July 22, 2005 2:55 PM PDT

Panel: Don't rush into new data security laws

WASHINGTON--Sweeping federal laws on personal data security aren't necessarily the way to go, a panel of lawyers, academics and former federal officials said here Friday.

"There is this perception that we really need to do something on the part of the political leadership, and I understand that," Orson Swindle, a former Federal Trade Commissioner, said on a panel organized by the Progress & Freedom Foundation. "But I think we need to step back."

Congress in recent months has made data security one of its pet issues, citing millions of consumers who have had personal data lost to breaches this year. On the U.S. House of Representatives side, Rep. Steven LaTourette, R-Ohio, and Rep. Deborah Pryce, R-Ohio, on Thursday each introduced bills tackling the matter, and Rep. Joe Barton, R-Texas, is also assembling a draft in the House Energy and Commerce committee.

Sen. Arlen Specter, R-Penn., and Sen. Patrick Leahy, D-Vt., introduced bipartisan legislation last month that would impose sweeping rules on corporations, responding to what Specter deemed "an evolving problem that is gigantic." The Senate judiciary committee, which Specter chairs, is still due to discuss months-old bills introduced by Sen. Dianne Feinstein, D-Calif., and Sen. Jeff Sessions, R-Ala.

The bills share three common points. They require companies to notify consumers nationwide if certain types of breaches occur, set minimum standards for security, and pre-empt current state laws that regulate the matter. The lawmakers are still debating several questions, ranging from what would trigger notices to how companies should go about sending them.

The government is overreacting, Paul Rubin, professor of law and economics at Emory University, suggested on the panel. Pointing to the results of a Federal Trade Commission-sponsored survey, he said the number of people facing identity theft has remained constant over the last two years. Other data suggests that the amount of money companies are losing to credit card fraud has been dropping over time, he added.

Rubin said any federal regulation should be limited and aimed largely at keeping states from passing their own, more strongly worded variations on the law.

"There are very strong market incentives for companies to provide security," he said.

By contrast, Marc Rotenberg, executive director of the Electronic Privacy Information Center, argued that any federal legislation should establish "baseline" regulations but leave the major decision-making up to individual states. He praised California, which in 2003 became the first of more than a dozen states to enact its own security breach notification requirements, for providing a "very modest" but "innovative" approach that helped bring national attention to the matter.

Any legislation, Rotenberg said, should focus on requiring "good notification" and creating incentives for better privacy and security standards in the private sector. He said he was particularly concerned about keeping tabs on companies like ChoicePoint and LexisNexis, which derive their business from selling personal data and have run into data security trouble this year.

With such companies, "the market doesn't operate as it normally would," Rotenberg said, "because the people whose personal information is at issue and the people who are most concerned about privacy regulations on that information are not the customers of those companies."

Besides, notification simply isn't good enough, though it might be the best solution for now, said J. Howard Beales III, former director of the FTC's Bureau of Consumer Protection. "We need to find ways to push the system to make it seamless for consumers," parallel to the way that individual bank clients don't lose any money--and may not even receive notification--when robberies take place, he said.

Said Swindle: "If we start notifying everybody for everything that looks like it might be harmful, we're going to cry wolf so much that we're going to move away from this great medium that we're working with."

Privacy ACT
What is needed in this great country is a comprehensive Federal Electronic Privacy ACT (with oversight!). Not the existing fragmented knee-jerk set of laws on the books or adding further to the problem.
Posted by captnet (16 comments )
What about enforcing the FTC Safeguards Rule for starters?
Okay, NEVER MIND NEW LAWS for just a moment. What about the existing FTC Safeguards Rule? You know, that little talked about and highly avoided piece of the Gramm Leach Bliley act that went into effect in May 2002 and has only had TWO measly enforcement actions since then? (See http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm ). The FTC Safeguards Rule has NEVER gotten the media or political attention it deserves nor has it been enforced. For this law to exist but not be enforced then it is the fault of the FTC, not just the violating companies, who are putting all our personal data at risk.

This is not a slam, just look at the record. Think about what we have seen in the news over the last 7 months with all the security breaches and backup tape thefts and losses then compare that to what the FTC claims it is doing to prevent identity theft and protect information security (see the FTC's Statement to the U.S. House of Representatives on 9/22/2004 at http://www.ftc.gov/os/2004/09/040922infosecidthefttest.pdf ). This testimony of actions and intentions was prepared and delivered by the same FTC commissioner referred to in this article, ironically named Swindle, who suggests that more privacy laws and proper notification of security breaches will amount to "crying wolf" to the public.

The problem of ID theft has been allowed to grow out of control and is now collapsing under its own weight. And now the public is beginning to see the problem for what it is.

