Federal data protection legislation seems inevitable

May 16, 2014
Bipartisan support for a comprehensive cybersecurity bill appears to be growing

If you didn’t have enough to worry about already as a security executive, it appears that legislation mandating data protection safeguards may be on the legislative agenda of federal lawmakers in the not too distant future. Earlier this week, Department of Homeland Security Secretary Jeh Johnson told attendees at the Reuters Cybersecurity Summit that members of Congress will likely move forward on bipartisan cybersecurity legislation this summer.

The Senate also issued a report on Thursday urging some the country’s leading high-tech companies to go to greater lengths to protect consumers from hackers using online advertisements as a way to infect computers.     

While past efforts to develop comprehensive cybersecurity laws have stalled on Capitol Hill, the increasing number and severity of breaches have simply become too much for lawmakers to ignore, especially in the wake of last year’s high-publicized breach at retail giant Target. The incident, which compromised about 40 million debit and credit card accounts, has not only galvanized privacy advocates and legislators to call for greater accountability from organizations that maintain and store large amounts of sensitive data, but it has also been the catalyst behind a push within the U.S. retail industry for more secure payment technology. Historians may also reflect on the Target breach as being the primary driver behind federal mandates in network security. 

Despite past political wrangling over fears that data protection legislation would only burden businesses with more government regulation, bipartisan support now seems to be growing in favor of passing some type of measure around the issue. Speaking at a conference on "The Future of Privacy and Data Security Regulation" hosted by George Mason University’s School of Law on Wednesday, Maureen Ohlhausen, a commissioner at the Federal Trade Commission, said she recently met with the Congressional Bi-Partisan Privacy Caucus and came away “surprised at their level of consistency” in how they view data security as problem that should be addressed. 

Ohlhausen said she believes that it would be “beneficial” to have a uniform federal law on data security; however, she admitted that there are still a lot of intricacies that would have to be worked out both before and after a bill is passed. For example, Ohlhausen said that lawmakers and agencies like the FTC will have to define what exactly a “reasonable precaution” is for organizations to take to protect sensitive information, which will certainly have to be refined and tweaked as technology advances.

“One thing (the FTC has) done is to try and choose our cases so they’re not close to the line,” she said. "Have a firewall, don’t have your password be ‘password,’ these are basic things we’ve brought enforcement actions on.”

Additionally, Ohlhausen said that as technology changes, the threats will also change, which means that that the reasonable precautions a company is expected to take will also likely change. Another element that will have to be taken into consideration, according to Ohlhausen, is what a reasonable precaution for large corporations with vast resources is versus a small business or startup company.

On the positive side, Ohlhausen said that one of the benefits of a federal data protection law is that it would supersede varying state laws on the issue. Rather than having to figure out what criteria have to be met in order to trigger a breach notice in all of these different jurisdictions, under a federal law, companies would now have a single, uniform statute to adhere to.

As most security executives can attest, however, even if Congress passes a law or a set of laws surrounding cybersecurity and the protection of sensitive data, just giving businesses a compliance checklist or a set of guidelines, in and of themselves, is not necessarily going to translate into a more secure network environment unless the organization and their security staff go above and beyond that minimum threshold required by law.

“The reality is that all compliance (frameworks), whether they are industry compliance requirements, federal or even international requirements, all of these are baseline standards and you have to think of compliance as the basement of where your security starts,” Randall Gamby, a founding member of Wisegate and information security officer at the Medicaid Information Service Center of New York, told SIW in an interview last year. “You have to make sure that you secure the compliance stuff and then you have to look at the other information that doesn’t fall underneath the regulation so you can secure that as well.”

Ohlhausen also pointed out that not all data breaches are the result of lax IT security safeguards and cited a case the agency brought against a major pharmacy chain that was found to be throwing patients’ prescription drug information in a dumpster. “I don’t think we needed a rule that said, ‘hey, don’t take peoples medical records and put them out back in the dumpster.”

Time will tell whether or not and, to what degree, lawmakers take action on this front, but there is perhaps more momentum now for federal legislation than any point over the past several years. With the proliferation of the Internet-of-Things and more and more devices becoming Internet-enabled by the day, this issue is unlikely to go away anytime soon.