Senator to businesses: Protect data or pay

Senator Richard Blumenthal, D-CT, says his newly introduced legislation, the Personal Data Protection and Breach Accountability Act of 2011, will protect individuals' personally identifiable information from data theft and penalize firms that don't adequately secure their customers' information. Naturally, there are skeptics.

The bill would establish "appropriate minimum security plans" for businesses with 10,000 or more customers to safeguard their customer information, and would hold those businesses accountable through fines should they fail to meet those standards. The bill also calls for more public/private information sharing.


"My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur," Blumenthal said in a statement.

The security analysts we interviewed questioned whether the bill would be successful at reaching those goals. It's not the first time they've expressed skepticism over federal data protection legislation.

"Philosophically, companies ought to be doing this already," says Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. "The devil is in the details with these laws. But there are a number of questions here. We've had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Second, these companies are already victims in these attacks, so why are we penalizing them after a breach? I think that's because it's easier to issue fines than it is to track down the criminals and go after them."

John Pescatore, security analyst and VP at research firm Gartner, agrees that the law would be redundant with many of the existing laws on the books, and adds that the existing costs associated with disclosure already exceed the financial penalties in the bill. "Also, the Federal Trade Commission already seems to do a good job of punishing privacy violators -- and it doesn't seem to need yet another law," he says.


Pete Lindstrom, research director at Spire Security, questions whether the government can effectively legislate security standards. "Everyone has their own definition of what it means to be secure, and what these bills do not allow is organizations to apply common sense, or their own discretion, at mitigating risk," he says.

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter at @georgevhulme discussing security and business topics.

Read more about pci and compliance in CSOonline's PCI and Compliance section.
