Fed Regulation of Private Data MulledHouse Cyber Panel Chair Suggests a National Data Breach Law
Rep. Yvette Clarke, the Brooklyn, N.Y., Democrat who chairs the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, says she hopes to hold hearings on what she calls the National Data Breach Law either later this year or in early 2010.
"There is no way that we can, giving the evolving nature of data breaches, not (to) regulate, bring some uniformity to our expectations on how data is managed, dealt with and stored," Clarke said in an interview with GovInfoSecurity.com on Friday. "Everyone has come to that realization."
Year after year, the number of data breaches have soared. In 2005, the Identity Theft Resource Center reported 157 breaches with 66.85 million records exposed. In 2009, through last Tuesday, the center reported 407 breaches and nearly 220.6 million records exposed.
Sensitive to the concerns of business about regulation, Clarke said the private sector must be involved in crafting data regulation, and sees her panel or the full Homeland Security Committee holding a series of hearings on the topic to solicit the views of government officials, business leaders and academics.
Clarke said that any law or regulation should not hamper innovation, but feels the public is clamoring for the government to act to protect data and systems from criminals and adversaries. "It's just looking for best practices, and what makes sense so that we don't inhibit or dampen innovation, and expectations, quite frankly, of the public, of what they come to utilize in their daily lives."
Details to Come
The congresswoman said it is too early to provide details on the proposed legislation - that's the purpose of hearings, she noted - but said the legislation should cover the way data is retrieved, transmitted, intercepted and stored.
First, though, Congress should consider updating the 7-year-old Federal Information Security Management Act that regulates how the federal government secures its data and systems, saying that government, business and academic leaders she met with earlier Friday suggested FISMA reform could provide a framework for wider data regulation.
A bill introduced by Sen. Tom Carper, D.-Del., last spring known as the United States Information and Communications Enhancement Act, or U.S. ICE, would reform FISMA with the aim of replacing so-called paper compliance with real-time metrics to judge the security of government IT systems.
Richard Hunter, a fellow and vice president at the IT advisory firm Gartner, sees government regulating some aspects of IT -- including companies involved in finance, health, welfare and safety -- occurring between 2012 and 2015. "Regulating IT products and services for quality and for security is a fairly complex issue," Hunter said in a recent interview. "It is difficult to be precise about this. It is like what Hemingway said about failure, it happens slowly and then all at once.
"I anticipate that we will see a continuing drumbeat coming from public representatives leaning toward an environment in which regulation is a possibility and then something occurs to push it over the edge and you have got regulation."
Stanton Sloane, chief executive officer of the information services firm SRA International, agrees that government regulation of IT is likely to come in the next half decade, though he doesn't like the idea. "Probably, what will happen is that it will get to the point where there will be a call for government involvement," Sloane said. "There will be some crisis or some disaster, something will shut down the electrical grid for a couple of days or something that will trigger a response; that's certainly feasible. The current environment seems to be more government regulation on things than less."
Still, he questions the effectiveness of government regulation on the private sector, questioning the ability of the government to enforce it. "Like everything else, too much regulation is not helpful," Sloane said. "First of all, too much regulation won't solve the problem. You can regulate whatever you want, but if people aren't able to comply with it or be knowledgeable enough to comply with it, it is kind of pointless."