Submitted by Alex Teu on May 22nd, 2009
The Federal legislation "Cybersecurity Act of 2009" was submitted to Congress in April 2009. A link to the legislation is provided here. The most talked about and controversial piece of the legislation is the looming threat of placing in federal hands unprecedented authority over the public and private Internet. While this tide was already started by previous legislation such as the seizure provisions of the Homeland Security Act, the new Federal legislation could potentially swell it to tsunami proportions.
Putting aside the impact on civil liberties, the legislation is sure to lead to greater IT angst as public and private companies alike try to meet the new requirements. Will it lead to greater IT costs? That question does not have to be answered in the affirmative.
I think most people who have ever taken even a cursory look at the data security and privacy laws know that a more comprehensive approach is required. There are currently about 42 states that have their own data security laws based on a breach notification standard, while 2 states (Nevada and Massachusetts) have adopted a more front-end approach. The state laws also take inconsistent approaches to the question of whether they apply to a breach involving non-residents.
In addition to state legislation, there are the myriad federal laws (HIPAA, SOX, GLBA and the FRCP) and international ones (the Safe Harbor Act and PIPEDA) that you can rest assured apply if you are a real business, but you just don't know how, or even when, you commit a violation.
According to information from the Privacy Rights Clearinghouse, a total of 261,759,380 records containing sensitive personal data have been involved in security breaches in the US since January 2005. Clearly, a Federal approach is required, and it's helpful that the Obama IT team appears to be looking to adopt more Cloud-based services, and so to understand in depth the security and privacy issues currently facing us and on the horizon.
There can be significant savings for IT departments simply from cleaning up and streamlining the data security landscape. Perhaps one safe harbor provision could be that a company that has already taken measures to comply with another statute, like HIPAA, and has been certified to be in compliance, can be released from further obligations under the federal mandate.
Right now, many IT departments are forced to evaluate new technologies and adopt new internal procedures every time there is a new applicable statute or a new communication medium (e.g. Twitter, IM). Often, they also have to involve legal counsel just to ensure that the applicable statutes are complied with. This is not good business practice.