Cybersecurity: Laws Only Go So Far

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Many of us have been frustrated when dealing with the legalities of security. Most of the time, after pursuing an issue down to the cause, we find that we have no way to levy consequences against the offending party. It feels even worse when companies who were less than careful while handling and storing your personal data have personally victimized you.

So what’s happening to stop this? Have lawmakers and politicians been stung enough to at least attempt to mitigate the issues we face personally and professionally?

Well the Feds have decided to take a swing at the issue by proposing several bills and the States have followed suit too.

H.R. 1685 “Data Security Act of 2007” would require the federal government and businesses to notify individuals if their sensitive personal or financial information is compromised through a data security breach.
H.R. 836 “Cyber-Security Enhancement and Consumer Data Protection Act of 2007” would require notification of federal law enforcement officials of certain data breaches and provide criminal and civil penalties for knowingly concealing such breaches.
H.R. 958 “Data Accountability and Trust Act” would require companies to implement data security programs and notify individuals affected by a data security breach. It would require businesses to notify individuals if their personal information is compromised in a data breach incident. Additionally, businesses would be required to notify the FTC of the breach.

States have also jumped into the security legislation game with both feet and scored what all of us remember as landmark legislation in California with SB 1386. For those who need a refresher, this law requires all companies in California or that do business in California to disclose any security breaches to each affected Californian customer whose personal information has been compromised. Failure to comply may result in lawsuits and damages.

Once California introduced this law, roughly 36 other states followed with their own state breach notice laws.

And while the Senate has been slow to act on other security concerns such as spyware, we see that 15 states already have laws on the books with 8 states having proposals out this year. There are two federal bills floating now that have passed the House.

H.R. 1525 “I-SPY Act” would impose prison sentences on up to five years and/or fines for intentionally using spyware in furtherance of another federal crime and calls for sentences of not more than two years for intentionally accessing without authorization, or hacking into, a computer.
H.R. 964 “Spy Act” would prohibit the collection of personal information from a computer without notice to and consent from the consumer.

So we can see that our friends in Washington have been busy little bees with the FTC being the main enforcement arm of all these little gems. But with new laws come new issues.

Being that security litigation is still relatively new, you can bet that while legislation is laced with good intentions, we’re going to see quite a bit of a learning curve when it comes to lawyers, judges, rules of civil procedure and all of the many processes used to produce electronic evidence.

What does all of this mean to you?

While it’s nice to see that the wheels of justice are finally starting to spin, they have miles and miles of catching up to do. In addition, the laws on the books here in the United States certainly don’t begin to cover the deluge of international security issues that are now commonplace in all areas of business and government.

One thing is for sure. The bad guys are not going to get any less clever.

All of us are going to have to realize that even with new legislation on the books, we’re going to have to make serious adjustments in our practices and attitudes toward data security. No longer can we focus on our little piece of the pie and dwell on the frustrations within.

We need to understand that the issue of data security is no longer just a technology problem but also a criminal, legal and most of all, a business problem.

This article was first published on EnterpriseITPlanet.