Those of us in the information security business have been hoping with each passing year that the “next year” would be the one in which our elected representatives recognize the threats to our privacy and actually DO something about it. I think we can now say with a fair amount of certainty that in 2010, we’ll get our wish.
On both sides of the Atlantic the public sector has recently taken concrete steps to protect our personal information. Here in the U.S. the Senate has passed not one, but two bills out of committee that would materially protect U.S. citizens from the effects of large data breaches. The first (S. 1490) is the Personal Data Privacy and Security Act, also known as the Leahy bill. The primary provision of S. 1490 prohibits the concealment of a data breach. The companion bill (S. 139) is the Feinstein Data Breach Notification Act. The Feinstein bill requires enterprises, both public and private, engaged in interstate commerce to notify American residents if their personal information is accessed during a known breach.
At roughly the same time, the Information Commissioner’s Office in the UK published a watershed document entitled the Guide to Data Protection. It is a very thorough examination of the UK’s Data Protection Act and what it means for both businesses and consumers. Besides being comprehensive it’s also written in the sort of plain English we rarely see from the public sector on either side of the Atlantic.
When you layer atop these two developments the provisions in the American economic stimulus bill that essentially provide a national breach law for healthcare information, it becomes clear that the landscape is changing very rapidly on the data protection front.
Phil Zimmermann predicted in 1991 that the commercial development of the Internet would put our privacy at risk from actors in the public and private sectors. As the statistics on DataLoss DB show, he could not have been more prescient. We’re now at the point where not a week passes without the disclosure of a material data breach somewhere in the world. So while I’m heartened by the actions of the public sector in both the UK and here in the U.S., it’s clear that actually protecting ourselves from the negative effects of the ongoing pandemic of breaches is going to require vigilance on all our parts.
I’ve written previously about steps you can take to prevent the loss of personal information both online and offline. Unfortunately, most of the world’s cybercriminals have concluded that conducting attacks on individuals is a very low-yield approach to collecting data with which they can perpetrate other profitable crimes. Most significant identity thefts now begin with the kind of data breaches that DataLoss DB tracks, and about which many of us are now receiving notifications from our credit card companies on a regular basis.
What this means is that taking the steps I outlined earlier, while still necessary, achieves less than it used to in protecting you from such crimes. Particularly with the advent of social networking platforms such as Facebook, there are now more large repositories than ever that cybercriminals can use to vacuum up large amounts of personal information.
As I said at the top, it would appear that 2010 is indeed the year that we get some of the legal protections required to protect our personal and sensitive professional information. This doesn’t mean, however, that the world is going to be a safer place for that information. If anything, more individual vigilance will be required to protect ourselves from the growing number and sophistication of the threats we all face each day.
At PGP Corporation we are committed to assisting our customers to address these threats and protect their confidential information. To learn how the PGP Encryption Platform achieves this protection in large and small enterprises, click here.