by Patrick McGregor, CEO, BitArmor
Consideration by Congress of a national data breach notification bill is encouraging, yet it should seize a much greater opportunity to advance true data protection.
Lawmakers should begin by mandating federal breach notification policies, and Congress should force negligent companies to pay for breaches.
Nearly all American companies are already required to publicly report breaches. Without monetary repercussions, a federal breach notification law will not significantly increase the number of reports, nor will it motivate companies to secure data proactively. TJX recently reported the largest cardholder data breach in history. Instead of suffering consumer backlash, however, company sales increased during 2007.
Congress must take more aggressive action. Minnesota recently passed a breach notification law with teeth: it allows financial institutions to recoup huge credit card re-issuance expenses from companies found to be responsible for breaches. Implemented on a national basis, this type of law would carry a far greater impact than notification alone.
by Pat Dane, CRO, MyPublicInfo
Data security should be the responsibility not of Congress, but of private technology firms in order to bring high-quality products to the market that reinforce comprehensive data protection policies.
The current issue we are facing is not about who needs to take the lead on data security, but rather that 167 million American consumers have had their identities breached in the past two and a half years, according to the Privacy Rights Clearinghouse, a nonprofit organization that fights for consumer rights (www.privacyrights.org).
Congress should play a solid support role in helping victims of identity theft to regain their identity. It is no longer a secret that consumers are exposed to credit and identity fraud by large corporations that are not investing the necessary funds in top-quality data security.
What we need moving forward is more class action lawsuits against companies like TJX to incite proactive regulation with regard to identity theft prevention.