Harriet Pearson, chief privacy officer, IBM (photo credit: IBM)
Harriet Pearson once joined a petition signed by Facebook users, urging the social-networking site to do more in terms of privacy.
But the privacy expert considers herself a moderate when it comes to protecting her personal information.
Pearson, IBM's chief privacy officer for the past nine years and also its security counsel since last year, says each person needs a mental model to assess the benefits or risks associated with providing personal data. In the same way, she said, governments ought to be thoughtful when drafting policies and laws on data protection.
In town recently for Singapore's annual GovernmentWare conference, Pearson sat down with ZDNet Asia to discuss data protection legislation, the need for a balanced view regarding data breach notification, and why Asian regulators should not "photocopy" European law books.
Read more of "Asia's lawmakers need not copy Europe" at ZDNet Asia.
Two U.S. senators introduced legislation on Wednesday that calls for naming a national cybersecurity adviser who reports directly to the president and who would have the authority to disconnect federal or critical infrastructure networks from the Internet if they were deemed to be at risk of attack.
This proposed legislation comes amid a review ordered by the Obama administration into the government's policies for defending itself against cyberattacks and follows the resignation of Rod Beckström as director of Homeland Security's National Cybersecurity Center in response to what he said was a power grab by the NSA for cybersecurity leadership.
The legislation, proposed by Sen. John D. Rockefeller IV (D-W.Va.) and Sen. Olympia Snowe (R-Maine) would establish an Office of the National Cybersecurity Advisor that would take the lead on Internet security matters and coordinate with the intelligence community and the private sector.
The legislation also calls for the creation of a Cybersecurity Advisory Panel composed of outside experts from industry, academia, and nonprofit groups that would advise the president, as well as the creation of a public-private clearinghouse for sharing cyber threat and vulnerability information and the establishment of measurable and auditable cybersecurity standards by the National Institute of Standards and Technology. It would also require that cybersecurity professionals be licensed and certified.
In addition, the legislation would require that the cybersecurity adviser conduct a review of the U.S. cybersecurity program every four years and require officials to complete a number of reviews and reports. Officials would be asked to: do a threat and vulnerability assessment of public systems and private sector operated infrastructure; conduct a legal review of the federal statutory and regulatory framework for cybersecurity; complete a report on identity management and civil liberties, and one on risk management that attempts to put a dollar value on cybersecurity threats and includes civil liability and government insurance.
Other provisions of the legislation call for the creation of state and regional cybersecurity centers to help small and midsize businesses adopt security measures, an increase in funding for cybersecurity research and development at the National Science Foundation, and the establishment of a Secure Products and Services Acquisitions Board that would certify that products the government purchases meet security standards it sets.
BERKELEY, Calif.--Six years after California enacted the country's first data breach notification law, many state residents have received letters warning them that their data was exposed by a breach but usually they don't know how or how long, experts said at a privacy conference on Friday.
That would change with the passage of a measure proposed by California State Sen. Joe Simitian, who authored the country's first bill requiring companies to notify customers when a breach has occurred that exposes their data.
Senate Bill 20 would require that notification letters to consumers have a standard set of information such as information about the timing and circumstances of the breach.
It would also require that a state entity be notified at the same time so that law enforcement, lawmakers, and researchers "can spot larger trends and don't have to rely on what they read in the newspaper," Simitian said in a luncheon address at the Security Breach Notification Symposium in Berkeley.
This week, the Massachusetts Office of Consumer Affairs and Business Regulation pushed back the deadline to comply with a new state law mandating encryption of sensitive consumer data. The law, passed in September 2008, was supposed to take effect on January 1, 2009. Instead, the deadline has now been pushed back to May 1, 2009.
Why the change? The extension was driven by the current economic crisis in order to give companies a bit more leeway.
OK, I read the papers and see what's going on. Yes, the economy is a mess and it ain't gonna get much better between now and May. While I understand why my state government blinked, I don't like the precedent this sets at all. May I point out that:
1. There were over 300 publicly disclosed breaches last year, according to the Privacy Rights Clearinghouse. These breaches exposed private data of more than 150 million people.
2. The number of malicious code variants is exploding. According to the latest version of the Symantec Internet Security Threat Report, the company identified approximately 74,000 malicious code threats in the second half of 2006, 212,000 threats in the first half of 2007, and nearly 500,000 threats in the second half of 2007.
3. The British National High-Tech Crime Unit estimates that cybercrime costs $4.7 billion per year.
Hey, I get it. Times are tough so we have to prioritize initiatives and cut back where we can. Fine, but it's important that we realize that cyberspace is a dangerous neighborhood and it isn't getting any better. In fact, this situation will only get worse as more IT and security staffers find that December brings pink slips rather than holiday bonuses.
Note to legislators and IT professionals: Delay IT purchases, cancel new projects, outsource some IT operations, but don't cut corners on IT security. If you do, we are all likely to suffer the consequences.
Regardless of whether you favor Barack Obama or John McCain, you have to admit that the next president will inherit a monumental mess.
Each candidate has been scrambling to explain how he plans to right the financial ship, rein in growing health-care costs, improve education, and balance the budget. Yikes!
As if this wasn't enough, the new president and Congress also have an obligation to figure out how to proceed with a strategic plan for IT and information security.
Now I understand that economic, social, and national security issues should have precedence, but the fact is that the federal government is sort of treading water on a number of highly visible strategic initiatives regarding information security. The issue here isn't new legislation or initiatives, however. It is finishing work that has already been started.
Here are a few examples:
1. The Comprehensive National Cyber Security Initiative (CNCI). This effort grew out of presidential and Department of Homeland Security directives with the goal of standardizing security practices and appointing DHS as the overseer of critical information security infrastructure across all federal agencies. It is estimated that CNCI will ultimately cost around $18 billion to $30 billion. But for now, DHS is asking for $200 million in 2009. As of this writing, these funds have not been allocated to the project.
2. The next revision of the Federal Information Security Management Act (FISMA) of 2002. Back in 2002, FISMA was passed in order to provide a set of guidelines and requirements for federal agencies. Each agency was then graded on a FISMA report card with the results presented to Congress and the public. Several agencies (alarmingly, including DHS) received an "F", while others saw FISMA as nothing more than a series of check boxes with no teeth. To improve the efficacy and benefits of FISMA, the Senate is currently working on the FISMA Act of 2008 (S.3474). As of now, this bill remains in committee.
3. A national information privacy act. The Personal Data Privacy and Security Act (S.495) has been languishing in the Senate for years. In lieu of national personal-privacy legislation, 42 states have enacted their own laws, leading to a messy situation for any organization doing business across the country. Some states, like Nevada and Massachusetts, now mandate data encryption to protect data confidentiality, but the individual laws remain vague and differ from state to state.
These examples pale in comparison to the federal train wreck around Homeland Security Presidential Directive 12 (HSPD-12), a well-intended but unfunded effort to standardize identity technologies for federal workers and contractors. In my opinion, the lack of federal funding has rendered HSPD-12 a bad joke inside the Beltway.
As a private citizen, I can't help but lament the tremendous amount of wasted effort here, especially in the face of increasingly dangerous information security threats. Bills are discussed but not passed. Some legislation gets passed and is either ignored or treated as a mere check-box item. Other bills are passed and never funded.
Unfortunately, these examples are a microcosm of a broken, wasteful system. Regardless of who becomes our next president, I'll judge progress in Washington by the government's ability to pass and fund legislation, meet regulatory compliance mandates, improve information security, and strive for constant improvement. I, for one, will be watching carefully.