It seems like every day there is news of a new consumer data breach, and the pace of such breaches is indeed increasing. In 2005, organizations reported 151 incidents affecting more than 57.7 million people, and halfway through 2006 there have already been 93 incidents affecting more than 32.1 million individuals, according to the Identity Theft Resource Center.
For many of these organizations, network and data security has not traditionally been a major concern. However, as organizations increasingly store customer information electronically, identity thieves will continue to find new, poorly protected targets.
While consumers are clamoring for the government to help stop these breaches, businesses and other organizations are not so sure. In a recent Web poll by nCircle Network Security, 79% of respondents did not think Congress should make data security a legislative priority.
This, then, seems to indicate a fundamental disconnect between consumers and businesses surrounding government legislation of consumer data security.
Understandably, consumers see the rash of security breaches and fear identity theft. It is their personally identifiable information, stored by companies and organizations with whom they may or may not have done business, which is being lost and stolen. They want responsibility, accountability, and security of their data.
Businesses, on the other hand, worry that government legislation may create “busy work” and increase overhead while not actually making organizations more secure. There is also concern among organizations that heavy-handed legislation may overreach.
Some relevant legislation already exists; in fact, there is a rapidly increasing “patchwork quilt” of data security legislation designed to protect consumer data. Not only are there federal regulations such as HIPAA, GLBA, and Sarbanes-Oxley, but individual states are also developing their own consumer data protection laws.
California’s SB1386, for example, requires companies doing business online in California to alert their customers in the event of any security breach that exposes personally identifiable information. Since the enactment of SB1386, 22 other states have established similar laws.
At the very least, these laws have helped draw attention to the serious data security problem within the U.S. However, it is infeasible to expect businesses and organizations to be compliant with different regulations in each state. Congress is simply reacting to its constituency and adding more patches to the quilt, but there is a better solution.
What We Need
What is needed is a top-down approach to addressing both compliance and security, with the ultimate goal being that organizations that are compliant with the legislation are also therefore secure.
One of the common complaints of existing legislation is that organizations can spend an inordinate amount of time and money changing internal processes to be compliant with a specific regulation, yet this does not guarantee that the organization (and any relevant consumer data) is secure.
More such legislation may be worse than none at all, as it wastes time and money, and gives the public the illusion of security without fully protecting consumer data.
Much of the reason that it is possible for organizations to be “compliant but not secure” is the ambiguity surrounding data security within the regulations.
Some regulations were drafted to serve purposes other than specifically data security. In the case of Sarbanes-Oxley, for example, the purpose was the enforcement of accurate financial reporting. Because you can’t be sure if your financials are accurate if you are not also sure the data hasn’t been tampered with, data security also falls under the Sarbanes-Oxley umbrella. However, the section of Sarbanes-Oxley that deals with data security has no suggestions or guidelines on how to accomplish the difficult task of protecting data.
Given the patchwork of existing regulations and the sometimes divergent objectives, the correct approach to today’s consumer data security problem is federal legislation that actually focuses on measurably improving overall information security, rather than adding yet another small patch to the quilt of existing regulations.
And there is an excellent precedent already in use by the federal government itself: the Federal Information Security Management Act (FISMA) of 2002. FISMA requires federal agencies to measure the effectiveness and readiness of their information security programs. And it uses a scoring system like we do in high school, A to F.
Federal agencies scoring high grades are measurably more secure than those that don’t. The recent Department of Veterans Affairs data breach that exposed nearly 10% of the U.S. population to potential identity theft happened to an agency that had scored an “F” on its FISMA rating two years in a row. That’s simply not happening to agencies that are scoring A’s.
A FISMA-like regulation for companies that collect sensitive information about their customers, employees and shareholders would be good for everyone. It would ensure that compliance equals security, and vice versa. And by making public a standardized FISMA-like score for each business, there would be a powerful incentive for organizations to comply that is more effective than the threat of government punishment.
Customers would naturally choose to do business with companies scoring the highest grades. Legislation designed in this way will minimize the business overhead and cost of attempting to comply with multiple regulations, while at the same time providing consistent, measurable security of information systems and consumer data.