
Privacy: How much regulation is too much?

By Shawna McAlearney, News Editor
28 Apr 2005 | SearchSecurity.com


We had a chance to self-regulate, but now it's the government's turn, Marcus Ranum told a panel of security and privacy experts yesterday at the Security & Technology Online (SATO) e-conference. The group discussed the future of security and privacy regulations and the possibility of further government intervention in industry practices. But it offered no solutions.

"We're in a really difficult spot," said Ranum, CSO of Columbia, Md.-based Tenable Security. "Industry should have been doing more all along, but because it didn't the government is going to have to step in."

Panelists also included Barbara Lawler, chief privacy officer for Hewlett-Packard Co. in Palo Alto, Calif.; Dan Burton, vice president of government relations at Entrust Inc. in Addison, Texas; Ken Williams, vice president of IT governance at Computer Associates Inc. in Islandia, N.Y.; and Mary Ann Davidson, CSO for Oracle Corp. in Redwood Shores, Calif.

CA's Williams said that while regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act have given security issues better exposure in executive decision-making, we need to be cautious of "over-regulating to the point that more effort is spent ensuring compliance than in security itself."

Incidents of identity theft are multiplying all the time: ChoicePoint, 145,000 potential victims; Lexis-Nexis, 310,000; Bank of America, 1.2 million; Discount Shoe Warehouse, 1.4 million. In addition, more than 300,000 identities have been stolen from universities since January, said Entrust's Burton. He said a focus on mandating controls rather than specific technologies is merely pushing paper around.

These thefts have led to every state collectively proposing more than 150 bills to regulate security standards; ID theft and fraud protection; limits on data sharing, use and sales; the use and sale of Social Security numbers; data broker limitations; and security breach notification, according to HP's Lawler.

She cautions that a thought-out approach -- one that some industry groups are now examining -- is a far better plan than the "knee-jerk reaction" that is prompting the onslaught of state and federal bills.

"The bill that will move this situation forward hasn't been introduced yet," said Burton. He believes that what will likely succeed where others are failing to gain traction is a bipartisan bill with some teeth.

Though a proponent of regulation in the wake of the industry's failure to self-regulate, Ranum worries that these measures may not get to the heart of the matter. In an interview before the presentation, he said, "I can't think of any system that has gotten less expensive or more efficient when lawyers have gotten involved."

Added Ranum: "Perhaps the next time self-regulation is suggested people will listen before the government has to step in."
