June 30th, 2005

Legislative solutions to security problems

Posted by Phil Windley @ 7:17 am

Categories: Government, Security

One thing I learned working for government is that if you don’t solve your own problems, the legislature will do it for you–and you probably won’t like the results. So it was with Sarbanes-Oxley and, perhaps, now with data privacy and security.

Senators Patrick Leahy (D, VT) and Arlen Specter (R, PA) have introduced legislation called the Personal Data Privacy and Security Act that may not solve the problem, but will definitely add to the paperwork and compliance work that companies, and CIOs, have to manage. 

According to a News.com report, the proposed bill would do the following:

  • Regulate the activities of "data brokers," a term used extensively in the bill and defined as any company or nonprofit that is "collecting, transmitting, or otherwise providing personally identifiable information" of 5,000 or more people that are not customers or employees. Data brokers would be required to follow European-style privacy guidelines.
  • Create new penalties for database intrusions in federal law. Trespassing in a "data broker’s" system could result in fines and 10 years in prison.
  • Provide penalties up to five years in prison for individuals who "willfully" conceal certain types of serious security breaches.
  • Mandate a "comprehensive personal data privacy and security program" for most businesses and individuals acting as sole proprietors.
  • Mandate disclosure of any computer security breaches that "impacts more than 10,000 individuals."
  • Require review of federal sentencing guidelines for misuses of personally identifiable information.
  • Authorize the Justice Department to grant money to states to be used to "enhance enforcement" of ID fraud-related crimes.
  • Create additional "privacy impact assessments" when a federal agency relies on a commercial database consisting "primarily" of information on U.S. citizens.

This is a far-reaching list.  The law specifically says that these measures apply to companies and individuals acting as sole proprietors–meaning that size doesn’t matter. 

The law will undoubtedly change as it moves through the legislative process, but that doesn’t mean it will get better.  The problem of data security and privacy is something that has touched almost everyone either directly or through someone they know.  In fact, Sen. Leahy was one of the customers affected by the Bank of America loss.   This personal connection creates a passion for "doing something" that won’t subside.

I think many would agree that some legislative reform is in order. I’m concerned, however, that this bill represents a knee-jerk reaction that will increase the compliance requirements on businesses–even small ones–without really changing the problem. I interviewed Dan Solove, author of the book "Digital Person," not long ago. His book provides some comprehensive ideas that are only hinted at in this legislation.

Phil Windley is an Associate Professor of Computer Science at Brigham Young University. See his full profile and disclosure of his industry affiliations.