The real question at the end of the day is where are the monetary fines against businesses that willfully and intentionally ignore the FTC Safeguards Rule? With fines up to $10,000 per violation, just tapping a few arrogant companies with DEEP POCKETS for a few million dollars in fines could pay for a LOT of enforcement officers in the underfunded and overworked agency. But it would also show criminals and negligent businesses that data security laws are meant to PROTECT CONSUMERS BEST INTERESTS AND that violators WILL suffer severe monetary consequences (the SEC does it all the time, why can't the FTC?)

I would be curious to find out if anybody else out there has observed this discrepancy in privacy law enforcement and is willing to share their concerns or shed some light on the issue?
Posted by ceebee513 (11 comments )
IT Lobby Poor Babies-Panel: Begs Don't rush into new data security laws

Mr. A.T. Alishtari, POA and Founder of EDI Secure LLLP, knows the 3 areas of concern notification, basic security and transcending State laws require Federal support and this administration found a way to do that without writing new laws but enacting existing laws. It is the basic standards of two factor authentication with offline devices that have the big IT lobbies upset. Good golly miss molly.

The Congress is supporting what the White House suggested to every other G8 nation to do by setting basic standards of two factor authentication with an offline swipe device to protect U.S. citizens from bank rape. The G-8 are enacting these changes from local pressure from their own citizens.

However, the IT giant lobby and their advisory panels are a bit antsy since, well, they do not own the solution, EDI Secure LLLP owns the single use credit card number ID patent that has within it an exclusive U.S. right to do two factor authentication with an offline device using any electronic medium as a legal monopoly over the next 15 years. This was given July 22, 2003.

The IT giants do not know what to do in two years but the fact is the world must be a safer place online and offline or more companies will follow the ones now going bankrupt from not protecting private ID in banks or online. The consumer and average citizen is fed up with IT giants or banks putting them at risk since, well, it costs too much to stop ID theft online. The only thing worse or more cowardly than trying to stop a good solution is if the solution didn't work but every expert in the world, even these guys, say it works once using an offline swipe device.

One benefit of giving consumers two factor authentication with offline devices is it reduces costs to industry since it puts private ID security where it belongs; in the hands of users. Once there, consumers will rest knowing their cash and ID is safe. One does not know what this IT lobby sees as not important. 40 million ID was stolen and that is not all of it and every nation is under attack by cyber mafia but don't rock the boat. Well, the boat has sailed and if not wise, the boat is sunk. Get on the side of the American people and let free market principles do their thing.
Posted by (66 comments )
Please adjust Mr. Alishtari's comments to the buyout of EDI Secure LLLP

A year ago, January 2006, EDI Secure LLLP was purchased by IDPixie LLC which owns the patent US 6,598,031 B1 granted on July 22, 2003 for APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK from inventor Jeffrey Ice. So to update EDI Secure LLLP's place in the marketplace, I add the above and below data.

My Pledge

I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
Posted by Abdul Tawala Ibn Ali Ali (53 comments )
Staying ahead of the hackers with smart password technology
Staying ahead of the hackers and cyber criminals means using smarter password software. Sweeping federal laws on personal data security aren't necessarily the way to go, a panel of lawyers, academics and former federal officials said here Friday.

We agree, federal laws don't solve identity theft or keep our data safer; software technology is the only thing to protect our information. We do not need another "data protection law", we need smart password software that does not allow hackers or criminals to see a password and re-use it. Be it a password to your PC, cell phone, PDA or Bluetooth cars.

Get rid of re-usable passwords! Yes, a law should be made! Never, ever send a re-usable password on the internet. We should revoke net access until you're secure! Let's get to the point where we can login with certainty that our password access could not be captured and re-used! No longer have passwords sent in clear text across the internet, on partner or on private (internal) networks. And while we are at it, pass that law that includes: never store re-usable passwords anywhere.

How can we be secure and safe? New non-re-usable password software replaces your MS login. Easy, seamless, strong and better than anything we have today, because it uses a one-time encryption algorithm each time you login. Your password formula is safe from theft, misuse and mis-management. Still need (strong) 2 factor authentication? Do it without a re-usable password.

Yes, let's hurry up and make laws that make us cybersafer. Let's stay ahead of the hackers. How can a hacker get information that they can use if government, corporations, ISPs, telcos and software developers remove re-usable passwords from their logins and replace logins with password risk free technology?

Once we get rid of re-usable passwords, when no one can "see" your password to steal your identity, waalaaa! We have a solution, NOT a new law!

I vote we make law for non-usable passwords. I vote for secure email, secure banking without the risk and secure communications online, safe from the threat of fraud and identity theft. Ask me more: s0ndra@securityuniversity.net or go to Griddatasecurity.net
Posted by s0ndra (9 comments )