This week, in a speech at the Federal Trade Commission, President Obama called for the Personal Data Notification and Protection Act and the Student Data Privacy Act. Here to comment are a number of prominent security experts representing VASCO Data Security, Tripwire, Inc., and Voltage Security.
John Gunn, VP of Corporate Communications, VASCO Data Security:
“We applaud the efforts of President Obama. It’s hard to recall any other crime that has victimized so many millions of Americans without a significant response from the government on both a state and national level. These proposals should be welcomed by all Americans.
“The Personal Data Notification and Protection Act and the Student Data Privacy Act are important measures, and we support them. We would prefer to see a greater emphasis placed on preventing breaches and fraud rather than just informing the victims faster. In other industries, such as air travel and food safety, regulations are effective in averting tragedies instead of just making sure they are properly reported.
“The success of any new regulation really depends on two factors: the enforcement efforts and the penalties imposed. If the regulations don’t have teeth and some real bite to them, then they will be ineffective regardless of how honorable the intentions are.
“The SDPA is important, but we think people should be more concerned about criminals stealing the identities of students rather than pushing ads for songs and sneakers at them. As the shift to EMV makes it more difficult for hackers to steal and use credit cards, they will shift their criminal efforts to stealing identities. Unfortunately, students are relatively easy targets.”
Ken Westin, Senior Security Analyst, Tripwire:
“Although many states already have laws in place regarding breach notification, with federal legislation it will remove any doubt with regards to the notification periods. Particularly with the number of high profile breaches over the past year, many companies are reticent to notify consumers when credit card and other data are compromised, simply because of the effect it can have on the business, from loss of trust, lawsuits, fines and fees and other related expenses to clean up the mess after a breach occurs.
“It will be interesting to see how the government will enforce these new rules and if it will have any effect on companies seeking assistance from law enforcement when there is a breach.”
Mark Bower, VP of Product Management, Voltage Security:
“When the mechanics of the economy can be manipulated and gamed by attackers from adversarial nation states and crime rings, actions, not words, are needed to change the balance in asymmetric cyber-warfare in the United States’ favor. Despite the best prepared organizations using traditional IT defenses and controls, 2014 saw targeted attacks obliterate them, and the nation witnessed the theft of unprecedented volumes of private data with tremendous economic damage. Firms were held to ransom with threats of data exposure, and consumers were exposed, their lives and trust disrupted.
“Leading enterprises have demanded robust data-security technology to neutralize U.S. cybersecurity risks, and the industry has responded with powerful innovative data-centric solutions used today with great success. If this legislation is to be effective to encourage wholesale adoption, it must be aligned to modern innovations and methods with built-in agility in enabling an effective data-security defense strategy. Today’s attackers are agile innovators too, and nobody wants to be compliant to regulations at great cost but still be a sitting duck in the line of sight of their next new attack.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.