Needed: A National Cyber Security Law
By Paul Kurtz
Paul Kurtz, head of the Cyber Security Industry Alliance, says it's time for Congress to pass a law aimed at preventing security breaches
In less than two years, more than 93 million Americans have had their personal information lost, stolen, or otherwise compromised. That means more than 93 million people now have to figure out what degree of risk they face and how best to protect themselves from future incidents. Not a mild concern, considering that the average identity theft victim spends $834 and 77 hours just clearing his name.
These security breaches, affecting everything from medical records to Social Security numbers to bank accounts, are eroding public confidence in the security of private personal information. This growing trust-deficit is a serious threat to economic growth. Nearly every company's assumptions about growth rely on the continued acceptance of our digital networks, whether they operate online or not.
It is time for Congress to act. If the economic consequences of this waning consumer confidence aren't enough to spur action, then perhaps the preferences of voters will be. According to a recent Cyber Security Industry Alliance-sponsored survey, 70% of likely voters agree that Congress should pass a strong data-security law. And nearly half (46%) of likely voters who think Congress should pass such a law report that they would have serious doubts about a candidate who opposes swift action.
STATES OF CONFUSION. Congress must respond with a comprehensive national law that aims both to prevent further data breaches and to address leaks once they occur. To accomplish these goals, lawmakers should establish reasonable security measures, create a consistent and recognizable notification standard, encourage best practices such as encryption, and include effective enforcement capabilities.
While some argue that this should be addressed at a state level, pointing to the 33 states that have already passed data-security bills of their own, the truth is that these good intentions will likely result in an unnecessarily complex and cumbersome web of regulations for businesses and consumers alike, while doing little to actually prevent further security leaks.
Only a tiny handful of the regulations actually help prevent data breaches. The vast majority of these laws only address the problem after personal data has been compromised, mandating consumer notification when a breach occurs. Congress has the power to design a national law that addresses both notification and prevention. At the end of the day, wouldn't we all rather avoid having our privacy compromised in the first place?
GET IT TOGETHER. More than one bipartisan bill under consideration would provide a realistic and effective legal framework that organizations of all sizes could comply with—if party leaders, committee chairmen, and other members can set aside their differences and focus on protecting Americans' private, personal information.
The specific distinctions between the bills' provisions are important, but not enough to justify derailing the process altogether. Even the most finely crafted legislation is meaningless if it never makes it to the floor for a vote. And this one is long overdue.
Paul Kurtz is executive director of the Cyber Security Industry Alliance. He previously served as special assistant to President George W. Bush and senior director for critical infrastructure protection on the White House's Homeland Security Council, where he was responsible for both physical and cyber security.