Data-breach milestone stirs new call for action
Armed with a new number on data breaches, the Cyber Security Industry Alliance is calling on the new Congress to enact comprehensive legislation to secure sensitive personal information.
The number of Americans whose personal data has been compromised has reached a new milestone -- 100 million, or more than one-third of the population, according to the Privacy Rights Clearinghouse.
"I actually don't think the news is that it hit 100 million, but why we haven't passed legislation to do something about it," said Joseph Ansanelli, the CEO of Vontu, a data-protection company that testified on Capitol Hill during hearings this year.
"The time is now to establish a single standard for securing citizens' personal information, regardless of whether it is housed within federal, state or local government, private sector or educational institutions," said Paul Kurtz, the executive director of CSIA.
Kurtz will be leaving CSIA at the end of the month for a private consulting company. Liz Gasster will become executive director and will be the one to continue the lobbying effort next year for a comprehensive data-security bill with five key elements.
Gasster said it is critical to protect data wherever it sits -- whether that is a financial institution or a government agency. Another goal is security standards to prevent data loss in the first place, not just notifying victims after breaches.
Gasster said it is important that new rules do not result in double regulation for the financial or health industries. She said any federal law also should pre-empt state regulations so places do not face two potentially different laws. And finally, she said, businesses and government agencies should be freed from liability if they do take precautions like encryption.
While Congress discussed a half-dozen legislative fixes, Ansanelli said debate stalled over which bill ultimately should prevail.
Gasster said she is even more disappointed by what she considers a bad data-protection measure that was hastily inserted into an omnibus bill for the Veterans Administration. She said the bill has two big problems -- the broad definitions of personal information and data breaches.
"It includes any information about an individual, including just the name alone," Gasster said, noting that a telephone book would violate the new law, which just applies to the Veterans Administration. She said it should define personal data based on a combination of information that could be useful to thieves.
She also said the definition of data breach could include a list of names that ends up in the trash but still would have to be reported. "It could set a bad precedent," Gasster said.
Ansanelli said companies understand that personal data should be protected, but it is not always a high priority. He said he is optimistic about legislation early next year that would not just notify people of breaches but stop the problem with better security.
"Would you rather take an aspirin or a vitamin?" he said. "We believe in encouraging people to take the vitamin and not getting the problem to begin with."