Letters to the editor: Add data privacy to Congressional agenda

Add data privacy to Congressional agenda; Fix for Windows problem; The 7 best practices for network security in 2007; Almost as good as paper

Add data privacy to Congressional agenda

A serious issue the new Congress needs to address is data privacy. The past few years have seen a sharp increase in the leakage of personal data such as credit card and Social Security numbers from institutions ranging from universities, to banks to government agencies such as the Veterans Administration. According to a list maintained by the Privacy Rights Clearinghouse, a San Diego-based advocacy group, more than 190 such incidents have been reported since February 2005. Ninety of those have been reported since January of this year. The Federal Trade Commission estimates the inadvertent or deliberate extrusion of critical data costs consumers and businesses $50 billion a year. Beyond these immediate costs, data leakage threatens the integrity and growth of ecommerce. Even more ominously, it could harm national security.

State governments and private organizations have responded with legislation and voluntary standards. The federal government has also entered the picture. Last year the FTC leveled the largest data privacy fine in its history. But the FTC has publicly stated its investigations and fines are not enough. It needs better tools to ensure that consumers’ most important information isn’t lost, stolen or peddled to the highest bidder. That means new and stronger legislation.

Data privacy bills have been introduced in Congress. The new Congress should take up these bills and pass data privacy legislation in 2007. Any legislation should be guided by the following principles:

* Clear, uniform and comprehensive application. By the end of 2006, 35 states had some type of data privacy law. The leading state law is California’s SB 1386. Given that it covers any company with operations in California, SB 1386 has been called a de facto national data privacy law. But that’s a misnomer. SB 1386’s provisions differ from those of other state laws. The result: Large organizations must tailor their processes and procedures to SB 1386 and other, different state laws. Compliance with multiple and often conflicting legal frameworks increases costs and, more important, minimizes the clarity necessary to inspire trust among consumers. It is this trust that is the basis of the continued growth of innovative, digitally based business models and practices. Federal legislation should be clear, uniform and comprehensive. It should authoritatively define “personal data” and “identity.” It must establish national benchmarks that set a floor of protection, rather than a ceiling. Finally, privacy legislation should apply to private and public enterprises, including federal, state and local governments.

* Use of current best practices. While clear, uniform and comprehensive legislation is necessary, it need not be constructed from whole cloth. As noted above, numerous states have addressed the data privacy issue. Government bodies have been joined in this effort by private businesses, trade associations and advocacy groups. Together, our nation’s public and private organizations have developed best practices that can and should be utilized in the development of a national standard. These best practices include: an expansive understanding of private data; disclosure of a breach even if security procedures are in place; disclosure of a breach when data is reasonably believed to have been compromised; delayed disclosure to meet the legitimate needs of law enforcement; and an annual risk assessment by organizations that meet a certain threshold, such as the quantity of identities held. California SB 1386 and the Payment Card Industry Security Standard are two strong benchmarks for the federal legislation.

* Vigorous enforcement and substantial penalties. Experience with spam and other abusive and criminal activity has demonstrated that enforcement is a critical element of any digital protection legislation. Appropriate government agencies must be fully empowered and possess necessary resources to enforce the law. In addition, penalties must be designed to encourage compliance that genuinely lessens the risk of private data loss. This translates into significant funding; substantial penalties for intentional violations; lesser penalties for unintentional violations; and penalties based on the number of identities disclosed.

It is also critical that the legislation reward organizations that make significant efforts to comply. Unfortunately, no system can be 100% secure. Organizations that deploy processes and technology to protect information should be rewarded for this effort. Penalties should escalate for organizations that do not meet these industry standard requirements. To both deter potential perpetrators and protect consumers, penalties should be severe for intentional violations.

Continued faith in that economy, and its ability to increase wealth and expand opportunity, rests on a widely shared trust that digitized data is used for proper purposes. Congress should step up to the plate and guarantee that trust through thoughtful and comprehensive legislation. Doing so will send a strong signal to corporations and voters that the new Congress is serious about tending to the nation’s business.

David Etue

Senior security strategist

Fidelis Security Systems

Bethesda, Md.

Fix for Windows problem

Regarding Mark Gibbs’ latest Unfathomable Windows Problem: “How does Windows and its Start menu get screwed up to the point where opening the Start menu and clicking on Programs or Settings results in the playing of the Windows alert sound and nothing else?”: There is a simple fix for this problem.

Remove the system drive, place it in a working Windows system and back up all files. Replace the drive and reformat it. Re-install Windows, download and apply 48MB of security and bug patches. Download and install hardware drivers. Re-install all applications. Download and apply application updates. Copy backed-up user profile and documents into the myriad of appropriate 12-level-deep nested folder locations. Locate and rename the Hatten Bold font file (Microsoft actually had me do this to fix a failed Office upgrade). Buy a Mac and migrate your files to the Mac. Dell tech support informs me that another possible fix is the Initialize Array command, which they recommend early and often.

Jim Magruder

Network engineer

Digital-DNS

Greenville, S.C.

Inside job

Regarding “The 7 best practices for network security in 2007”: Yes, it's important to lay out corporate security policies, but these days that's just not enough to protect organizations from inside threats. Data theft and internal security breaches through the use of portable storage devices such as iPods, USB sticks and digital cameras are on the rise and can catch organizations with their pants down.

Moderated lockdown of a network's endpoints is vital and organizations should consider investing in a good endpoint security package.

Edward Lansink

Cary, N.C.

eBook Reader

Regarding Mark Gibbs’ Gearhead column, “Almost as good as paper”: I have been using my Palm T|X and its included eReader program to read eBooks. I am not sure if this is a proprietary format but I find the 2 1/8" x 3 1/8" rotatable screen very easy to read. There are four font sizes available, even the smallest of which is easy to read. The program includes all the expected reader features, including bookmarks, searches and management of multiple books on the device. I have downloaded and read dozens of books, and enjoy reading ebooks on my Palm. As the font or orientation is changed on the Palm, the book is reformatted to fit the new format and all bookmarks remain at their proper location. I find it very handy to have several books right in my pocket, ready for when I have some free time to read.

One of the interesting features is that the purchased and downloaded eBook, available through the Palm eBook portal, is secured with the credit card number used to purchase the book. This prevents someone from passing the file around.

What features would I like? A bigger screen would be nice, but that would defeat the original purpose of the pocket-size Palm T|X. I would like to see more books, new and old, available in eBook format.

Bob Ackerman

Kirksville, Mo.
