Government security regulations: How's it working for us so far?

The latest data protection bill to be introduced in Congress is getting the usual skeptical reception. What does it say about regulations as a whole?

On the surface, it's just another reflection of voter anger over a government that doesn't seem to work anymore. The summer showdown between the White House and Congress over the debt ceiling convinced a lot of people that nothing government does will help. In fact, government action will just make a bad situation worse every time.

All this comes to mind as I read the latest article from George V. Hulme about new legislation filed by Senator Richard Blumenthal, D-CT. He said his Personal Data Protection and Breach Accountability Act of 2011 will protect individuals' personally identifiable information from data theft and penalize firms that don't adequately secure their customers' information.

A lot of security practitioners are familiar with this kind of talk. They remember the rhetoric with Gramm-Leach-Bliley and HIPAA. They remember it with Sarbanes-Oxley.

For all the changes those laws have forced organizations to make, stupidly simple data breaches continue to happen on a daily basis, the skeptics say.

"Philosophically, companies ought to be doing this already," Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation, told Hulme. "The devil is in the details with these laws. But there are a number of questions here. We've had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Second, these companies are already victims in these attacks, so why are we penalizing them after a breach? I think that's because it's easier to issue fines than it is to track down the criminals and go after them."

Rasch speaks a lot of truth there. But I don't think it tells the whole story.

As a journalist, I've made a lot of site visits over the years to companies that offered to show me their security programs in action. All of the security practitioners involved have told me that a lot of the regulatory work they've done contributed directly to a stronger security program, and that the changes they made have kept out hackers trying to get in.

I don't doubt that. I also don't doubt that a lot of organizations have botched their security installations in the rush to check off all the regulatory boxes and get the government off their backs.

That's not the government's fault, is it?

Discuss among yourselves.

My personal view is that legislation at the federal level is a waste of effort. Most states at this point have their own laws and there's really not much these federal bills would add to what's already there.

Federal legislation won't end data breaches, just as state laws have not ended them.

Companies will always be sloppy in their security implementations, and that's all the bad guys need to get in. Other companies will suffer a breach despite their absolute best efforts to get security right.

The government has never really been able to save us from ourselves, which isn't necessarily a bad thing. All it can do is offer guidance.

At this point we have plenty of guidance. I have no doubt it has helped organizations get some things right. But dump too many regulations on an organization and you're bound to have the opposite effect sooner or later.

Too many regulations can create confusion. Confusion often leads to failure.

Does that mean we should do away with all legislation concerning data protection? I don't think so.

But what comes next should be more about clarifying and improving what we already have than just adding more bloat to the system.

Frankly, I'm not sure Congress is capable of that sort of thing right now.

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.