Over the next year or so, this space will provide a monthly guest perspective on various aspects of regulatory compliance from the leading information security companies that make up CSIA's membership. For our inaugural column, I'd like to focus on the need for Congressional action on data security.
With new, often large-scale breaches of sensitive personal information disclosed almost daily, more than half of the states have already passed legislation requiring notification to victims, and in some cases minimum standards for database protection. But this patchwork quilt is no substitute for a coherent and comprehensive national policy.
Now the problem has gotten so bad that even local governments are feeling the need to step forward into an arena that is clearly a federal responsibility. Westchester County, N.Y., has required local businesses to install basic security measures for any wireless network that stores customers' credit card numbers or other financial information. This unprecedented act underscores the need for Congress to achieve a legislative consensus and get a bill onto the president's desk.
Of course both the House and the Senate have busy schedules. But data security is a critical issue in an economy where information constitutes the most valuable asset of most companies. Cyber crime has begun to significantly reduce consumers' confidence in online transactions, threatening the long-term viability of the Internet Revolution, which has helped drive productivity and economic growth to historic levels. This is clearly – even to the technology-challenged – a big deal. It also happens to be one of the relatively few major issues that aren't currently mired in partisanship.
Substantively, it's not all that hard to figure out what needs to be done. More than one bipartisan bill would provide a realistic and effective legal framework to foster the adoption of best practices to protect consumers' personal information – such as encryption that renders lost data unusable – and standardize the requirements for reporting breaches that do occur. The Gramm-Leach-Bliley Act, which regulates sensitive data in the financial industry, provides a useful and proven model.
Politically, data security is a no-brainer. More than three million Americans had their identities stolen last year and spent an average of $834 and 77 hours restoring their good name. They are surely looking for the federal government to do something to help prevent it from happening again.
If Congressional leaders don't manage to squeeze a data security bill onto the legislative calendar soon, it is likely to be lost in the maelstrom of election season.
Meanwhile, state and local governments will continue to step in, doing the best they can but creating the real potential for confusing and contradictory requirements that serve neither business nor consumers. One hopes things won't have to get to that point for Congress to take action.