Regulations Can Only Do So Much to Protect Against Breaches (*Josh Shaul quoted)

IT Business Edge, By Sue Marquette Poremba, September 21, 2011

The next decade portends new threats that surpass those of years past in both intensity and impact. A few years ago, Massachusetts passed a state law that requires companies doing business within the commonwealth to notify customers of any security breach that could result in identity theft. The law is a good step forward, and if you read my blog regularly, you know that I think government needs to step it up when it comes to cyber security and user protection.

However, the recent announcement from Massachusetts shows that while it is great to have a law that promises consumers notification if their information is compromised, companies still need to step up and prevent the breaches in the first place. It has just come to light that nearly one out of every three Massachusetts residents has had his or her personal information compromised through data theft or loss since the beginning of 2010. As Josh Shaul, CTO at Application Security, told me, that may be the largest scope of criminal activity ever witnessed in this country’s recent history. He said:

“MA passed legislation (MA 201 CMR 17) in 2009 requiring organizations to better protect residents’ personal information. The spirit of that law is exactly on target, but with no proactive enforcement or oversight, the impact on real-world data security has turned out to be minimal. By implementing a program to randomly audit organizations’ compliance with MA 201 that will actually test the security controls in place around resident personal information, Attorney General Martha Coakley’s office would really make a dent in this problem. It’s likely that any such audit program would be easily self-funded by the fines the state could issue for non-compliance. That’s a win for the state, a win for the residents, and a program that makes clear that all organizations will face a cost for non-compliance, not just those that have been forced to disclose data breaches.”
