Data-breach milestone stirs new call for action

Measure inserted into an omnibus bill for the Veterans Administration has too broad a definition of personal information and data breaches, industry official says.

Armed with a new number on data breaches, the Cyber Security Industry Alliance is calling on the new Congress to enact comprehensive legislation to secure sensitive personal information.

The number of Americans whose personal data has been compromised has reached a new milestone -- 100 million, or more than one-third of the population, according to the Privacy Rights Clearinghouse.

"I actually don't think the news is that it hit 100 million, but why we haven't passed legislation to do something about it," said Joseph Ansanelli, the CEO of Vontu, a data-protection company that testified on Capitol Hill during hearings this year.

"The time is now to establish a single standard for securing citizens' personal information, regardless of whether it is housed within federal, state or local government, private sector or educational institutions," said Paul Kurtz, the executive director of CSIA.

Kurtz will be leaving CSIA at the end of the month for a private consulting company. Liz Gasster will become executive director and will continue the lobbying effort next year for a comprehensive data-security bill with five key elements.

Gasster said it is critical to protect data wherever it sits -- whether that is a financial institution or a government agency. Another goal is security standards to prevent data loss in the first place, not just notifying victims after breaches.

Gasster said it is important that new rules do not result in double regulation for the financial or health industries. She said any federal law also should pre-empt state regulations so places do not face two potentially different laws. And finally, she said, businesses and government agencies should be freed from liability if they do take precautions like encryption.

While Congress discussed a half-dozen legislative fixes, Ansanelli said debate stalled over which bill ultimately should prevail.

Gasster said she is even more disappointed by what she considers a bad data-protection measure that was hastily inserted into an omnibus bill for the Veterans Administration. She said the bill has two big problems -- the broad definitions of personal information and data breaches.

"It includes any information about an individual, including just the name alone," Gasster said, noting that a telephone book would violate the new law, which just applies to the Veterans Administration. She said it should define personal data based on a combination of information that could be useful to thieves.

She also said the definition of data breach could include a list of names that ends up in the trash but still would have to be reported. "It could set a bad precedent," Gasster said.

Ansanelli said companies understand that personal data should be protected, but it is not always a high priority. He said he is optimistic about legislation early next year that would not just notify people of breaches but stop the problem with better security.

"Would you rather take an aspirin or a vitamin?" he said. "We believe in encouraging people to take the vitamin and not getting the problem to begin with."