John Pescatore

A member of the Gartner Blog Network


Guest Blogger Wednesday: Avivah Litan on Massachusetts’ Data Protection Law

November 26th, 2008 · 1 Comment

Today we have a guest blogger from Gartner’s Security group, Avivah Litan:

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) recently extended the deadline for compliance with Executive Order No. 504 from Jan. 1 until May 1. This law, which requires encryption of data, is said to be the strictest data security law in the country.
 
I think it will become the standard for more stringent state-level data security legislation, since banking and other lobby groups will work hard to make this happen to extract penalties and reimbursement fees from organizations responsible for data breaches that lead to fraud that banks end up paying for.

How strictly this will be enforced will determine how much impact this legislation will have. I believe we will first see enforcement by example. In other words, once a data breach is discovered, the laws will be used to force the companies responsible for the data breach to pay back the banks and other companies who suffer the fraud and customer service costs on behalf of their customers (since they don’t typically make the customers pay). I don’t think there will be proactive enforcement of the laws since the government agencies don’t have the resources to do that.

It is certainly a ‘good’ thing to encourage stronger data protection among customer data custodians. However, we would like to see a more evenhanded approach in which banks and other custodians of customer accounts take proactive measures to help the business community meet stricter security requirements. For example, they could modify their systems so that stolen data would be useless in any event, such as by requiring stronger dynamic authentication of the user before the data could be used.

 - Avivah Litan


1 response so far

  • 1 MIke // Nov 19, 2009 at 12:17 pm

    As a Massachusetts citizen I, too, worry about the standards with which my state is taking care of data protection. People always worry about their credit card companies and retail outlets, but we cannot forget that our state agencies know EVERYTHING about us! A breach of security on that level could much more easily lead to identity theft and serious damage to your credit rating, not to mention any financial loss that could result from such a breach.
