Tuesday, June 7, 2011

Data breach notification laws: Timing right for breach notification bill, experts say

New legislation proposed by the White House is attempting to blanket
the United States with a standard set of data breach notification
rules and experts say the time has never been better for the proposed
data breach notification law (PDF).

The Obama administration is seeking to standardize the amount of time
companies can wait before informing consumers of a data breach
involving consumer data. At the same time, the White House issued a
document outlining its International Strategy for Cyberspace (PDF),
which outlines a roadmap in how the federal government would help
secure distributed networks, protect intellectual property and build
disaster response plans.

The new data security legislation sent to Congress follows a string of
high-profile data breaches. It would require companies to notify
potential victims “without unreasonable delay.” Other requirements
include the notification of a major media outlet and all major
credit-reporting agencies within 60 days if the credit card data on
more than 5,000 individuals is at risk.

The bill and a document outlining the country’s national security
strategy come just two years after President Barack Obama’s Strategic
Cybersecurity Review, which assessed the state of cybersecurity and made it
paramount to U.S. national security.

“There hasn’t been a high number of very high-profile attacks and data
breaches that have drawn the concern of Congress,” said Eric
Rosenbach, principal and lead of the Global Cybersecurity Consulting
Practice at Good Harbor Consulting. “You see now, within the last two
or three years, that there has been a number of high-profile attacks
that change the context in which people think about this.”

The Obama administration said it sought to construct a ubiquitous
piece of legislation that would benefit the private sector and protect
consumers, thus creating one consistent federal standard for data
breach notification. A unified federal law will help “push forward
the new momentum of cloud computing,” by creating one set of rules
that large corporations have to deal with instead of several,
Rosenbach said.

Rosenbach believes that while this proposal is important, it will not
make it through the legislative process unchanged, especially coming
from a Democratic White House through a Republican House of
Representatives.

Other experts agreed that the timing is right for federal
cybersecurity legislation. Different rules and regulations set up by
states have been costly for enterprises, said Pete Lindstrom, a
research director with Malvern, Pennsylvania-based Spire Security.

“Any time you’re consolidating the procedural requirements for
notification, I think it’s generally a good thing,” Lindstrom said.
“Right now, with each state deciding how notification should occur,
it’s a huge burden on enterprises to actually comply with all the
different state laws.”

Lindstrom said privacy advocates will be watching the bill closely,
but legislators are keenly aware of ongoing sensitivity over privacy
issues.

“States are going to dislike it because it usurps some of their
authority, but generally the House and the Senate are going to like it
because it gives them more oversight and people care,” Lindstrom said.

Some, like Avivah Litan, a vice president and distinguished analyst at
Gartner Inc., see the law as “pretty innocuous” and do not anticipate
much of a fight on Capitol Hill. Since companies already have to
comply with state disclosure laws, they have little reason to fight a
bill seeking to make their legal maneuverings easier; however, Litan
is sure there will be lobby groups who come out against the bill.

“I think this law can only improve security,” Litan said. “I think it
is one of the better things they’ve done in cybersecurity, and I’m not
usually very generous with them. I’ve got lots of other criticisms of
the Obama administration, but I think this law is actually a good
proposal.”

The unified federal law will be especially helpful to smaller
businesses, preventing them from having to deal with expensive and
specialized lawyers, especially if the businesses operate in multiple
states, said Good Harbor’s Rosenbach. This is because larger companies
often have the resources to deal with multiple and varying state laws
while smaller businesses do not, which could be an impediment to
competitiveness.

“The private sector, above all else when it comes to cybersecurity,
wants something that is stable and easy to understand because then
it’s easy for them to plan for future investment and they have a more
stable kind of operating environment,” Rosenbach said.
