If you didn’t have enough to worry about already as a security executive, it appears that legislation mandating data protection safeguards may be on the legislative agenda of federal lawmakers in the not too distant future. Earlier this week, Department of Homeland Security Secretary Jeh Johnson told attendees at the Reuters Cybersecurity Summit that members of Congress will likely move forward on bipartisan cybersecurity legislation this summer.
The Senate also issued a report on Thursday urging some the country’s leading high-tech companies to go to greater lengths to protect consumers from hackers using online advertisements as a way to infect computers.
While past efforts to develop comprehensive cybersecurity laws have stalled on Capitol Hill, the increasing number and severity of breaches have simply become too much for lawmakers to ignore, especially in the wake of last year’s high-publicized breach at retail giant Target. The incident, which compromised about 40 million debit and credit card accounts, has not only galvanized privacy advocates and legislators to call for greater accountability from organizations that maintain and store large amounts of sensitive data, but it has also been the catalyst behind a push within the U.S. retail industry for more secure payment technology. Historians may also reflect on the Target breach as being the primary driver behind federal mandates in network security.
Despite past political wrangling over fears that data protection legislation would only burden businesses with more government regulation, bipartisan support now seems to be growing in favor of passing some type of measure around the issue. Speaking at a conference on "The Future of Privacy and Data Security Regulation" hosted by George Mason University’s School of Law on Wednesday, Maureen Ohlhausen, a commissioner at the Federal Trade Commission, said she recently met with the Congressional Bi-Partisan Privacy Caucus and came away “surprised at their level of consistency” in how they view data security as problem that should be addressed.
Ohlhausen said she believes that it would be “beneficial” to have a uniform federal law on data security; however, she admitted that there are still a lot of intricacies that would have to be worked out both before and after a bill is passed. For example, Ohlhausen said that lawmakers and agencies like the FTC will have to define what exactly a “reasonable precaution” is for organizations to take to protect sensitive information, which will certainly have to be refined and tweaked as technology advances.
“One thing (the FTC has) done is to try and choose our cases so they’re not close to the line,” she said. "Have a firewall, don’t have your password be ‘password,’ these are basic things we’ve brought enforcement actions on.”
Additionally, Ohlhausen said that as technology changes, the threats will also change, which means that that the reasonable precautions a company is expected to take will also likely change. Another element that will have to be taken into consideration, according to Ohlhausen, is what a reasonable precaution for large corporations with vast resources is versus a small business or startup company.
On the positive side, Ohlhausen said that one of the benefits of a federal data protection law is that it would supersede varying state laws on the issue. Rather than having to figure out what criteria have to be met in order to trigger a breach notice in all of these different jurisdictions, under a federal law, companies would now have a single, uniform statute to adhere to.
As most security executives can attest, however, even if Congress passes a law or a set of laws surrounding cybersecurity and the protection of sensitive data, just giving businesses a compliance checklist or a set of guidelines, in and of themselves, is not necessarily going to translate into a more secure network environment unless the organization and their security staff go above and beyond that minimum threshold required by law.