InfoSec Law - Lunatic Fringe
Fri, 2008-06-20 17:31
It is not a bad thing that the bill (H.R. 4279) introduced by Rep. John Conyers (D-MI), which would increase penalties for theft of intellectual property, has been approved by the House Judiciary Committee’s Subcommittee on Courts, the Internet, and Intellectual Property.
 
Increasing the penalties ensures the proper sanctions are in place should someone get caught violating the to-be-ratified bill. The problem I have is that we still don’t have an information security law that requires public and private entities to fully protect sensitive information of any and all kinds, in any shape or form. Heck - we can get a law that protects telecoms http://www.usatoday.com/news/washington/2008-06-20-bush-eavesdropping_N.htm in a heartbeat, but years and years after the first data breach, we still sit idly by.

The government eavesdropped on American phone and computer lines for almost six years after the Sept. 11 attacks without permission from the Foreign Intelligence Surveillance Court, the special panel established for that purpose under the 1978 law. Some 40 lawsuits have been filed against the telecommunications companies by groups and individuals who think the Bush administration illegally monitored their phone calls or e-mails. 

Yes, we have GLBA, HIPAA, DMCA, CFAA, and other laws, but we continue to piecemeal the effort rather than focus on one reasonable law that requires entities to comply.
 
We have 40+ state breach laws largely because Congress has done nothing to create an overarching federal law. No, SOX does not cover it, and Section 404 is ambiguous to the point that large accounting firms have exploited the wording to create a whole industry while they fill their coffers. SOX did not go far enough in that it covers financial systems only. The attestation at the C-level is one thing, but it does not cover information security explicitly, and it does not cover any and all sensitive information.
 
PCI-DSS is focused on only one area, and it is self-governing.
We need something that is preventive rather than an after-the-fact penalty, and someone in Congress who has enough chutzpah to face the corporations that will oppose it; enough clout to gather enough votes; and enough awareness to craft a law that encompasses the right things.
 
Why do we need such a law, you may ask (although I don’t know why you would, since it seems like a ludicrous question straight from the same ward that Nurse Mildred Ratched ran). If you must ask – www.etiolated.org – http://attrition.org/dataloss/dldos.html. That should be enough.
Reader Feedback
Wed, 2008-06-25 20:04
InfoSec Law - Lunatic Fringe
By Anonymous

Increasing information security in the USA is not going to happen while the current major political party remains in power. This party has excused itself from state law compliance (such as Texas state governmental workers being proofed from suit for purposely not redacting personal ID info), is in the process of excusing telcos from suit for playing along with its breaking of the constitutional requirement for court oversight of private individual monitoring, and is allowing banks to pass the onus of credit card security on to everybody else instead of implementing a better credit card system. In so many other ways, the major party is all about money at the expense of security, all about pushing FUD instead of true national security. Nothing is going to be fixed until the electorate elects them out of office for the good of all. They have had the power for too long. Even the FBI is noticing the corruption and is finally getting around to putting state lawmakers behind bars. There are plenty of Federal lawmakers who should likewise be put behind bars so that we can really be secure as a nation. Pushing for new laws isn't going to make a bit of difference until the lawmakers are forced to comply with current laws. After all, if the lawmakers are above the law, so are their supporters. To make their supporters, such as banks and businesses, adhere to the law, the lawmakers must be made to adhere to the law.
