Are corporate security groups more interested in protecting us or their bottom line?
Personal Data Breaches Hit Record High

By Cliff Montgomery – Jan. 3rd, 2007

After reaching a record high on data breaches, the Cyber Security Industry Alliance (CSIA) is calling on the new Congress to enact comprehensive legislation that will better secure sensitive personal information.

According to the Privacy Rights Clearinghouse, the number of Americans whose personal data has been compromised has reached a new milestone: 100 million, or more than one-third of the population.

"I actually don't think the news is that it hit 100 million, but why we haven't passed legislation to do something about it," Vontu CEO Joseph Ansanelli, who testified on Capitol Hill during hearings on data protection last year, told National Journal magazine.

"The time is now to establish a single standard for securing citizens' personal information, regardless of whether it is housed within federal, state or local government, private sector or educational institutions," added Paul Kurtz, the executive director of CSIA.

According to the National Journal, Kurtz left CSIA at the end of 2006 for a private consulting firm. Liz Gasster has taken over as CSIA executive director, and will be the one to continue the lobbying effort in 2007 for a comprehensive data-security bill based on five key elements.

Gasster said it is critical to protect the data of private citizens, whether that data is held by a financial institution or a government agency. Another goal is to no longer merely notify victims of data theft after breaches, but to prevent data loss in the first place by employing more stringent security standards. Gasster added that federal law should also pre-empt state regulations, so that the financial or health industries do not face two potentially different laws – a just sentiment, though why private citizens of every stripe apparently should not be given the same courtesy is something Ms. Gasster did not immediately make clear.

Gasster also argues that businesses and government agencies should be freed from liability if they take precautions like encryption. Of course, this would seem to leave open the question of whether the encryption used could be considered reasonable and adequate – in previous government reports, a number of agencies were found to only partially encrypt data, for instance.

While Congress discussed a half-dozen legislative fixes, it appears that debate has stalled over which bill ultimately should prevail.

Gasster's opinion is that the strong data-protection measures which were inserted into an omnibus bill for the Veterans Administration (VA) are too stringent. She claims the bill has two big problems:

– The broad definitions of "personal information" and "data breaches," which Gasster claims "includes any information about an individual, including just the name alone," adding that a telephone book would technically violate the new Veterans Administration law. She said it should define personal data based on a combination of information that could be useful to thieves.

– She also believes that under the current VA law, the definition of "data breach" could include a list of names that ends up in the trash but still would have to be reported. "It could set a bad precedent," Gasster said.

But there may be problems with Gasster's thesis.

Ms. Gasster is surely an able executive director of a major private security corporate alliance, but she is by definition putting forth the corporate mindset here – what is surely best for the corporations, but not necessarily best for you and me.

Consider for instance her first argument: that a list of names from a database means no more than the list of names found in a simple phone book. What Gasster fails to mention is that the names in a phone book are in no certain way customers of any particular business or government agency, whereas people whose names are on a list obtained from, say, Business X are sure to have some vital connection to that business, be they customers or employees. Such information is just what data thieves search for when they are looking to assume another's identity, or when they wish to discover personal information about a particular individual.

So while we indeed must work to lower the number of data breaches, we must also ask: are corporate spokespeople more interested in our security, or their bottom line?