Swindle: ‘Somebody Has Got to Pay’


WASHINGTON — Corporate America is acting irresponsibly in protecting
consumer data, Orson Swindle of the Federal Trade Commission (FTC) said
today. The payback for that irresponsibility, he predicted, will be painful.


In impromptu comments made during a think-tank panel discussion on
international cyber crime, Swindle, a Republican FTC commissioner, took
broad swipes at both private enterprise and Congress for their efforts on
consumer data protection.


“Everybody’s screaming, all the political figures up on [Capitol] Hill,
about identity theft,” he said. “It’s not identity theft, it’s the theft of
information.”


And, he added, in today’s global, digital marketplace, that information is
currency.


“While politicians raise hell about identity theft, what we’re really
talking about is the failure to protect valuable currency,” Swindle said.
“Corporate boards better start paying attention, because they haven’t been.”


The daily headlines of various data breaches from ChoicePoint to Bank of
America to several colleges and universities, he said, “indicates to me the
industry has, to a great extent, been irresponsible, and somebody has got
to pay.”


He suggested the first people to pay might be corporate lawyers.


The lax data protection, according to Swindle, is “being driven in part
by those general counsels who sit around and say, ‘Be careful about
what you promise in privacy and information security because you might get
sued for it.’”


Swindle called that attitude irresponsible and said doing the right thing will minimize the problem.


“That is irresponsible. Do the right thing and we’ll have a heck of a less
problem,” he said. “That’ll give technology a chance to catch up and keep
building better reinforcements in multi-layer defenses.”


One of the right things to do, according to Entrust CEO
Bill Connor, is a uniform national breach notification law to cover
consumers exposed to possible ID theft.


Connor said he supports disclosure to consumers in breaches of both
encrypted and unencrypted data. But, like most in the technology industry,
Connor wants the notification law to exempt encrypted data breaches from
liability lawsuits or penalties.


“Information is what people are after. All encryption does is put some locks
on it, granted some pretty strong locks,” Connor told
internetnews.com. “If they have the right
credentials, encryption won’t stop them. If someone gets in and accesses
that information, they have the credentials and you then, therefore,
can manage and track [who did it].”


Encrypted data, according to Connor, takes away approximately 80 percent of
the breach vulnerabilities of unencrypted data.


Liability for encrypted data breaches should be limited, or “non-existent,”
according to Connor, since the company “practiced good safekeeping. You’ve
done duty of care.”


Sen. Dianne Feinstein (D-Calif.) is proposing a national disclosure law with
liability for both encrypted and unencrypted data breaches.


“Encryption ‘safe harbor’ provisions benefit not only consumers and
citizens, but also provide incentives for business and organizations to
provide greater security throughout their operations,” Connor told the
panel. “It is a win-win proposition, which ultimately benefits all parties
involved.”
