Comments
Sensitive Data: What Constitutes 'Reasonable Protection'?
Drew Conry-Murray
User Rank: Ninja
4/22/2014 | 10:45:41 AM
Legislate outcomes, don't mandate requirements
I think it's useful to have organizations like NIST provide guidelines that companies can use, but I'd rather have the federal government provide very clear rules that mandate the protection of customer data, and the potential penalties for failure (fines, lawsuits, etc.), instead of trying to tell companies how to protect customer data. You can mandate all the security requirements you want: organizations will still get breached. Rather than make companies jump through regulatory hoops to demonstrate compliance, set clear penalties for failure, and then organizations will put their efforts into protection and response rather than trying to play "find the loophole" or "satisfy the auditor."
RobPreston
User Rank: Author
4/22/2014 | 11:42:31 AM
Re: Legislate outcomes, don't mandate requirements
Drew, I'm sure you're thinking what I'm thinking: Telling companies HOW to reach an outcome rather than punishing them for not reaching the desired outcome smacks of PCI, which has become a dance around the auditors.
Drew Conry-Murray
User Rank: Ninja
4/22/2014 | 11:54:37 AM
Re: Legislate outcomes, don't mandate requirements
PCI was very much on my mind when I was writing that response.
Lorna Garey
User Rank: Author
4/22/2014 | 11:58:58 AM
Re: Legislate outcomes, don't mandate requirements
Exactly, but the key is to make the penalties have teeth. We've all heard about HC firms that would rather pay HIPAA fines, if they ever are caught, because the fines cost significantly less than being compliant. The penalty should be a percentage of company earnings so that the amount scales and dings large and small equally, plus mandates to offer credit monitoring services.
WKash
User Rank: Author
4/22/2014 | 1:03:21 PM
Re: Legislate outcomes, don't mandate requirements
Thanks for weighing in on this, Drew. I think you're half-right: Government should set penalties for failure to protect data. But I believe -- and I think most in industry believe -- that Government shouldn't be in the business of setting "rules that mandate the protection of customer data" as you suggest, in part because history has shown that rules fail to keep up with the rapid changes in technology (and the products/services that evolve from them). I do agree that focusing on outcomes, not compliance, is the better way to go.
Drew Conry-Murray
User Rank: Ninja
4/22/2014 | 1:35:51 PM
Re: Legislate outcomes, don't mandate requirements
Hi Wyatt,

Thanks for the comment. I think I was a bit inarticulate. I don't want the government to set the requirements for how to protect the data, because you're right, technology changes faster than the government can keep up with.

I want the government to say "You have a legal obligation to protect customer data" and "you have a legal obligation to publicly report the unauthorized exposure of customer data" and pretty much leave it at that. If companies fail in either of those obligations, that would open them to repercussions.
WKash
User Rank: Author
4/22/2014 | 1:59:07 PM
Re: Legislate outcomes, don't mandate requirements
Thanks, Drew, for clarifying that. I think how you put it: "(Companies) have a legal obligation to protect customer data" and "have a legal obligation to publicly report the unauthorized exposure of customer data" -- is on the money.

One of the big challenges that remains is determining when and whether companies are legally at fault when data is breached -- as it inevitably will be -- and how to assess the penalties. One of the things the cybersecurity framework does, at least, is establish minimum security measures across industries on which to build a case for critical infrastructure protection. We still need a comparable document for consumer data protection.
BobH088
User Rank: Apprentice
4/23/2014 | 9:16:17 PM
security solution
One of the most common causes of data getting into the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel, like my phone, passport and luggage, after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.