Liz Gasster, the acting director and general counsel of the Cyber Security Industry Alliance (CSIA), admits she is an optimistic person, but she is nevertheless “discouraged” over Washington’s failure to adequately address data security issues.
Calling 2006 a “kind of disaster” for data security, her trade group, which includes Entrust , McAfee
and Symantec
, recently gave Congress and President Bush a D for their cyber security efforts last year.
Topping the list of Gasster’s disappointments is Congress, which failed to pass a national law to require both the government and the private sector to better protect sensitive personal data and to notify consumers of data breaches.
Since the ChoicePoint data breach of 2005, more than 100 million records have been exposed to potential identity theft through breaches and lost data, according to the Privacy Rights Clearinghouse. The 109th Congress promised –- repeatedly -– to do something about it, but it ultimately didn’t.
“The horse is already out of the barn. Thirty five states have breach notification laws already on the books, but we have no national law about when and how you notify consumers,” Gasster said.
The White House fared no better in the CSIA analysis.
In May, Bush appointed a national Identity Theft Task Force, promising to “make sure that the 13 governmental agencies involved with identity theft have a well-coordinated strategy to help the victims and to put those who commit the theft behind bars.”
Eight months later, it has issued no recommendations.
After years of pleading from the security industry to raise the profile of cyber security at the Department of Homeland Security (DHS), the agency appointed the first-ever assistant secretary for cyber-security and telecommunications in September, 14 months after the White House created the position.
Gasster said the CSIA has talked with the new assistant secretary, Greg Garcia, but worries the new DHS division lacks focus on the hard cyber security issues.
“They need to narrow down their priorities,” she said. “They don’t need to be concerned about every virus out there and problems with individual computers. That’s clearly secondary to securing the homeland from a cyber attack.”
Despite the low cyber security grades for Washington, Gasster has high hopes and a few recommendations for the new 110th Congress.
“I don’t think there was a lack of support for a national law but jurisdictional disputes between various committees stopped the legislation,” Gasster said, urging lawmakers not to mix security with privacy issues. “Together, it gets complicated and will slow things down.”
The CSIA is seeking data security legislation applying equally to all government and private sector entities that collect, maintain or sell significant numbers of records containing sensitive personal information. The group wants lawmakers to establish “reasonable security measures” in order to minimize the likelihood of a breach.
Under the CSIA’s plan, companies and agencies that use encryption or other secure technology would not have to notify consumers in the case of a breach since the technology would, presumably, render the breach data virtually unreadable.
Sen. Dianne Feinstein (D-Calif.) introduced legislation last month that would require businesses and government agencies to notify consumers of data breaches under certain circumstances, but there are a number of broad exemptions in the bill.
For example, the Feinstein bill does not grant a safe harbor provision for using encryption.
In the House, Rep. Barney Frank (D-Mass.), the new chairman of the Financial Services Committee, plans to introduce legislation that would grant exemptions to notification if encryption or other secure technology is used.
Gasster said the CSIA supports Frank’s approach if the bill provides for updating the encryption standard.
“There was a time when 64-bit encryption was considered strong, but the capability of cracking encryption increases all the time,” she said.
The CSIA also likes Frank’s idea to create a House cross-committee panel to study the issue to reduce jurisdictional disputes over the legislation. “Perhaps they could work through whatever differences that might be there,” she said.
Whatever data security legislation emerges from Congress, Gasster’s optimism is likely to be tested. The CSIA blames much of the 109th Congress’ failure to enact data security and notification laws with Congress focusing too much on re-election concerns.
A year from now, lawmakers will be viewing all legislation through the prism of a presidential election, prompting the CSIA to call for “swift action” in 2007 before it is too late. Again.
