A breach notification about compromised personal data has never hit Congressman Tom Davis's email inbox. This makes the House Representative from Virginia one of the lucky few yet to fall victim to online criminals' attempts to steal customer data from organizations.
Since February, some 50 million people have seen their data compromised or exposed at a myriad businesses, according to the Privacy Rights Clearinghouse. It is because of these jaw-dropping numbers that Davis (R-VA) and other congressional lawmakers are considering whether to establish a national law to help thwart such crimes.
Already, close to a dozen bills related to consumer privacy have been introduced by various members of Congress this year, most of which include minimum standards to safeguard consumer details and requirements to notify customers of potential compromises to their personal data. But, says Davis, passing additional regulation should be the last step rather than the first.
"We need to look at a range of options. Clearly, there is heightened awareness about this issue, in part because [under] California's breach notification law... these incidents are now made public, so it seems like these events happen daily. But this shows why we need to think through legislation," says Davis, who is also chair of the House Committee on Government Reform. "We don't want notifications to become so commonplace that people become immune to them."
Alan Paller, director of research for The SANS Institute, says he worries about this too, "but it doesn't matter. We still have to do it."
It is not only federal lawmakers who must consider stepping up to address these proprietary information breaches, believes Davis. Individuals, private companies and government all have their roles to play.
"Also, we need to be aware of the importance of appropriate physical security protocols. Many of these data breaches result simply from the improper handling of physical assets," he says.
With information being the hot commodity of the 21st century, doling out responsibilities is key.
As Paller puts it: "The only role that legislators can play is to make security a priority for CIOs."
According to a recent study conducted by the Cyber Security Industry Alliance (CSIA), 48 percent of 1,003 likely voters avoid making online purchases because they fear their financial data will be stolen. Just over seven in ten believe that a new national consumer privacy law is needed.
"That's always the public's view – let the government solve it. The problem when government solves it... is we always over-solve it," says Davis. "As I said before, I think government has a strong role to play here, but I don't want to jump into it so quickly that we end up with a $50 solution for a $5 problem."
Casting a wider net
Yet the current state-by-state approach will become too cumbersome for firms, says Paul Kurtz, the CSIA's executive director. California's breach notification law, commonly called as SB1386, is having a national impact. Several other states have passed similar laws. Therefore, companies could end up dealing with 50 different consumer protection models if Congress fails to devise an overarching federal mandate, which would be an "untenable situation," believes Kurtz.
A great deal of information is already with the private sector, adds Kurtz. Certainly in some industries, particularly finance, there are already regulations for the security of sensitive personal information, he says. "As the problems have manifested... we're finding that a lot of folks appear to be taking the security of sensitive personal information in its electronic form for granted."
It seems appropriate that a carefully crafted federal law is passed, says Kurtz. The scope of such legislation must be broad enough to cover data brokers, retailers, hospitals universities and others. And a consumer protection mandate must harmonize with existing internet security-related legislation. Beyond this, such a law should offer reasonable security guidance that covers people, processes and tools – not just technology.
Individuals play a critical role in protecting their own data. But at some point their abilities are no longer enough when organizations they are transacting with step in, says David Lynch, vice-president of marketing for Apani.
A seller's carelessness with data could, for example, allow for theft of the credit card numbers and subsequent unauthorized spending.
"So in terms of responsibility for the citizen, [it's a case of:] 'I'm responsible not to be careless with my information, not to be careless with my credit card, and provide it to organizations that are reputable and that I generally do business with. But once I've done it, I don't really have a responsibility.' The organization I've given that data to now has the responsibility to protect it in the same way as they did credit card imprints."
Playing the blame game
Neither a grandmother at home nor a sysadmin at a company can be solely responsible for sensitive consumer data, warns Paller. "And they're the ultimate data owners, aren't they? [But] if you don't buy that, you can keep playing the game we've been playing, which is 'blame the user'," he says. "I believe that's a fatally flawed strategy."
Information, once valued by companies as an internal asset, has a value all its own these days. The problem is that most executives seemingly fail to see this.
