Federal Data Security Law: 'Careful What You Wish For'

A federal cybersecurity law edged closer to reality late last week when the Senate Judiciary Committee approved a bill to protect the personal data of Americans. The bill is a bipartisan effort sponsored by Chairman Patrick Leahy, D-Vt., and co-sponsored by former Chairman Orrin Hatch, R-Utah, that would, among other things, force companies and data brokers to institute data privacy and security programs.

It's exactly what many security experts have been calling for -- one federal law that would supersede the growing mountain of state data security laws and give enterprises a simplified, one-size-fits-all roadmap to work from.

Also see Mass 201 CMR 17: A Survival Guide for the Anxious

And yet, when asked if a federal law is a good idea Tuesday during a panel discussion on the seventh-annual Global Information Security survey, which CSO and CIO magazines conducted with PricewaterhouseCoopers (see survey results here), one attendee who happens to work for the federal government deadpanned, "Careful what you wish for."

That seems to be the consensus among IT security pros these days. True, the patchwork of state laws can indeed be confusing to companies looking for a one-size-fits-all approach to security compliance. But in a recent, informal and unscientific poll CSOonline conducted on LinkedIn, a majority of respondents expressed doubt that a federal law would make their jobs easier. If anything, they said, the opposite would probably be the result.

The question we asked in various LinkedIn forums was if a federal cybersecurity law was the right way to proceed. Here's what four respondents said:

Gregory Anderson, desktop security SEPM lead manager and wise application packager at Qwest CommunicationsI have no faith in the U.S. government to implement useful strategies and security measures that don't fall completely apart when political cowards take the reins.

James McGovern, Hartford, Conn., chapter leader for the Open Web Application Security Project (OWASP)One thing I believe is missing is that the government needs to acknowledge that while their security practice is probably more rigorous through the lens of process than their enterprise counterparts, they can learn something from enterprises in terms of community sharing of knowledge, ability to work under scenarios of smaller budgets and how to accomplish the job with less bureaucracy. We don't need more enforcement, but collaboration. When was the last time a government CIO or enterprise architect ever traded notes with their enterprise peers? Good security requires understanding multiple perspectives and not thinking in such an insular manner.

Michael S. Black, manager of information security operations at Barclaycard U.S.Well, the Data Breach Notification Act has an exemption for data that "was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard." It doesn't really have any teeth, does it? And, the Personal Data Privacy and Security Act isn't really about breaches but more about the legal and punishment aspects. So we are left with PR and not a framework to increase security. It's something to let politicians thump their chest and say "We are working hard to help you," but it actually doesn't help the average person whose data gets stolen and resold, and has his credit destroyed.