President Obama announced that he would propose laws aimed at protecting data after a horrendous year in cybersecurity and data protection. Although not all the details are available yet, three new laws are being proposed. These laws will be addressed later this month at the president’s State of the Union. Already, information security experts are praising the attention President Obama is bringing to security issues with these proposals.
Among the proposals, the Personal Data Notification and Protection Act would require companies to notify customers that their information had been compromised within 30 days of the discovery of a data breach. Another proposal would bring back an upgraded version of the “Consumer Privacy Bill of Rights”, which gives internet users the right to control what data is collected and how their data is shared. The last proposed law is the Student Data Privacy Act, which will prohibit tech companies from profiting from data collected on students in schools.
Although those of us in the information security industry know this is going in the right direction, based on the information provided, this is not enough protection. Some believe that 30 days is too long, others that not enough security is being announced in these proposals, and all feel that this is falling short of where it needs to be. Many are hoping that Congress will create standards that companies will have to meet in order to collect personal information from consumers.
One state to note is New Jersey, which announced that it will require by law that patient health data be encrypted. Therefore, even if the data is stolen, it will remain encrypted no matter where it is. The bill states, “A health insurance carrier shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.”
Solutions such as digital rights management provide file-based security to prevent the exposure of sensitive, confidential and personal information to internal and external threats, as the data itself is protected throughout its whole life. The level at which this information should be secured should also be set by the government, as this will play a big role in securing personal data regardless of whether it is stolen.
All of us know that these laws will face very little to no opposition, because of the horrible year we just had in terms of data breaches. Isn’t it time to prepare in advance and protect your data now?
Photo Credit: Alan Cleaver