“Whenever industry fails to self-regulate, government will fill the void with legislation.” You can quote me on that.
Currently, the security industry fights a war on many fronts. On one end of the spectrum, we have industry regulations, such as PCI DSS, which helps mandate how credit card/payment card information is secured. On the other end, we have government regulations, such as CIPA (Children’s Internet Protection Act) or HIPAA (Health Insurance Portability and Accounting Act), which regulate data protection for schools, libraries and health care providers.
Now, we face one of the largest government acts of its kind, the “KerryDraft – Privacy Bill of Rights.” Although it is not law now, should it become law, businesses and consumers will see broad and sweeping changes to how consumer data is managed and protected.
Here are the key tenets of the Privacy Bill of Rights:
• Right to Security and Accountability
• Right to Notice and Individual Participation
• Right to Purpose Specification; Data Minimization; Constraints on Distribution; Data Integrity
• Voluntary Enforceable Codes of Conduct Safe Harbor Programs
• Co-Regulatory Safe Harbor Programs
• Application with other Federal Laws
• Development of Commerce Data Privacy Policy in the Department of Commerce
Obviously, this is a lot to digest for businesses and consumers. Here, I will break these points out in greater detail and provide in-depth analysis and commentary so that you can better understand the impact of this Act.
A year ago, Senators Kerry and McCain would have faced an uphill battle in pushing this legislation forward, but given the latest high-profile security fumbles (need I say Epsilon?), it follows that this Act may very well become the next big regulatory change for the industry. Stay tuned!
Maybe your quote should also include “and there is abuse”
“Whenever there is abuse and industry fails to self-regulate, government will fill the void with legislation.”
Generally, governments tends to be reactionary and will not do anything without prodding by one group or another.
Thanks for the comment. Certainly, when there is abuse, government moves faster. But as Epsilon has showed us, there doesn’t have to be abuse in order for the government to get involved. It will be interesting to see how this pans out.
I’m copying your post and putting it on my blog and pointing back here…
I’m sorry, but the “Privacy Bill of Rights” is not the step in the right direction I was hoping for…
Thanks for your thoughts and I will look forward to updates.
John
In the case of Epsilon the abuse is being directly committed by the hackers but Epsilon is responsible for the release of the information which can also be looked at as abuse. Please remember that any entity collecting or aggregating information is ultimately responsible for its security.
Also remember, that when we do risk analysis and mitigation we try to move risk off to someone else or take steps to reduce it internally. This practice is usually prioritized based upon costs. What the government is proposing will just ensure that protection of personally identifiable information (PII) will be ranked a bit higher.
Thanks for the comment. You are absolutely right… the entity collecting or aggregating information is ultimately responsible for its security. Sadly, for some businesses, it does take a government mandate to act as a catalyst so that data is better protected. Should be interesting to see how this concludes.
Chris, not to pick at you, but it appears your quote is a paraphrase of a statement in the Sept 18, 1997 prepared statement of the FTC regarding Implications of Emerging Electronic Payment Systems on Individual Privacy. That statement read “The question may ultimately be whether there is any alternative to government intervention if self-regulation does not fill the void.”.
Following up on your post, I also contacted one of the authors of the SANS course LEG523 “Legal Issues in Information Technology and Information Security”. My read on this legislation was that this bill was similar to the EU Data Directive. He confirmed that the bill as presented does bear earmarks of the European approach to security.
If enacted in substantially the form presented, this presents a landmark change in the regulatory approach to information privacy in the U.S.
Not a pick at all, in fact I’m flattered. I’ve never read the 1997 document that you are referring to, but obviously, I’d have to agree. 🙂 Oh, and you’re absolutely right about the EU legislation similarities. I’ve talked to our EMEA people, and they too reiterate the same points that you do. And yes, I couldn’t agree with you more, if this Act becomes law as presented, it will mark a landmark change for the industry. Thanks for the comments!
I will immediately clutch your rss as I can not find your email subscription link or newsletter service. Do you’ve any? Please allow me recognize so that I may subscribe. Thanks.
Your blog is pretty cool to me and your topics are very relevant. I was browsing around and came across something you might find interesting. I was guilty of 3 of them with my sites. “99% of site owners are guilty of these 5 BIG errors”. http://tinyurl.com/bn4kol9 You will be suprised how fast they are to fix.
To top mistakes, while I did find your article of interest I do not see how it pertains here.
Maybe you could write next articles referring to this article. I want to read even more things about it! Excellent post. I was checking continuously this blog and I am impressed! Very useful info specially the last part :
However, by early next morning, in most cases you will notice that your weight has
considerably dropped compared to where it was the previous night.
If the your body fat is above 25% but below 30% (Women)
or above 20% but below 25% ( Men) then you are overweight, you are
carrying more fat around than you need or that is healthy for you and it probably means you
are eating too much of the wrong foods. But let me
explain the whole concept of this diet program.