News of major data breaches at some of the world's largest online services has been plastered all over the headlines this year. Some of the high profile cases include Sony's PlayStation Network (PSN) and SEGA's ongoing investigation of a data breach that affects over one million people.
Other attacks of an even more serious nature have targeted the International Monetary Fund (IMF), Lockheed Martin in the United States and the European Union. However, what the BSA is really concerned about is how consumers will react to data breaches in systems run by the likes of Sony, and how it will effect confidence as industry and commerce moves even further into cyberspace than ever before.
The rise of cloud computing, for example, is promising for both enterprise and home customers as a low cost solution for all kinds of data computing and mass storage. The BSA is concerned that after the PSN hack saga and the increasing number of attempts to acquire consumers' personal information, a lack of confidence in data security could hurt the emergence of cloud-based services.
The BSA, and members of both houses of the U.S. Congress, believe that two things should be required of companies possessing personal information of citizens. Firstly, the information should be strongly protected by data encryption solutions, so that if there is a mass breach (such as a stolen database), it will become extremely hard or impossible for the attackers to decipher the information.
Secondly, the firm in question should be bound by law to make the breach publicly known, especially if users' personal information is at significant risk.
Last Wednesday, BSA President and CEO Robert Holleyman testified before the House Energy and Commerce Committee to push for Data Breach legislation to the passed on a national level. "This is now the fourth Congress to consider data breach legislation," said Holleyman. "The time to act is now. The need is clear, as are the solutions."
The hearing was set to discuss draft legislation introduced by Rep. Mary Bono Mack (R-Calif.), Chairman of the Subcommittee on Commerce, Manufacturing, and Trade. The draft bill (which you can download here) states its goal is to, "protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach."
Holleyman endorsed the key provisions of the bill.
He testified: "The bill requires organizations that hold sensitive personal information to implement reasonable security procedures, taking into account an organization’s size, the scope of its activities, and the costs involved. It creates incentives to adopt strong security measures by promoting the use of technologies such as encryption, which render data unusable, unreadable, or indecipherable to thieves if they manage to steal it. And it requires notifying consumers when there is a significant risk of identity theft, fraud or unlawful activity."
He also pointed out that over 2,500 data breaches have been recorded since 2005, and pointed out that in the procrastination of Washington on this issue, individual states have already stepped up to mandate notification in the event of a data breach.
In 2002, a California data breach law was enacted (went into effect in July, 2003) that required firms to report a breach of unencrypted data to possibly effected users (although it allowed delays in notification if law enforcement determined it would stifle an investigation.) Most other U.S. states that have enacted data breach rules have followed California's example. A number of bills have been proposed at the national level, but none have been successful so far.
Written by: James Delahunty @ 20 Jun 2011 10:38