April 14, 2009 10:57 AM PDT

Why a national data breach notification law makes sense

by Jon Oltsik

As we await the 60-day federal cybersecurity review from Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, there is something else that could be done. It seems to me that the federal government could take another related action to help protect the private information of U.S. citizens while reducing the cost of doing so. In my humble opinion, it is time to create a single federal data breach disclosure law. I believe this action would:

  1. Simplify the maze of current state legislation. As of the end of December, 44 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted security breach notification legislation. While most of these laws are modeled on the original California legislation (SB-1386) that took effect in 2003, there are subtle differences in terms of deadlines for notifications, definitions, and civil penalties. Massachusetts and Nevada have gone the furthest so far by mandating that private data be encrypted in certain circumstances. Obviously, this creates a legislative mess that could be streamlined by one central federal regulation.

  2. Protect the unprotected. In the six years since California started the trend toward data breach notification legislation, Alabama, Kentucky, Mississippi, New Mexico, and South Dakota have no such laws in place or have laws that haven't taken effect. I'm not sure why this is, but citizens in these states deserve the same type of protection the rest of us have.

  3. Extend the definition of private data into other areas. Aside from state data notification laws, many large organizations must still comply with the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, etc. There must be a way to broaden the definition of private data and consolidate private data security and breach notification legislation like the European Union has. The cost of compliance could go down precipitously if organizations were not obligated to perform the same basic tasks and audits numerous times.

If we are truly looking for ways to improve electronic data security and reduce cost and overhead, this seems like a good plan to me. I know my argument is simple and I'd be glad to learn more as to whether this logic makes sense. Please let me know if my instincts are correct or whether I've missed some important issues.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
by ManuNamboodiri April 14, 2009 12:57 PM PDT
A national plan makes a lot of sense - the challenges would be to figure out whether to take the MA or NV route (i.e. stricter) or maybe opt for something in the middle. I think the stricter laws have generated a more serious attitude amongst the organizations with regards to protecting data - will the rest of the states and those six that don't seem to care win, and therefore undo the stricter regulations? Also, within a global economy and with data moving across national boundaries, it is imperative to work with the EU, China and the Asian blocs to figure out a common framework for data privacy and protection.
by lindafoley April 14, 2009 1:08 PM PDT
It is critical to remember three items. First, if the national law is not as strict as the strictest law, then it must be considered the baseline and not the ceiling, and cannot take the place of an existing law. Second, it must include documents in all forms, including paper. This is a topic missed in almost all security breach laws. Third, we must have a centralized, publicly accessible database of the breach notification letters, similar to the one created by the Recovery Act for HIPAA-regulated health practitioners.
by grecs April 16, 2009 6:03 PM PDT
The big question to consider is if breach notification really works. It seems to be there to shame companies into making their systems more secure. So far there hasn't been much of a decrease in fraud, but we really don't have enough data to go on since these laws are fairly new. I guess we'll find out as time goes on. But having one national data breach law is a step in the right direction.
by small45gt April 29, 2009 7:57 AM PDT
As far as I'm concerned, private data should be everything I have on my computer, including systems and application software that everyone else may have, and even my porno files that anyone can download and have nothing specifically to do with me. Something has to be done about these websites that change your system settings without notifying you, install malicious, rogue or trojan software, etc. They should get a year in jail for every computer they infect. That way they would be sentenced to 2 million years in jail. That ought to stop them.