RealTime IT News

Swindle: 'Somebody Has Got to Pay'

WASHINGTON -- Corporate America is acting irresponsibly in protecting consumer data, Orson Swindle of the Federal Trade Commission (FTC) said today. The payback for that irresponsibility, he predicted, will be painful.

In impromptu comments made during a think-tank panel discussion on international cyber crime, Swindle, a Republican FTC commissioner, took broad swipes at both private enterprise and Congress for their efforts on consumer data protection.

"Everybody's screaming, all the political figures up on [Capitol] Hill, about identity theft," he said. "It's not identity theft, it's the theft of information."

And, he added, in today's global, digital marketplace, that information is currency.

"While politicians raise hell about identity theft, what we're really talking about is the failure to protect valuable currency," Swindle said. "Corporate boards better start paying attention, because they haven't been."

The daily headlines of various data breaches, from ChoicePoint to Bank of America to several colleges and universities, he said, "indicates to me the industry has, to a great extent, been irresponsible, and somebody has got to pay."

He suggested the first people to pay might be corporate lawyers.

The lax data protection, according to Swindle, is "being driven in part by those general counsels who sit around and say, 'Be careful about what you promise in privacy and information security because you might get sued for it.'"

Swindle called that attitude irresponsible and said doing the right thing will minimize the problem.

"That is irresponsible. Do the right thing and we'll have a heck of a less problem," he said. "That'll give technology a chance to catch up and keep building better reinforcements in multi-layer defenses."

One of the right things to do, according to Entrust CEO Bill Connor, is a uniform national breach notification law to cover consumers exposed to possible ID theft.

Connor said he supports disclosure to consumers in breaches of both encrypted and unencrypted data. But, like most in the technology industry, Connor wants the notification law to exempt encrypted data breaches from liability lawsuits or penalties.

"Information is what people are after. All encryption does is put some locks on it, granted some pretty strong locks," Connor told internetnews.com. "If they have the right credentials, encryption won't stop them. If someone gets in and accesses that information, they have the credentials and you then, therefore, can manage and track [who did it]."

Encrypted data, according to Connor, takes away approximately 80 percent of the breach vulnerabilities of unencrypted data.

Liability for encrypted data breaches should be limited, or "non-existent," according to Connor, since the company "practiced good safekeeping. You've done duty of care."

Sen. Dianne Feinstein (D-Calif.) is proposing a national disclosure law with liability for both encrypted and unencrypted data breaches.

"Encryption 'safe harbor' provisions benefit not only consumers and citizens, but also provide incentives for business and organizations to provide greater security throughout their operations," Connor told the panel. "It is a win-win proposition, which ultimately benefits all parties involved."