To (federally) regulate, or not to (federally) regulate: that is the question…

Over the past few months, the press has been discussing an increasing pressure to develop some form of government-mandated security breach notification infrastructure, and also reporting on whether the U.S. government will appoint a so-called “cyber czar.”

The immediate question that comes to mind is how a federal regulation would measure up against the plethora of state laws currently on the books. Interestingly, there are still several states that have not followed the California Act (SB-1286) that started it all in 2003. The residents of these states currently have no protection, and the Federal disclosure law would provide the coverage that they also deserve. While many state breach notification laws address electronically-stored data, the Federal law would likely be more encompassing of private information, regardless of how or where it is stored, as well as provide strict guidelines regarding how notification is handled.

Like any type of formal regulation, there are many arguments made for and against government control. Proponents cite the reduced cost and administrative overhead of complying with a single law rather than numerous overlapping state laws, and argue that there needs to be some form of oversight in order to be able to prosecute those who do not adequately control access to our personal information. Detractors fear that legitimate firms are being burdened with the cost of compliance, while businesses that are not staying within the confines of the law continue to find workarounds and ignore the directives anyway.

Always of interest to me, we will likely continue to see a range of companies that are truly interested in protecting themselves from the staggering costs of a breach, while others will do the least necessary in order to satisfy a “checkmark” on an auditor’s questionnaire. And with auditors interpreting laws on a server platform that many are still not familiar with, it will continue to be a game of cat-and-mouse between the regulators and the security officers.

Whichever argument you feel carries the most weight, the exponential growth of breach events over the past few years is likely to drive change. Expect 2010 to see more government control over how we react to those events, as well as discussion regarding the consolidation of existing data notification and data protection requirements. For those firms “lucky” enough to have avoided the requirement to comply with formal regulations, be forewarned that those days are probably numbered.
