June 14, 2007
CSIA backs national data breach laws
When I had the chance to question Massachusetts Attorney General Martha Coakley about the debate over whether it should be individual states or the federal government who create and enforce consumer data protection and breach reporting laws, she sort of straddled both sides of the argument.
While Coakley clearly indicated that she wished the feds would get their act together and pass stricter laws that established national guidelines that address the issues -- as many business leaders have called for -- she also pointed out that any law that essentially strips states' abilities to exercise their own legislation wouldn't be in anyone's best interest.
"We need to revisit what the fed has or hasn't done. As AGs have stepped into consumer protection issues, most of us have felt that if the fed was doing its job we wouldn't be as organized," Coakley said at the Authentication and Online Trust Alliance (AOTA) Summit 2007 in Boston in mid-April. "Many people believe that we shouldn't need to go state-by-state, but we don't want federal pre-emption that abdicates the state's ability to do anything."
Despite the fact that Coakley's comments echo those of many other concerned parties, including experts at the Electronic Privacy Information Center (EPIC) and other industry watchdogs who would prefer to see states retain the power to dictate data-handling and breach reporting requirements, some advocates remain in favor of more powerful national laws -- including the Cyber Security Industry Alliance (CSIA).
The CSIA -- an advocacy group "dedicated to ensuring the privacy, reliability and integrity of information systems through public policy, technology, education and awareness" -- maintains that consumers will be better served if federal lawmakers move forward and create national breach reporting requirements.
"Consumers need to have a consistent experience about receiving a notice and how they are told about whether their data is likely to have been misappropriated as a result of a data theft or some other form of loss," said Geoff Gray, a legislative consultant for CSIA, which counts CA, F-Secure, IBM, PGP, Symantec and Vontu among its members.
"People need to know whether the data involved was encrypted or usable, if it was merely lost, or if it was stolen by sophisticated criminals," said Gray. "They need to know that, depending on where they live, that any notification they receive has the same meaning as a notice received in another location."
Gray said that CSIA's members feel that the uniformity of such federal legislation would vastly improve the situation for companies that operate in multiple states, or Web-based players such as e-commerce shopping sites.
"Our constituency is all for setting clearer consumer expectations, and for the private sector and government to implement these requirements," said Gray. "However, the government also needs to be conscious of giving companies a roadmap to compliance with any laws it passes; in the end we want a safer environment where people are not afraid and can do business online with more confidence that their information is being protected."
While Gray said that states should play a significant role in helping to apply any national laws, he indicated that CSIA believes that any form of legislation that dictates oversight of the Internet, and e-commerce in particular, should be left to federal lawmakers.
"Clearly this is a fed-related issue to me, the Internet is a uniquely national and global system, and the burden of primary enforcement has to fall on fed and other nations' governments," said Gray. "The federal government needs to devote more resources to this problem, and we believe that it is critical for this issue to be a priority; e-commerce is the future, and if people are afraid that data won't be protected, they will shy away from doing business online."
Posted by Matt Hines on June 14, 2007 11:46 AM