Recently, a draft data breach bill, the "Data Security And Breach Notification Act Of 2010", has been proposed in the US Senate. The bill would remedy the shortcomings of existing laws and require "covered entities" to strengthen the security of personal information, monitor for vulnerabilities, mitigate those vulnerabilities and follow a more clearly defined notification protocol should a breach occur. The draft clearly demonstrates the increased importance attached to, and understanding of, information protection at the highest levels of government.
This bill, whether it passes or not, should signal to information security professionals the shape of things to come. Holistic protection requirements for all sensitive information will soon become a fact of life, spanning transaction data, stored data and data shared with third parties and partner organizations. Organizations should beware of solutions that only satisfy today's limited compliance mandates because, as this bill highlights, the future scope of protection is far broader. Encryption, backed by strong key management, is an enduring tool that can see out these long-term challenges.
The proposed bill provides long-overdue guidance on a broad range of personal information. Traditional definitions have focused on narrow and incomplete data sets, such as Social Security or credit card numbers alone. The addition of name and address information, and in particular the recognition that aggregating information makes it more sensitive, is a positive step toward true privacy and away from check-box compliance. A person's telephone number might not be terribly confidential or dangerous on its own, but when combined with other information such as transaction history, full name or account details, it becomes a useful phishing tool.
As well as broadening the scope of personal information, the range of covered entities that will have to adhere to this bill is also larger than under most existing requirements. By applying to everyone from a sole trader to a corporation, the bill recognizes an inconvenient but important fact: in matters of data and privacy protection it doesn't matter how big you are; it's the value of the data that counts. More important than ever, then, will be the security measures and encryption an organization deploys to prevent breaches in the first place.
For more information on the bill, please visit http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:s3742is.txt.pdf