The question of whether the United States needs a national consumer data privacy and security law was met with a resounding "yes" from panelists on Wednesday at the RSA Conference.
The country is operating amid a fundamental paradox -- it has too many privacy and security laws and at the same time, too few, said panelist James Dempsey, policy director at the Center for Democracy and Technology, a nonprofit advocacy group.
Dempsey said the various federal laws securing credit reports, medical data, education records and credit cards are like a “patchwork quilt.” He added that having it this way does not serve either consumers or the industry well.
Nearly every state has its own data security law and that makes for a compliance nightmare, panelist Adam Rak, senior director of government relations at Symantec, said. Having a national law will help, he added.
Panelist Adam Golodner, director of global security and technology policy at Cisco, said he's not sure what a national data privacy and security law would entail but cautioned that it must not hinder innovation.
“Security is technology, process, people and innovation,” Golodner said. “When innovation is hindered we're at a disadvantage.
Getting from where we the nation is now to a more harmonized system will be no easy task, Dempsey said. There are a myriad of issues that must be considered before implementing a national law, including how it will address consumers who have been breached.
Panelists questioned the effectiveness of current practices to deal with consumers who have fallen victim to data-loss incidents. Companies that have experienced a breach typically offer free credit monitoring to those who were affected. Golodner said he would like to see some data about how credit monitoring has actually helped consumers.
Panelist Betsy Broder, assistant director, division of privacy and identity protection at the Federal Trade Commission (FTC), who also agreed that a national law is needed, said just offering credit monitoring is not enough.
She added that though credit monitoring can be useful, it doesn't cure the problems that data breaches cause for consumers.
“At the end of the day it's about protecting data,” Broder said. “Personal data also has a very long shelf life.”
One other issue: If the United States implements a national data privacy and security law, what effect would it will have globally? Golodner said that other countries likely would follow suit, looking at their own laws and altering them, but not necessarily following every aspect of the law implemented in the United States. Thus, China could have its own law, Russia another, and the United States yet another, which could become a “patchwork [quilt] on steroids,” Golodner said.