The American Spark
Personal Data Breaches Hit Record High

By Cliff Montgomery - Jan. 3rd, 2007

With the number of reported data breaches at a record high, the Cyber Security Industry Alliance (CSIA) is calling on the new
Congress to enact comprehensive legislation to better secure sensitive personal information.

According to the Privacy Rights Clearinghouse, the number of Americans whose personal data has been
compromised has reached a new milestone: 100 million, or more than one-third of the population.

"I actually don't think the news is that it hit 100 million, but why we haven't passed legislation to do something about it,"
Vontu CEO Joseph Ansanelli, who testified on Capitol Hill during hearings on data protection last year, told National
Journal magazine.

"The time is now to establish a single standard for securing citizens' personal information, regardless of whether it is
housed within federal, state or local government, private sector or educational institutions," added Paul Kurtz, the
executive director of CSIA.

According to the National Journal, Kurtz left CSIA at the end of 2006 for a private consulting firm. Liz Gasster has taken
over as CSIA executive director, and will be the one to continue the lobbying effort in 2007 for a comprehensive
data-security bill based on five key elements.

Gasster said it is critical to protect the data of private citizens, whether that data is held by a financial institution or a
government agency. Another goal is to no longer merely notify victims of data theft after breaches, but to prevent data loss
in the first place by employing more stringent security standards.
    
Gasster added that federal law should also pre-empt state regulations, so that the financial and health industries
do not face two potentially conflicting sets of rules. That is a fair point, though why private citizens of every stripe apparently should not
be given the same courtesy of a single, uniform standard is something Ms. Gasster did not immediately make clear.

Gasster also argues that businesses and government agencies should be freed from liability if they take precautions like
encryption. This leaves open the question of whether the encryption used could be considered reasonable and adequate.
"Encrypted" on its own says nothing about which records were actually protected, how strong the algorithm was, or whether the
keys were stored alongside the data. In previous government reports, for instance, a number of agencies were found to encrypt
only part of the data they held.

While Congress discussed a half-dozen legislative fixes, the debate appears to have stalled over which bill should ultimately
prevail.

Gasster's opinion is that the strong data-protection measures which were inserted into an omnibus bill for the Veterans
Administration (VA) are too stringent. She claims the bill has two big problems:

--The definitions of "personal information" and "data breach" are too broad. The first, Gasster claims, "includes any information
about an individual, including just the name alone," so that a telephone book would technically violate the new
Veterans Administration law. She said the law should instead define personal data as a combination of pieces of information that
together could be useful to thieves.

--She also believes that under the current VA law, the definition of "data breach" would cover a list of names that ends up
in the trash, which would nonetheless have to be reported.

"It could set a bad precedent," Gasster said.

But there may be problems with Gasster's thesis.

Ms. Gasster is surely an able executive director of a major private security industry alliance, but she is by definition
putting forth the corporate position here: what is best for the member companies, which is not necessarily what is best for you and me.

Consider for instance her first argument: that a list of names from a database means no more than the list of names found
in a simple phone book. What Gasster fails to mention is that the names in a phone book are not, in any particular way,
customers of any specific business or government agency; people whose names appear on a list obtained from, say, Business
X are certain to have some connection to that business, be they customers or employees. A name tied to a known bank,
clinic or employer is exactly what data thieves look for when they want to assume another person's identity, or when they
wish to discover personal information about a particular individual.

So while we indeed must work to lower the number of data breaches, we must also ask: are corporate spokespeople more
interested in our security, or their bottom line?