Yet a clear trend causing a major liability gap relates to a rise in just how much information companies are collecting about consumers, says Apani's Lynch. The value of the information has moved from being meaningful to just one firm's business to the entire marketplace.
"When you add that to the declining effectiveness of perimeter-based security, you've got a gap there that has created an opportunity... unsavory elements of society are taking advantage of," he says.
This means legislators will have to force companies to implement appropriate security measures that protect their constituents. This has been done to an extent with Sarbanes-Oxley and Gramm-Leach-Bliley (GLBA), and it all boils down to reminding corporate leaders that, rather than owning consumer data, they are merely its custodians.
"You don't own it and, by allowing it to propagate in the way that's going on, it's not good for the industry, it's not good for the citizens, and it has created identity theft as [a major] crime," says Lynch.
Government has a wider mission
Among the many congressional legislative offerings, a rather comprehensive bipartisan proposal is being led by Senators Gordon Smith (R-OR) and Bill Nelson (D-FL). The proposed bill, modeled after SB1386, allows for consumers to put a freeze on their credit at any time (as opposed to current measures which allow for this only after they are victimized), and implements more extensive social security number protection – severely restricting reasons for taking social security numbers, and outlawing buying or selling them.
Recently passed by the Senate Commerce Committee, the bill uses security standards already set by GLBA rather than creating yet another set of new ones. So all entities, including businesses (not just those in the financial industry), non-profits and schools, would have to follow GLBA security standards to safeguard any sensitive consumer information. But the proposed bill excludes government.
Mike Sozan, legal counsel for Senator Nelson, says lawmakers who drafted this and other bills want to cover government entities. But thorny questions surrounding conflicts with post-9/11 legislation and the Patriot Act add time-consuming complexity to drafting such an inclusion.
In the meantime, 2002's Federal Information Security Management Act (FISMA), which Davis sponsored and helped to pass," is sufficient, but not ideal," believes Sozan.
Agencies must all play their part in protecting consumers' sensitive data, leading by example, believes Paller. "What's wrong with FISMA is that 90 percent of it assumes that it's all the users' responsibility. If you look at the attacks that work, they were enabled by the vendor delivering unsafe systems."
Yet 2002 changes to FISMA, which added a section requiring agencies to set minimum benchmarks for the security of every system they deploy, are strong, he says. And during the past year, the Office of Management and Budget (OMB) released guidance that agencies must report which systems have met these requirements.
"Once software has been made a certain way, it doesn't cost anything extra to make it that same way for everybody," explains Paller. "So if the Feds require the delivery of safer configurations, the rest of us can buy it for probably the same cost of buying unsafe ones."
This is why FISMA matters, and shows just how agencies could play a critical role in securing the nation's infrastructure as a whole, along with individuals' sensitive data in the interim, he adds.
For now, however, congressional members like Senator Patrick Leahy (D-VT) are criticizing agencies such as the Internal Revenue Service (IRS) and the Securities and Exchange Commission (SEC), for their multi-million dollar contracts with data broker Choice Point, which had to notify around 145,000 of its customers earlier this year as a result of an identity theft scam.
Other groups' involvement
In addition to helping consumers protect themselves and ensuring that government safeguards the data it houses (which is where Davis's House Government Reform Committee comes in), law enforcement must also become more diligent in its fight against cybercriminals, for which it needs manpower and money, says Davis.
"We need to enforce the criminal laws that are on the books, explore other laws that may need to be written, [and] pursue cybercriminals as aggressively as we can," he says.
"To do that, we have to provide law enforcement with the personnel, training, and latest technology to conduct these investigations."
Ultimately, to secure the nation's infrastructure and the people using it, government and private industry must work together to counter potential threats. However, the onus is on organizations using consumers' personal data – government is unable to go it alone.
"It's a partnership with the private sector, and companies have to take the initiative to address these vulnerabilities," says Davis. "It's in their interest to do so – it makes sense from a business perspective and it makes overly intrusive government regulation less likely."