Whether or not various federal and state laws will actually sway how organizations view IT security is still up in the air. This month's cover story by Marcia Savage shows us that some industry players have high hopes that infosec legislation will push companies to implement security practices to safeguard information.
Others think there are more than a few enterprises still limping along hoping that corporate information or customer details won't ever be compromised. And, laws or no laws, these are the companies that are being less than forward-thinking in an age when networks are the backbone of critical infrastructure.
Although the likes of HIPAA, GLBA, Sarbox, California's SB1386 and other legislative mandates have actually prompted most entities to ponder the possibility of compromised data, and what it means for their companies' future, there are still too few actually taking sufficient action to stop breaches from occurring, say some experts. Many of these same industry pundits might add that cybersecurity laws altogether fail to mobilize any entity without the teeth that will bite them if they fall short.
I agree with them. History bears out that government regulation is only as strong as its enforcement.
Up until this point, it's fair to say that many corporations have been slow to conform because they are not seeing real instances of what happens when companies don't follow the letter of the law. Such cases are few and far between – until now.
According to a September issue of McKnight's Long-term Care News, 32-year-old Richard Gibson of Washington was criminally convicted under the health information privacy provision of HIPAA. He reportedly pleaded guilty to wrongfully disclosing individually identifiable health information for economic gain. After obtaining a cancer patient's personal details while employed at the Seattle Cancer Care Alliance, Gibson reportedly got credit cards in the victim's name and charged over $9,000. He faces a term of 10 to 16 months in prison and will have to pay restitution to the credit card companies and the victim.
Then there was the recent report of how California's In-Home Supportive Services database was compromised. Anyone who provided or received care under the program since 2001 (around 1.4 million Californians) had their personal details stored on the database exposed. The breach is reportedly one of the largest public disclosures under SB 1386, the state anti-identity theft law.
Cybersecurity laws, when enforced to the fullest extent possible, can have an impact. With so much personal information saved on databases around the world, new and upcoming laws are useless without ample authority to back them up.
Illena Armstrong is U.S. editor.
Are cybersecurity laws effective? Email [email protected]