Technology Daily
Issue Of The Week: Monday, February 12, 2007
The Push For Better Data Protection
by Heather Greenfield
A security breach at the Veterans Affairs Department made data-protection legislation a more urgent matter before Congress last year. A more recent breach at the VA has highlighted how little has been done to solve the problem, and it is leading interest groups to look both at what stalled the previous legislation and at what can be done to move bills in the 110th Congress.

The FBI and the inspector general's office at the Veterans Affairs Department continue to investigate the cause and the potential impact of the recent incident at a VA hospital in Birmingham, Ala., last month. Rep. Spencer Bachus, R-Ala., is concerned that personal information on 48,000 veterans may have been compromised and that some of the data that should have been encrypted was not.

Bachus said this latest breach leaves him with two unanswered questions: "First, why were the records of 20,000 veterans apparently not encrypted? If that is the case, given last year's experience, VA officials should have exercised greater caution. Second, why did this incident happen at all given the fact that the VA already has the guidelines and tools needed to prevent such breaches?"

Motivated By Breaches Of The Past

The highly publicized theft of a VA employee's laptop in Maryland last year potentially compromised personal data of 26.5 million veterans. That incident led to congressional hearings and to the first data-protection legislation to make it into law. President Bush signed the bill, S. 3421, which mandates encryption of sensitive data and notification of affected veterans and active-duty military personnel about any data breaches at the VA.

The legislation was one of the few bright spots in a cyber-security report card issued this month by the Cyber Security Industry Alliance. CSIA also praised the Senate for ratifying the Council of Europe's Convention on Cyber Crime and for the appointment of a cyber-security czar at the Homeland Security Department.
But the group noted that Homeland Security has not offered a clear agenda for cyber-security research and development or established an emergency network to handle a large cyber disaster. On authentication issues, CSIA said the government "continues to offer a mixed bag of successes and failures ... but much improvement is needed in the areas of using the power of procurement, resolving systemic telework issues, and releasing information on the cost of cyber attacks."

CSIA gave the government an overall grade of D in cyber-security progress for 2006. "We are discouraged by the inability to pass a comprehensive federal law to protect sensitive personal information, even in the face of more than 100 million Americans having their data records exposed," said Liz Gasster, the alliance's acting executive director.

Some members of Congress have taken note of perceived shortcomings in cyber security. They already have begun introducing and reintroducing data-security legislation that failed to move in the last session. Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., and ranking Republican Arlen Specter of Pennsylvania filed a bill, S. 495, to protect personal data, and Rep. Lamar Smith, R-Texas, introduced a cyber-security measure, H.R. 836. In addition to requiring notification of security breaches, both bills would make concealing breaches that lose sensitive personal information a crime with possible prison time. Sen. Dianne Feinstein, D-Calif., also introduced a bill, S. 239, that would require both federal agencies and private companies to disclose security breaches that endanger personal data.

Overcoming Jurisdictional Hurdles

Gasster says it is important to provide one uniform security standard for data no matter where it rests -- a federal agency or a credit-card company. She argues that for potential victims of data theft, the impact is the same.
Gasster released the results of a recent CSIA survey at the RSA Security Conference in San Francisco last week. It found that likely voters of both parties, Democratic and Republican, believe Congress is not doing enough to protect their privacy.

Adam Rak, the senior director of government affairs for Symantec, said during the conference that he expects data-security legislation to pass this Congress, but he doubts it will be comprehensive legislation. The challenge is getting comprehensive legislation through multiple committees. Kevin Richards, a Washington lobbyist for Symantec, blames jurisdictional fighting among different House committees for the failure to pass a broad bill last session.

That is why Richards was optimistic when House Financial Services Committee Chairman Barney Frank, D-Mass., proposed a task force of members from his committee, Energy and Commerce, Judiciary and Ways and Means. In a letter to House Speaker Nancy Pelosi, D-Calif., Frank said a task force would help "break that logjam by working out those conflicts at the very beginning of the legislative process." But Energy and Commerce Chairman John Dingell, D-Mich., responded with his own letter to Pelosi two days later, saying that he sees no need for a task force "unless regular order fails to produce responsible legislation."

Since then, Frank has abandoned the idea of a task force, but his staff has begun meeting with Dingell's staff in hopes of finding consensus on a data-security bill. The Energy and Commerce Committee has a measure in the mix as of Thursday. The bill, H.R. 958, would require companies to notify consumers of data breaches if there is a reasonable risk of identity theft. Frank spokeswoman Heather Wong said his priorities would be to hold retailers more accountable for breaches and also to exempt companies from disclosing data breaches as long as they have taken steps, such as encryption, to make the data unusable.
Conflicting Interests Outside The Capitol

There is also conflict over data-security legislation between interest groups -- financial services firms on the one hand and commercial businesses on the other. Financial services companies already have to secure sensitive customer data under a 1999 banking act, the Gramm-Leach-Bliley Act. Banks are wary of any Energy and Commerce legislation that would let the FTC, rather than banking regulators as under the current law, set rules for them on securing data. Frank has said he believes data security can be improved without revisiting that law by letting consumers freeze their credit files. But credit-reporting agencies oppose that idea.

Technology companies, meanwhile, are poised to fight any legislation that specifies that certain security standards or devices be used to protect data. Robert Holleyman, CEO of the Business Software Alliance, said it is important that federal legislation be technology-neutral.

The Senate may stay in neutral until the House acts. CSIA's Gasster said it is tough to get items on the Senate agenda simply because of time -- and even tougher when there is concern about House jurisdictional bickering. Her group lists data security as a top goal for 2007.

CSIA also would like to see the Homeland Security Department move much more quickly to establish cyber-security and telecommunications procedures for responding to and recovering from a disaster. The alliance recommends that government build an integrated, dedicated system that can monitor "the entire information infrastructure" if there is a major information infrastructure attack or disruption. CSIA's 2007 recommendations to the federal government also include strengthening both the role of federal chief information officers and the Federal Information Security Management Act.