There is an interesting article here that describes the impact of data breach laws. The article rightly credits the California data breach law with starting the ball rolling on requiring companies to disclose security breaches; to date, 43 other states have followed suit. And in the five years that these laws have been in existence, the PII of a reported (that is, disclosed) 245 million individuals has been exposed.
The article calls into question whether the data breach laws are having any impact on reducing identity theft, and it cites a study by Carnegie Mellon researchers that compared the incidence of identity theft in states with and without security breach laws in place. The study concluded that there was little actual difference.
I can't quibble with the conclusion, nor with the study results, but I do think there is a different point to be made: the existence of these laws has (IMHO) caused companies to "raise the bar" on information security, spending more to protect critical IT assets and to protect our PII. That is not to say that companies or industries are where they need to be in terms of providing adequate security, but the existence of the laws has helped. No organization wants to be sending out those letters to its customers that start "We're sorry to inform you..."
Think about all of the breaches now being reported that have to do with lost laptops, tapes, and USB drives. Encryption solutions for this market segment are a big deal now, as they should be. Now rewind about five years. Were laptops going missing back then? Sure. Did companies spend much on securing the data on those devices then? Not so much. Pre-breach laws, the problem was pretty much swept under the rug. Disclosure, or the threat of it, forces companies to be more responsible, and it probably helps get senior management a little more focused on spending adequately on IT security.
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.
Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry's first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.
He holds a B.S. in Marketing from Southern Illinois University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com