WASHINGTON — Congress is not going to ignore the spate of data breaches
plaguing private enterprise and will pass new data protection laws, a Gartner analyst predicted.
Speaking at a Gartner IT security conference less than 24 hours after
CitiFinancial admitted it had lost almost 4 million records with personally
identifiable information, John Pescatore told a packed room that Congress is
bound to respond with new laws.
“What will be the next Sarbanes-Oxley? It’s going to be some type of
identity theft or data security legislation,” said John Pescatore, a vice
president and analyst at Gartner. “That’s such a politician-friendly issue,
it’s the next big one coming.”
CitiFinancial’s revelation Monday only ups the pressure on lawmakers.
Pescatore urged the crowd to take advantage of the situation and not to let
it become a “regulatory distraction.”
“Any regulation brought to security is a two-way sword. It’s really nice to
have a regulatory stick to whap [executives] over the head with, because it forces
them to recognize that we need to change some things and spend some money on
security,” he said. “The dangerous side is that it often distracts that
spending towards reporting on compliance versus increasing security.”
According to Pescatore, compliance does not equal security.
That line of thinking, he said, leads to “this hangover that says, ‘Cool, we
had a big party, and we spent all this money, and now we’re compliant.’ But,
we didn’t change anything. We didn’t use [that money] to change anything to
get more secure.”
The result?
“We really focus on reporting and passing tests, and we have the same problem
we have now,” Pescatore said. “The real risk is that we are building these
cultures where we look at these pages that say, ‘We’re compliant, we’re
compliant.’”
If any one of several bills pending before Congress becomes law, security
officials will certainly be facing more regulatory compliance.
Sen. Dianne Feinstein (D-Calif.) is pushing legislation based on California’s
landmark disclosure law requiring any company or government agency to notify
an individual in writing or by e-mail when it is believed that unencrypted
personal information has been compromised.
Feinstein wants to take the California law one step further to also include
encrypted data. The legislation proposes a $1,000 per individual civil fine
for failure to notify or not more than $50,000 per day while the failure to
notify continues.