
Network World

Jon Oltsik

Expect More Focus on Data Security in 2010

Tighter State regulations and Federal legislation are likely this year

By joltsik on Mon, 01/04/10 - 11:48am.

According to the website datalossdb.org, there were a total of 436 publicly-disclosed breaches in 2009, down from the disastrous 717 in 2008. Does this decrease represent real improvement? No -- simply the luck of the draw. It wouldn't surprise me a bit if 2010 was a banner year for data breaches. Heck, we are only 4 days in and there have already been two reported breaches -- one at Larch County Correction Center (OR) and one at the TSA here in Boston.

While I'm afraid 2010 may be an especially bleak year for cybersecurity, there is a bit of good news with regard to data breach legislation.

First, there is significant momentum for this issue on Capitol Hill. In December, HR 2221, the Data Accountability and Trust Act (i.e. the DATA Act) passed a House vote. Of course, the Senate is working on its own similar legislation -- S.1490, the Personal Data Privacy and Security Act (sponsored by Senator Leahy D-VT) and its companion bill, S.139, the Data Breach Notification Act (sponsored by Senator Feinstein D-CA). The two bodies of Congress have to somehow merge these bills into some cohesive body of legislation but I do expect this to happen by the summer.

Data breach legislation is by no means limited to the United States. The EU is contemplating new legislation that would cover all member countries. Canada recently passed tougher criminal penalties for identity theft. The UK passed the UK Data Protection Act and recently backed up this legislation with guidelines for businesses and the public.

While these federal laws come to fruition, my home state of Massachusetts will finally enforce the most stringent data breach notification laws to date, MA 201 CMR17. Yes, this legislation has been delayed several times and watered down a bit, but it is still a milestone.

So what does all this mean?

1. Data privacy and security will be front and center in 2010. You are bound to see much more public debate and mainstream news as data security, breach notification, and legislation gain traction.

2. Federal legislation will be the legal equivalent of a 1.0 software revision. Expect the Feds to compromise with lobbyists, misunderstand security technology, and leave loopholes in bills. For example, it is my understanding that the House bill only covers private data in electronic form; so if I print and steal a report with 100,000 Social Security Numbers, it is not considered a breach.

3. Compliance will continue to drive security spending as large organizations sort through new global legislation. ESG recommends that CISOs stay on top of developments and prepare for changes proactively.

4. Lots more compliance rhetoric from the tech industry.

As for security breaches themselves, all of this legislation will be fairly ineffective in the short term -- there are simply too many vulnerabilities and threats at this point. Nevertheless, more attention to data privacy and security is a welcome change since we've given these issues little more than lip service in the past. As long as we view legislation as progress and not a data security panacea, it can only help.

About Networking Nuggets and Security Snippets
Jon Oltsik is a principal analyst at Enterprise Strategy Group responsible for the networking and security services at ESG. Prior to joining ESG, Jon was the founder and principal of Hype-Free Consulting. Mr. Oltsik previously served as VP of Marketing & Strategy at GiantLoop Network where he managed all marketing activities and defined the company’s strategic vision. Jon was also a Senior Analyst at Forrester Research where he covered a wide range of infrastructure and IT topics. In this role, he was frequently quoted in business journals, including the Wall Street Journal, Business Week, and the New York Times, and was also the recipient of a prestigious "best research" award for his breakthrough report, "The Internet Computing Voyage."
 
