NCX Group Security Update

If your Internet provider filters incoming e-mail, please add ncxgroup.com to your list of approved senders to make sure you receive NCX Group Security Updates.

COULD CONCEALING A DATA SECURITY BREACH PUT YOU IN JAIL?
According to the Personal Data Privacy and Security Act reintroduced this month by Senators Patrick Leahy and Bernie Sanders (press release), it would be a crime to intentionally or willfully conceal a security breach involving personal data. Failure to disclose a breach of personal data that causes economic damage to one or more persons would be punishable by a fine, imprisonment of up to five years, or both.

This bill may appear harsher on penalties than other proposals already submitted to Congress, but it too has its share of exceptions and safe harbor rules that privacy groups say are far too lenient. As with the Feinstein Notification of Risk to Personal Data Act (NORPDA) featured in last month's newsletter, it allows businesses that have had their data exposed to conduct their own risk assessment to establish whether there is a "significant risk" of identity theft. This leads critics to question how Americans can be sure their data is truly protected.

There are some strong stipulations that businesses would have to adhere to, though. The Personal Data Privacy and Security Act would require that, within one year of the bill becoming law, business entities establish and implement a "comprehensive personal data privacy and security program" that includes risk assessments, regular vulnerability testing, policies, and other safeguards to protect personally identifiable data.

ISSUE: February 2007
Violations of the act's provisions would be subject to civil penalties of not more than $5,000 per violation per day while the violation continues, up to a maximum of $500,000. Businesses that intentionally violate the act's provisions may be fined an additional $500,000.

The Leahy bill is one of many proposals submitted at the federal level for approval, but after two years without a decision, analysts have little confidence that Congress will come to an agreement any time soon. One thing businesses can be sure of is that Congress will sooner or later pass a law requiring more stringent safeguards and tighter control of personal data. And if consumers have their way, companies that are negligent will find themselves living on the court steps and spending a tremendous amount of money after the fact.


SO MANY LAWS, SO MUCH CONFUSION
As of January 2007, 35 states have enacted data breach notification laws, which are creating chaos for business security officers. Companies have to adhere not only to the law of their own state, but also to the laws of every state in which they do business.

A single federal law would certainly alleviate the overwhelming task of coordinating the various state laws, but in the meantime, businesses must be prepared. An article entitled Flurry of state disclosure laws creates confusion for CISOs states that while California's law is the model for data disclosure laws, companies have to pay attention to what triggers disclosure requirements, what data may be exempt, and the method and timing of notification, all of which vary from state to state.

In reading the data breach notification proposals that have been submitted at the federal level, you will notice that they spell out not only how, what, and when a breach is to be disclosed, but also the requirements and stipulations for maintaining a secure business infrastructure. It will be interesting to see what mandates are ultimately imposed on each business holding personally identifiable information.

Businesses need to budget now for enhanced security to avoid the potential onslaught of regulatory compliance requirements. Waiting until the last minute to comply can leave you throwing money at security in the hope that it will be sufficient. Have a thorough security assessment done by an unbiased professional security firm, such as NCX Group, to pinpoint where remediation is required. It will save you time and money.


IF A COMPANY PASSES A COMPLIANCE AUDIT, DOES IT MEAN ITS DATA IS SAFE? NOT NECESSARILY
There is a misconception that passing an audit such as SOX confirms that data is safe. This could not be further from the truth. While an audit does tighten data governance, the security of the systems themselves can still have plenty of holes.

Case in point: NCX Group did a security assessment on a company that had just completed a SOX audit. More than 130 high-level vulnerabilities were found. These commanded a "drop everything, nobody goes home until they're fixed" stance. You can be sure that many of the companies in the news have had their SOX review, and yet they are in the news because of a lapse in security.

Responsibility for security goes beyond the IT department. A collaborative effort across the enterprise is required to develop an integrated security posture that encompasses all areas affecting data security and business continuity.

As the attached article IT compliance success doesn't equal security success puts it, the key is to base your security program on frameworks like ISO 17799 or COBIT, not on compliance mandates that will keep you constantly reacting to changes. It states that "CIOs often lump regulatory compliance spending with information security spending simply because the information security organization has been made responsible for regulatory compliance. CISOs need to educate management that security spending decisions not only extend to fulfilling regulatory compliance requirements, but should also be based on the threats to the organization and aligned with corporate objectives." How true this is.

When a security program is based on security principles, it can easily be mapped to cover regulatory compliance projects, and will most likely keep you above the standard called for by legislation.


NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
888-448-5451

Copyright ©2007 NCX Group, Inc. All rights reserved.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
If you do not wish to receive future NCX Group Security Updates, please email us here