This is the question of my day. With a rash of attacks that began late last year against email service providers (culminating in the Epsilon breach) and a similar spate against security vendors (the most recent publicized one being Barracuda Networks), this question is definitely top of mind.
Secondly, is it rational to expect our government to set data privacy standards and rules that guard our most sensitive data and assets that are held by trusted custodians?
I think the answer is yes to all these questions. No one wants to be critical and point fingers. I grew up with the saying that ‘when you point a finger at someone, there are three pointing back at you.’
Still we do expect trusted custodians to do their utmost to protect the assets and information we trust them with. And we don’t have very good tools to know that they deserve our trust. That’s where government and data privacy and security standards come in. Just like we have an FDA reviewing and approving the drugs we put in our bodies, or inspecting the quality of produce that we import from Japan, we could use some help with the review and certification of service providers that manage critical data, systems and information.
Of course there is a delicate balance that must be achieved when it comes to creating good regulations that are not too heavy handed but are still effective. Lots of well-versed economists and policy makers presumably know how to strike this balance so that new rules are not too onerous.
I’m confident that at a minimum any eventual U.S. law will be much easier to live with than Malaysia’s relatively new Personal Data Protection Act, just pointed out to me by a Gartner colleague living in Australia. Under that act, the penalties for a breach include fines and/or a term of imprisonment of up to two years. Part of the act is the “Security Principle: A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.” And in Malaysia, that includes potential jail time for the CEOs, COOs, officers and other managers of the company that suffers the breach.
Avivah Litan
2 responses
1 Chris Hoff April 13, 2011 at 8:32 am
We already do: FISMA
Further, the evolution of FedRAMP (in the case of Cloud Computing) will provide better oversight and transparency without sacrificing the ability to function.
We already have regulatory frameworks & legislation that many agencies can’t easily meet – how about fixing that problem before throwing another body on the heap?
Until the process rewards as well as punishes, companies will focus on the minimal set of things required to be compliant – which is not to say they will focus on security or privacy if that is how they are measured.
2 Adam Hils April 13, 2011 at 4:17 pm
Avivah,
I disagree with your stance re: security vendors. We (the vendors) should be held to the same high standard as all other handlers of private/regulated data. While there is some grim humor in seeing a vendor hacked, the fact is that all organizations are equally culpable when soc sec #s or credit card info leaks. Regulatory entities should tighten the screws so that everyone – from TJ Maxx to Barracuda – gets penalized for lax standards or faulty security implementations.
As an info security customer shopping for solutions or a potential partner seeking a relationship, the vendor’s security practices would be one decision factor – just as security practices might be one decision criterion when I select a university for my children. The two cases are no different.