Gartner: National Data Breach Law Inevitable

WASHINGTON — Congress is not going to ignore the spate of data breaches

plaguing private enterprise and will pass new data protection laws, a Gartner analyst predicted.

Speaking at a Gartner IT security conference less than 24 hours after

CitiFinancial admitted it

had lost almost 4 million records with personally identifiable information,

John Pescatore told a packed room that Congress is bound to respond with new

laws.

“What will be the next Sarbanes-Oxley? It’s going to be some type of

identity theft or data security legislation,” said John Pescatore, a vice

president and analyst at Gartner. “That’s such a politician-friendly issue,

it’s the next big one coming.”

CitiFinancial’s revelation Monday only ups the pressure on lawmakers.

Pescatore urged the crowd to take advantage of the situation and not to let

it become a “regulatory distraction.”

“Any regulation brought to security is a two-way sword. It’s really nice to

have a regulatory stick to whap [executives] over the head with, because it forces

them to recognize that we need to change some things and spend some money on

security,” he said. “The dangerous side is that it often distracts that

spending towards reporting on compliance versus increasing security.”

According to Pescatore, compliance does not equal security.

That line of thinking, he said, leads to “this hangover that says, ‘Cool, we

had a big party, and we spent all this money, and now we’re compliant.’ But,

we didn’t change anything. We didn’t use [that money] to change anything to

get more secure.”

The result?

“We really focus on reporting and passing tests, and we have the same problem

we have now,” Pescatore said. “The real risk is that we are building these

cultures where we look at these pages that say, ‘We’re compliant, we’re

compliant.'”

If any one of several bills pending before Congress becomes law, security

officials will certainly be facing more regulatory compliance.

Sen. Dianne Feinstein (D-Calif.) is pushing legislation based on California’s

landmark disclosure law requiring any company or government agency to notify

an individual in writing or by e-mail when it is believed that unencrypted

personal information has been compromised.

Feinstein wants to take the California law one step further to also include

encrypted data. The legislation proposes a $1,000 per individual civil fine

for failure to notify or not more than $50,000 per day while the failure to

notify continues.

News Around the Web