Today we have a guest blogger from Gartner’s Security group, Avivah Litan:
The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) recently extended the deadline for compliance with Executive Order No. 504 from Jan. 1 until May 1. This law, which requires encryption of data, is said to be the strictest data security law in the country.
I think it will become the standard for more stringent state-level data security legislation, since banking and other lobby groups will work hard to make this happen to extract penalties and reimbursement fees from organizations responsible for data breaches that lead to fraud that banks end up paying for.
How strictly this will be enforced will determine how much impact this legislation will have. I believe we will first see enforcement by example. In other words, once a data breach is discovered, the laws will be used to force the companies responsible for the data breach to pay back the banks and other companies who suffer the fraud and customer service costs on behalf of their customers (since they don’t typically make the customers pay). I don’t think there will be proactive enforcement of the laws since the government agencies don’t have the resources to do that.
It is certainly a ‘good’ thing to encourage stronger data protection among customer data custodians. However, we would like to see a more evenhanded approach, where banks and other custodians of customer accounts take proactive measures to help the business community meet stricter security requirements. For example, they could modify their systems so that stolen data would be useless in any event, say by requiring stronger, dynamic authentication of the user before the data could be used.
– Avivah Litan
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.