New Nationwide Breach Law Could Force Data-Centric Security Push

The surge in high-impact data breaches in the first half of 2011 -- and its resulting attention from consumers -- is increasing the pressure on federal lawmakers and regulators to introduce nationwide data breach disclosure and protection laws.

Though no one is sure what its final language might say, a federal law requiring companies to disclose their breaches has a better chance of passing this year than ever before. Experts believe that enterprises will need to bolster data-centric protection policies and monitoring programs to ready themselves.

"It’s likely that any national data breach law will attempt to directly address data security," says Josh Shaul, CTO for Application Security Inc., a database security tool vendor. "This will force organizations to change today’s perimeter-focused IT security model to pay much more attention to protecting sensitive information where it lives in databases and file systems."

Making the biggest waves last week was Sen. Patrick Leahy's introduction of the Personal Data Privacy and Security Act, which, among other provisions, would criminalize the cover-up of a data breach. If such a law introduces federal criminal charges against enterprises that do not disclose breaches in a timely manner, then some experts believe monitoring of account activity and potential breach signs would likely grow in importance.

"It certainly would up the ante on monitoring and collecting the information that shows a breach is in process," says Scott Crawford, analyst for Enterprise Management Associates. "There has been so much focus predicated on prevention without recognizing how and where they've already been penetrated. That may change."

More important, Shaul says, many organizations might be compelled to work on their foundational policies and start moving their security focus away from network defenses and toward more data-driven protection.

"To prepare for a bill with more regulations, organizations need to establish a documented framework or policy for how they will secure their data. That’s likely the first thing regulators will expect," Shaul says. "For example, organizations should take a look at NIST 800-53. This is the current federal standard and will likely be the basis for any standards that impact commercial business."

While the prospect of a national data breach law might seem daunting, some believe it could be a relief to many organizations forced to wade through a patchwork of state regulations. A nationwide law could actually bring "sanity" back to the regulation of data protection and breach disclosure, says Rick Dakin, CEO of Coalfire Systems, an IT audit and compliance firm.

Dakin believes that while early state disclosure laws catalyzed improvements in security practices, the evolution toward more prescriptive laws, like the Massachusetts Data Privacy Law, has muddied the waters on what is and is not required of enterprises.

"We went from companies being negligent to some states starting to overreach," Dakin says. "[New laws] would give businesses a fighting chance. "

Instead of reinventing the wheel, a federal law could stipulate that protection regimens be focused on complying with existing regulations in verticals with established best practices -- for example, PCI DSS for retail and credit card processors or the Hi-Tech Act for health care.

"If you're in one of those industries, that industry already has defined what reasonable controls are," Dakin says. "Then you can just hold them accountable to what the industry has decided. For everybody else, my guess is that [a national law is] going to back off the Massachusetts plan that stipulates you have to specifically do this or that, and you're going to have more process-driven statements -- such as you must analyze your risks, adopt appropriate controls, and measure and maintain those controls."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.