Do We Need a National Data Security Bill?

There is only one primary driver for investing in security and that is the threats to your data and computing infrastructure. However, a secondary driver that often overshadows even the threats is compliance.

More Articles from Richard Stiennon on CIO Update

It is secondary because compliance is driven by legislation and regulations that seek to enforce a particular standard, and the purpose of that standard is to address a threat. Often compliance has more to do with paperwork than anything else but, even so, in our day-to-day tasks security compliance has become one of the most important aspects of an IT administrator’s job.

While HIPAA, GLB, and even Sarbanes-Oxley have security aspects to them, the two most important compliance measures are the Payment Card Industry standard (PCI DSS), which dictates specific security measures for those who accept credit cards, and California SB 1386, which requires organizations to disclose when they lose customer data. SB 1386 was the first state law that required disclosure and it rapidly became the most influential piece of security legislation.

Just look at the number of data loss disclosures there have been since SB 1386 was passed. According to one organization that keeps a running tally, there have been 218,621,856 records reported lost or stolen since January 2005. California just updated its legislation to expand the definition of personally identifiable information to include health records. There are now over 20 separate state laws requiring disclosure in one form or another in the event of data loss.

U.S. Congress and the Data Security Bill

Congress has been working on a data security bill for over three years now. Every session has seen several bills put forward. Criticism of the proposed legislation runs the gamut from “too expensive for business” to “not enough teeth.” The primary benefit of a national law will be that it will supersede all of the individual state laws. This will make compliance vastly simpler.

One of the hold-ups is that too much is being packed into one bill. Many congresspeople would like to see greater government accountability for data protection. But there are already laws for that, most recently FISMA (the Federal Information Security Management Act of 2002).

Business and individuals would be best served if Congress would avoid bundling multiple purposes into one bill. But, while we wait for Congress to finally come to grips with data security here are some guidelines that will help you prepare for what is eventually passed:

First, make sure that you are following established best practices for data protection. Identify every instance of personally identifiable information (PII) in your network:

  • Does your website contain a sign-up form? A survey?
  • Is that data encrypted immediately, at the point of collection?
  • Are the encryption keys well protected, and kept separate from the data they protect?
  • Do your employees, contractors, or auditors have access to your PII records?
  • Do they encrypt that data on their laptops?
  • What do your backup and recovery procedures look like? Are the backups encrypted too?
  • Is PII encrypted when it is stored?
  • How is your database secured?
  • Do your DBAs have unrestricted, unaudited access to PII in the clear?
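The checklist above boils down to one design: encrypt PII the moment it is collected, keep the key outside the database, and let the database (and therefore the DBA, the backup tape and the stolen laptop) hold only ciphertext. The following Go program is an added example written for this page, not code from the article or from CIO Update; it uses AES-256-GCM from the Go standard library, and the `Record`, `Vault` and `Ingest` names, the column names and the sample sign-up data are all constructed for the illustration.

```go
// Added example (not from the article): field-level encryption of PII at the
// point of collection, so the database only ever holds ciphertext and the
// data-encryption key lives outside the database.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is one row of a hypothetical sign-up table. Non-sensitive columns
// are stored in the clear; the PII columns hold ciphertext only.
type Record struct {
	ID       string
	Username string
	EmailEnc string // base64(nonce || AES-GCM ciphertext)
	SSNEnc   string
}

// Vault wraps the data-encryption key. In production the key is fetched from
// a KMS or HSM at startup and is never written to the same store as the rows.
type Vault struct{ aead cipher.AEAD }

// NewVault builds an AES-GCM vault; the key must be 32 bytes for AES-256.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one field with a fresh random nonce. The record ID and column
// name are bound in as additional authenticated data, so a ciphertext copied
// into another row or column fails to decrypt instead of silently "working".
func (v *Vault) Seal(recordID, column, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID+"/"+column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts one field, checking the same row/column binding.
func (v *Vault) Open(recordID, column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(recordID+"/"+column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Ingest is what the sign-up form handler calls: PII is encrypted before the
// row is built, so nothing downstream (logs, backups, DBA queries) sees it.
func Ingest(v *Vault, id, username, email, ssn string) (Record, error) {
	e, err := v.Seal(id, "email", email)
	if err != nil {
		return Record{}, err
	}
	s, err := v.Seal(id, "ssn", ssn)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Username: username, EmailEnc: e, SSNEnc: s}, nil
}

func main() {
	key := make([]byte, 32) // constructed: a throwaway key for the demo only
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	rec, _ := Ingest(v, "u1001", "alice", "alice@example.com", "123-45-6789")
	fmt.Printf("DBA view: %+v\n", rec) // PII columns show ciphertext only
	email, _ := v.Open(rec.ID, "email", rec.EmailEnc)
	fmt.Println("application view:", email)
	_, err := v.Open("u1002", "email", rec.EmailEnc) // ciphertext moved to another row
	fmt.Println("moved row:", err)
}
```

The point of binding the row ID and column name into the authenticated data is that a DBA or an attacker with write access to the table cannot reassign one customer's encrypted SSN to another account and then read it back through the application; the decrypt fails. The same separation answers the backup and laptop questions in the checklist: a copy of the table without the key is just ciphertext.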