Published: 01 Jun 2006
With data breaches continuing at a steady clip and nearly 30 state laws enacted, it's time for Congress to pass a national data protection law.
It's tough not to distrust the federal government these days, regardless of your politics. President Bush's policies at home and abroad are worthy of--and have received--bashing from both parties. Tom DeLay was forced to step down as House speaker in the wake of a campaign finance scandal. And now, über-lobbyist Jack Abramoff is going to spend more than five years in the Big House for conspiracy and fraud.
The tech sector hasn't been spared questionable politics. Consider the Check Point/Sourcefire deal, which was squelched because the same committee that initially approved the Dubai Port deal had responsibility for its approval.
Despite our cynicism, we must forge ahead and demand a federal data protection law that firmly protects the consumer, but also makes it easier for security professionals to adhere to regulations in the market today.
Currently there are nearly 30 state laws on data protection offering varying degrees of security and enforcement--certainly a lot to keep track of if you're a compliance officer. Meanwhile, six or seven federal bills are stuck in various committees.
A national law needs to have teeth--a weak one could do more harm than no federal legislation at all, especially if it pre-empts stronger state laws on the books. The bill must enforce and define security measures and best practices. It must use strong legislation such as GLBA and SB 1386 as its examples. If it weren't for SB 1386, we wouldn't know about the more than 55 million personal records that have been breached since the ChoicePoint debacle.
On April 4, board members and the executive director from the Cyber Security Industry Alliance (CSIA) tried to jumpstart the legislative process for a federal data protection bill. They visited Capitol Hill and met with legislators and staffers to underscore its importance.
While these security executives have a vested interest (you do the math: more regulations equal more products being sold and more profits to their bottom line), the fact remains that if businesses can't police themselves, the government has to step in.
Furthermore, CSIA argued, the lack of a federal law puts U.S. companies at a competitive disadvantage. We're viewed as not taking security seriously. Europeans and Asians, for instance, are far more aware of privacy issues and have privacy ministers as a result. The good news is that legislators understand that their constituents also want this type of protection.
So, will we get a federal law any time soon? CSIA executive director Paul Kurtz says members were well received on the Hill. Legislators and staffers were well-versed and engaged on the subject. But Kurtz estimates that there is a 50-50 chance that they will be able to pass a data protection law in this session. The reason: It is a short session, they have a full legislative calendar, and they would need to reconcile all the different bills.
Oh, my cynic meter is sounding off...politics.