This week, the Massachusetts Office of Consumer Affairs and Regulations pushed back the deadline to comply with a new state law mandating encryption of sensitive consumer data. The law, passed in September 2008, was supposed to take effect on January 1, 2008. Instead, the deadline will now be pushed back to May 1.
Why the change? The extension was driven by the current economic crisis in order to give companies a bit more leeway.
OK, I read the papers and see what's going on. Yes, the economy is a mess and it ain't gonna get much better between now and May. While I understand why my state government blinked, I don't like the precedent this sets at all. May I point out that:
1. There were over 300 publicly disclosed breaches last year, according to the Privacy Rights Clearinghouse. These breaches exposed private data of more than 150 million people.
2. The number of malicious code variants is exploding. According to the latest version of the Symantec Internet Security Threat Report, the company identified approximately 74,000 malicious code threats in the second half of 2006, 212,000 threats in the first half of 2007, and nearly 500,000 threats in the second half of 2007.
3. The British National High-Tech Crime Unit estimates that cybercrime costs $4.7 billion per year.
Hey, I get it. Times are tough so we have to prioritize initiatives and cut back where we can. Fine, but it's important that we realize that cyberspace is a dangerous neighborhood and it isn't getting any better. In fact, this situation will only get worse as more IT and security staffers find that December brings pink slips rather than holiday bonuses.
Note to legislators and IT professionals: Delay IT purchases, cancel new projects, outsource some IT operations, but don't cut corners on IT security. If you do, we are all likely to suffer the consequences.