

Though a proponent of regulation in the wake of the industry's failure to self-regulate, Ranum worries that these measures may not get to the heart of the matter. In an interview before the presentation, he said, "I can't think of any system that has gotten less expensive or more efficient when lawyers have gotten involved."

Added Ranum: "Perhaps the next time self-regulation is suggested people will listen before the government has to step in."

