Senator to businesses: Protect data or pay

Senator Richard Blumenthal, D-CT, says his newly-introduced legislation, the Personal Data Protection and Breach Accountability Act of 2011 will protect individuals' personally identifiable information from data theft and penalize firms that don't adequately secure their customers' information. Naturally, there are skeptics.

The bill would establish "appropriate minimum security plans" for businesses with 10,000 or more customers to safeguard their customer information and hold those businesses accountable through fines should they fail to meet those standards. The bill also calls for more public/private information sharing.

"My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur," Blumenthal said in a statement.

The security analysts we interviewed questioned whether the bill would be successful at reaching those goals. It's not the first time they've expressed skepticism over federal data protection legislation.

"Philosophically, companies ought to be doing this already," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "The devil is in the details with these laws. But there are a number of questions here. We've had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Second, these companies are already victims in these attacks, so why are we penalizing them after a breach? I think that's because it's easier to issue fines than it is to track down the criminals and go after them."

John Pescatore, security analyst and VP at research firm Gartner, agrees that the law would be redundant with many of the existing laws on the books, and adds that the existing costs associated with disclosure already exceed the financial penalties in the bill. "Also, the Federal Trade Commission already seems to do a good job of punishing privacy violators -- and it doesn't seem to need yet another law," he says.

Pete Lindstrom, research director at Spire Security, questions whether the government can effectively legislate security standards. "Everyone has their own definition of what it means to be secure, and what these bills do not allow is organizations to apply common sense, or their own discretion, at mitigating risk," he says.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter at @georgevhulme discussing security and business topics.
