This is the question of my day. With a rash of attacks that began late last year against email service providers (culminating in the Epsilon breach) and a similar spate against security vendors (the most recent publicized one being Barracuda Networks), this question is definitely top of mind.
Secondly, is it rational to expect our government to set data privacy standards and rules that guard our most sensitive data and assets that are held by trusted custodians?
I think the answer is yes to all these questions. No one wants to be critical and point fingers. I grew up with the saying that ‘when you point a finger at someone, there are three pointing back at you.’
Still we do expect trusted custodians to do their utmost to protect the assets and information we trust them with. And we don’t have very good tools to know that they deserve our trust. That’s where government and data privacy and security standards come in. Just like we have an FDA reviewing and approving the drugs we put in our bodies, or inspecting the quality of produce that we import from Japan, we could use some help with the review and certification of service providers that manage critical data, systems and information.
Of course there is a delicate balance that must be achieved when it comes to creating good regulations that are not too heavy handed but are still effective. Lots of well-versed economists and policy makers presumably know how to strike this balance so that new rules are not too onerous.
I’m confident that at a minimum any eventual U.S. law will be much easier to live with than Malaysia’s relatively new Personal Data Protection Act, just pointed out to me by a Gartner colleague living in Australia. In Malaysia, the penalties for breaching the act include fines and/or a term of imprisonment of up to two years. Part of that act is the “Security Principle: A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.” And in Malaysia, that includes potential jail time for CEOs, COOs, officers and other managers of the company that suffers the breach.