More Security Regulations in Your Future?
Think you’ve seen the end of new regulations on IT? The RSA site lists 25 different regulations and that doesn’t include most of the state privacy laws. I think we are far from done with security regulation.
High-profile security meltdowns are going to prompt some agency or legislative body to make a move. The way I see it, there are four ways this could go:
1. A grassroots boycott of some retailer that loses millions of customers' credit card records prompts boards and C-level execs to better understand the true cost of poor security. (Pretty much a fantasy.)
2. Industry groups, like bankers associations, come down on members that violate credit card processing rules or try to skate by with insufficient security. This gives new hope to self-regulation. (Possible and probable to some degree, but will it be enough?)
3. Some kind of federal uber-legislation tries to encompass the patchwork of federal and state regulations. (Probable, but how effective such a law would be is the big question).
4. Nothing much happens and we continue to hear about losses of million-plus customer records. (I hope this is not the most likely.)
I think a combination of 2 and 3 will be the most effective as well as the most likely. What are others saying about this problem?
Bruce Schneier has argued that companies need to internalize the cost their poor security imposes on others. He is not a fan of regulation (he doesn't see much benefit in big-name regulations like SOX) and prefers liability laws instead:
A much better example [than SOX] is the credit card law that limits personal liability for fraud to $50. Before the law, credit card losses were an externality to credit card companies, so they didn't do all that much to improve security. After the law, we got online verification terminals, systems for card activation and data-mining systems to detect fraudulent spending patterns.
That's not enough for Ira Winkler, a former NSA analyst, who recently argued in ComputerWorld that the market-driven approach doesn't work:
Vendor hacks are the result of poor security on the part of the vendor and often lead to the theft of thousands, or millions, of credit card numbers, at once. The laws passed in this regard basically state requirements that vendors have to follow once data is stolen. However, they do not lay out computer security requirements. The hope is that if vendors have to act if their security fails, they will try to better protect themselves. All you have to do is browse Computerworld.com to see how well that's working.
Winkler goes on to advocate four things he says are needed:
1. ISPs and organizations with more than 100 users must filter scan and attack traffic.
2. ISPs and organizations with more than 100 users must block botnet-infected devices.
3. Make users responsible for losses due to outdated security software.
4. Promote efficient security software.
Now for your opinion. I'm interested in what readers think. Which outcome do you think is most likely? Which would be most effective? Post a comment below with your opinion.
Comments
While I hope that Mr. Schneier's vision will become our reality, I fear that Mr. Winkler's vision will materialize first. (After all, we have the vanguards of toothless, ineffective and publicly-funded intrusion rising to political power, to include a likely presidential win). In the end however, capitalism triumphs, and affecting the bottom lines of corporations that don't adequately protect themselves (and resultingly their customers), will likely have the most enduring effect - ...hopefully...
Posted by: Jim | February 8, 2007 12:42 AM
Here it comes... privacy protection legislation is introduced in the US Senate.
http://www.realtime-itcompliance.com/laws_regulations/2007/02/privacy_law_leahy_specter_file.htm
Posted by: Dan | February 8, 2007 12:21 PM