Aug 7, 2010 WASHINGTON, D.C.—U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) today introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances. Currently, there is no single federal standard for guarding many types of consumer information.
I cannot believe my eyes – “no single federal standard”??
I am at a loss to understand why the US needs another data security bill – when there are already a plethora of regulations regarding personal information – Gramm-Leach-Bliley (financial services), PCI DSS (credit cards), HIPAA (health care) and the state data security bills (CA SB 1386, the Massachusetts data privacy law, etc.). This is without even mentioning FISMA and the NIST security requirements for implementing HIPAA. With Obamacare in effect – it seems to me that the gold standard for PII protection will soon become HIPAA, and since health care appears to be becoming nationalized in the US – NIST will soon be the king of data security control frameworks.
Looking at data security as an exercise in providing cost-effective security countermeasures, it appears to me that the bill is most likely either a public relations play or congressional logrolling. The interesting item is the requirement to provide credit card monitoring services after a breach for a year – perhaps the bill is intended to help stimulate the business of companies like Experian, Symantec, RSA and McAfee.
The US does not need more data security regulation (requiring “strong security features” whatever that means) because with over 350 million US credit cards breached – the data is already out there. This bill is equivalent to closing the barn door after the horses have already fled.
What I would recommend to the esteemed Senators is a totally different approach – one adopted by Poland. Poland, which is a member of the EU and subject to the EU Privacy Law, decided a few years back to make data security breaches expensive. If a firm in Poland breaches personal data – it is liable to a fine of up to 2.5% of its annual gross revenue.
None of this hokey – “provide monitoring services and notify within 60 days” nonsense. Make US data breachers pay for their security vulnerabilities and even the playing field with the consumers – who are indeed paying the price for poor data security at American retailers and banks.