Senator Richard Blumenthal, D-CT, recently introduced legislation that seeks to set up a punitive model for regulatory protection of consumer data collected and maintained by the private sector.
The Personal Data Protection and Breach Accountability Act of 2011, which would apply to companies collecting data in excess of 10,000 customers, would mandate strict data governance and harsh penalties in the event of a consumer data breach.
"My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur," Blumenthal said.
Given that most companies already make an effort to avoid major data breaches, which are publicly embarrassing and may damage shareholder confidence, many experts in the field see the drafting of punitive measures as a mechanism for ensuring data security as misguided.
"Philosophically, companies ought to be doing this already. The devil is in the details with these laws. But there are a number of questions here. We've had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Second, these companies are already victims in these attacks, so why are we penalizing them after a breach? I think that's because it's easier to issue fines than it is to track down the criminals and go after them," said Computer Sciences Corporation's Mark Rasch, director of cybersecurity and privacy consulting.
Larry Clinton, President of the Internet Security Alliance, recently criticized a similar model of punitive regulations proposed in the Obama administration in the recently released cybersecurity strategy.
Clinton believes the proposal for expanding the regulatory framework for data protection is too heavy on non-productive mandates, and too light on market incentives.
"There's really no doubt that they have proposed here developing a fairly extensive regulatory structure and again that is precisely the opposite of what the president himself promised when he released the cyberspace policy review back in 2009," Clinton stated during a recent taping of C-SPAN's "The Communicators".
The administration's proposal is seen as long on defining federal authority, but short on providing incentives for the private sector to make the necessary investments in security technology and best practices.
"They are fighting the last war. The model they are using for dealing with the private sector is largely antiquated... This is a punitive model where we're trying to blame the victims of the attack. I don't think that the administration's proposal really does anything that I can see to enhance cybersecurity," Clinton said.
Punitive measures also reduce the likelihood that companies will make an effort to detect and mitigate security lapses, for fear of reprisal, further complicating the effort to share data breach and vulnerability intelligence.
ISA has consistently articulated its pro-market approach to cybersecurity through the two editions of its "Cyber Security Social Contract." When the Obama Administration released its cybersecurity policy paper, the Cyberspace Policy Review, the first document it quoted was the ISA Social Contract.
Then there is the issue of redundancy with some of the data security proposals, as some analysts believe there are already enough mechanisms in place to put the fear of regulatory reprisal in the hearts of corporate entities.
"The Federal Trade Commission already seems to do a good job of punishing privacy violators -- and it doesn't seem to need yet another law," said Gartner security analyst John Pescatore.