Forty-eight of the 55 US states and territories have some form of data breach law on the books. Most of them require companies to simply notify their customers if their data has been stolen and possibly sold to an online criminal gang in Eastern Europe.
The problem with that approach to regulating security is that it's reactive. By the time you get the letter in the mail, it's already too late.
But that's all changing now. New data encryption laws, and not just breach notification laws, are now making their way through state legislatures.
Data encryption laws, such as the ones in Nevada and Massachusetts, are designed to make it more difficult for the thugs roaming the wild, wild Web to steal your personally identifiable information (PII).
Personally identifiable information has many definitions, but basically, it's a combination of a person's first and last name, along with his or her Social Security number, credit or debit card numbers, user name, password, fingerprints, iris scans, address or telephone number.
The Massachusetts law is the de facto national standard, because it protects the personal information of all Massachusetts residents regardless of which state the data is stored and stolen in.
At the federal level, US Senator Patrick Leahy, D-Vt., has been trying to pass a federal data encryption law since 2005.
In November, Leahy's bill, with bipartisan support, advanced out of the Senate Judiciary Committee.
"The Personal Data Privacy and Security Act will establish a much-needed national standard for breach notification, and clear requirements for securing Americans' sensitive personal data," said Leahy.
If Leahy's bill passes in its current form, it would override state laws and become the new national standard.
But now it's up to Senate Majority Leader Harry Reid to schedule the bill for Senate floor time. Erin Skinner Cochran, Reid's Deputy Director of New Media, said the Senator has not decided whether or when Leahy's bill would make the schedule.
Get beyond mere compliance
Security experts warn against chasing the requirements of any particular law or regulation.
Lumension's Director of Marketing Chris Merritt said that legislatively "there's an awful lot happening," but he cautioned IT departments against embracing a checklist mentality towards security.
For example, in a much-publicized wireless network data breach, TJX Companies, Inc. succumbed to hackers who were stealing data off the retailers network for at least 18 months, and possibly for years. The company, Merritt said, had a checklist mentality towards security.
"You've got to move beyond mere compliance," Merritt said. It's wise to watch what's happening with legislation, but he said companies and organizations should plan on creating a good holistic security plan.
Massachusetts agrees. Its regulations, which went into effect on March 1, 2010, mandate employee training, regular security audits and a Written Information Security Plan.
That means if data is lost or stolen, and your organization can't provide proof of regulatory compliance, Massachusetts attorney general Martha Coakley might come knocking on your door with criminal charges and some hefty fines.
"The regulations do not provide a safe harbor from enforcement per se," Massachusetts attorney general spokesperson Amie Breton said. To be in compliance, she explained, the organization will have to properly and accurately notify consumers of the breach, and the company has to have effectively assessed its data risks.
The Commonwealth of Massachusetts defines encryption as "the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key."
To learn more about what it means to comply with these new data encryption laws, you might want to check out the National Institute of Standards and Technology's Federal Information Processing Standards publications. FIPS is a collection of documents outlining the standards for non-military governmental agencies, contractors and vendors who work with the agencies for storing and encrypting data.
But FIPS is heavy reading, and difficult to relate to real world threats.
Wyatt Kash is the editor-in-chief for Government Computer News. He said, "The problem for organizations trying to follow NIST's guidelines amid today's increasing cyber-threats is akin to confronting a raging new pandemic with an encyclopedic field guide to holistic health care."
An alternative to FIPS is the Consensus Audit Guidelines. This document establishes a baseline of 20 security measures and controls that all organizations should implement immediately.
The CAG is a subset of NIST guidelines compiled by a group of security experts from federal agencies, such as the National Security Agency and the Department of Defense, led by John Gilligan, former Air Force CIO.
The group's recommendations focus almost exclusively on technology solutions, and therefore are not a substitute for the much more comprehensive NIST guidelines. The CAG is a starting point for organizations that are reviewing or implementing a new security plan.
The new recommendations, Kash said, "provide a much-needed priority list of essential security strategies and step-by-step measures that reflect lessons learned from some of the country's most serious cyberattacks."
But whether you adhere to FIPS, or start with CAG, the bottom line for every organization is to secure your network, secure your data and train your employees as part of a broad security plan.
"If you focus on true security, as opposed to checkmark compliance," Merritt said, "you should have no difficulty complying with any state or federal laws."
Keith Vance is a software engineer and a journalist. He's been developing Web applications professionally since 1997, and he received his journalism degree from the University of Washington in 2008.