As George Hulme recently wrote, the vision of Senator Richard Blumenthal’s data breach legislation is simple enough: Protect individuals’ personally identifiable information from data theft, and penalize firms that don’t adequately secure their customers’ information.
Clearly, there’s a need for organizations to better secure confidential and private customer information. It seems that a week rarely passes without a new high-profile data breach in the news. In fact, 2011 is trending to be the worst-ever year for data breaches. And that is despite many U.S. states introducing legislation that expands the scope of state laws, sets stricter requirements related to notification of data breaches involving personal information, and increases penalties for those responsible for breaches.
I agree with Senator Blumenthal’s concept of establishing “appropriate minimum security plans.” But color me skeptical on the government’s ability to appropriately monitor and enforce those plans, especially after witnessing the mighty struggles at effectively governing the dozens of state laws already on the books.
My skepticism is shared by many, including Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation: “The devil is in the details with these laws. We’ve had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Companies are already victims in these attacks, so why are we penalizing them after a breach? I think that’s because it’s easier to issue fines than it is to track down the criminals and go after them.”
In my opinion, business leaders need to prioritize their own internal efforts to properly protect sensitive information rather than wait on the government to catch up. The first order of business is to identify where confidential files and data live in your organization and ensure visibility of that information (after all, how can you protect what you don’t know about?). Fortunately, there are technology solutions available to help organizations better manage and govern their critical files and data as they are moved and consumed, both internally and with business partners, across people, systems and various business applications.