It is one of the more unpleasant, yet increasingly common, experiences of the digital age: the notice from a company, employer, or public agency letting you know that your most personal and valuable information – Social Security number, credit card information, online passwords – may have been compromised in a security breach.
Congress is currently considering legislation that would make such notifications a federal requirement. Right now, 46 states and four U.S. jurisdictions have their own breach notification laws, but the requirements don’t always match up with one another. Industry groups want a single national standard, on the theory that complying with one law instead of 50 would be easier for all parties.
But David Thaw, a visiting assistant professor at the University of Connecticut School of Law and an expert on legal issues pertaining to information security, isn’t so sure that notification alone is enough. Last month, Thaw testified before a congressional committee, urging lawmakers not only to pass a national notification law, but to combine it with comprehensive information security requirements.
Thaw’s research, which will be published in 2014 in the Georgia State University Law Review, shows that such a combined approach is roughly four times more effective in protecting consumers from data breaches than notification requirements alone.
“If the federal government is going to pass a comprehensive law, it should adopt a standard that provides protection as well as notification,” says Thaw. “This is really an opportunity for us to be ahead of the curve.”
Notification laws are fairly straightforward. Comprehensive information security regulations are less well known, but they are already required in some sectors, such as health care. In practice, Thaw says, Congress wouldn’t write legislation that mandates specific security practices; it would instead give regulatory agencies broad authority to develop those practices in consultation with private industry.
“The legislation needs to be flexible, because not everyone in a given industry is going to have the same data security needs,” he says, using health care as an example. Both small, one-physician medical practices and huge metropolitan hospitals have to abide by information security procedures set up by the Health Insurance Portability and Accountability Act, better known as “HIPAA,” Thaw points out, but they don’t have to use the exact same practices.
“If my hometown doctor were to follow the same breadth and depth of information security procedures that Massachusetts General Hospital has to follow, my doctor would be out of business in a day because of the cost,” he says. “The law allows for that flexibility.”
Similar legislation could be drafted for other industries that collect and store sensitive data, Thaw says, and his research shows that such requirements make breaches less likely.
Ideally, such legislation would also go beyond what’s commonly understood as “cybersecurity” and address physical and procedural vulnerabilities as well. It may be less glamorous than devising software to thwart hackers, Thaw says, but it is just as important to have rules in place requiring that server-room doors stay locked and that employees keep sensitive documents in locked file cabinets.
“What Congress is considering, in terms of notification only, underestimates the amount of risk out there right now,” Thaw warns. “Not to be a doomsayer, but it’s important that we address not just the breaches that are happening now, but the breaches that could be happening very soon. Here’s an opportunity for us to be one step ahead.”