RealTime IT News

Gartner: National Data Breach Law Inevitable

WASHINGTON -- Congress is not going to ignore the spate of data breaches plaguing private enterprise and will pass new data protection laws, a Gartner analyst predicted.

Speaking at a Gartner IT security conference less than 24 hours after CitiFinancial admitted it had lost almost 4 million records with personally identifiable information, John Pescatore told a packed room that Congress is bound to respond with new laws.

"What will be the next Sarbanes-Oxley? It's going to be some type of identity theft or data security legislation," said Pescatore, a vice president and analyst at Gartner. "That's such a politician-friendly issue, it's the next big one coming."

CitiFinancial's revelation Monday only ups the pressure on lawmakers.

Pescatore urged the crowd to take advantage of the situation and not to let it become a "regulatory distraction."

"Any regulation brought to security is a two-way sword. It's really nice to have a regulatory stick to whap [executives] over the head with, because it forces them to recognize that we need to change some things and spend some money on security," he said. "The dangerous side is that it often distracts that spending towards reporting on compliance versus increasing security."

According to Pescatore, compliance does not equal security.

That line of thinking, he said, leads to "this hangover that says, 'Cool, we had a big party, and we spent all this money, and now we're compliant.' But, we didn't change anything. We didn't use [that money] to change anything to get more secure."

The result?

"We really focus on reporting and passing tests, and we have the same problem we have now," Pescatore said. "The real risk is that we are building these cultures where we look at these pages that say, 'We're compliant, we're compliant.'"

If any one of several bills pending before Congress becomes law, security officials will certainly be facing more regulatory compliance.

Sen. Dianne Feinstein (D-Calif.) is pushing legislation based on California's landmark disclosure law requiring any company or government agency to notify an individual in writing or by e-mail when it is believed that unencrypted personal information has been compromised.

Feinstein wants to take the California law one step further to also include encrypted data. The legislation proposes a civil fine of $1,000 per individual for failure to notify, or not more than $50,000 per day for as long as the failure to notify continues.