Federal officials urge industry to better protect IT systems

Greg Garcia, the Homeland Security Department's cyber czar, is looking at incentives to encourage businesses to better protect their networks and sensitive information, and he hopes Congress does the same.

In response to questions at a two-day Visa Security Summit this week, Garcia said he likes the idea of a "Good housekeeping seal of approval" for cyber security. "I think we need to get ourselves to a point where we have some sort of third-party validation of security," he said noting that it could be by sector because a broad standard would conflict with different business models.

Garcia said any good security seal of approval "needs to be vetted in a sector so we can say this is the standard and we call all be accountable."

Commerce Undersecretary for Technology Robert Cresanti said he understands the need for businesses to make every nickel spent on security count. He said businesses that do invest will weather cyber threats better than competitors, and he believes businesses are "profoundly motivated" to make sure they address problems.

Former Federal Trade Commissioner Orson Swindle, now a senior policy advisor at Hunton & Williams, had his own motivational speech for the audience of mostly bankers and retailers.

"If data security breaches continue, the government is going to step in and regulate," Swindle said. "If we don't solve these problems, the government will attempt to solve them, and they're not very good at it."

Swindle said government has already made a mess in some ways because rules for the banking agencies on data protection are not consistent with those from the FTC and Securities and Exchange Commission.

Oliver Ireland, a law partner at Morrison & Foerster, helps clients that have had security breaches meet the requirements of different state laws. He said that instead of finding ways to prevent the problem, more than 30 states have passed laws requiring that consumers be notified of the loss of their sensitive information.

Ireland said in practice that means he focuses on fulfilling the requirements of a few of the more different state laws -- Connecticut, North Carolina and North Dakota -- to make sure his clients are covered legally. He said it is unfair that those states decide how a company handles a breach regardless of what the Florida or New York legislatures put into their legislation.

"We need to arrive at a consistent [national] standard one way or another," Ireland said.

Last Congress, several different House committees offered competing data-security bills. Mike Quaranta, the chief of staff for Rep. Michael Castle, R-Del., said Castle wants the legislation that emerges this session to clearly outline who pays for the impact of data breaches, who is responsible and who communicates with consumers.

Quaranta said Castle has asked the Government Accountability Office to examine data breaches over the past few years to see "who was truly harmed." "It's important to understand the context of the size of the problem so we don't go too far in over-regulating," he said.