Eric Ogren is spot on regarding prescriptive data breach legislation going into effect for Massachusetts and Nevada.
Mass., Nev. data protection laws wrong, ineffective
To quote:
These state regulations represent exactly the wrong kind of laws to be passing, but legislators compelled to take on identity theft seem intent on establishing legal requirements for technical solutions.
While Nevada Revised Statutes Title 597, Section 970 (NRS 597.970) calls for personal information to be encrypted when transferred over public networks, Massachusetts 201 CMR 17 Standards for The Protection of Personal Information of Residents of the Commonwealth is even more encompassing. When MA 201 CMR 17 goes into effect in January of 2010, all non-government entities that handle personal information must document and follow a set of security procedures that appears to have been heavily inspired by the PCI DSS.
The security industry can't agree if servers, networks or laptops are the most vulnerable to attack. It is hard to imagine any government regulation dictating how to secure data being enforceable and effective. Government should be looking towards legislating behavior, perhaps extending existing frameworks for fraud, trespassing and trafficking across state and national borders...
Small and midsized organizations have the greatest problems complying with prescriptive "how to" regulations as investments in a complex technical infrastructure can drive the overhead costs per business transaction through the roof. They simply seldom have the skills necessary to fulfill the requirements of the statutes.
I agree. In short, bad regulation begets bad regulation: Massachusetts has modeled its rules on a PCI DSS-style checklist and written that checklist into law. Worse, legislators appear to be enamored with prescriptive mandates because they are the path of least resistance; it is tempting simply to tell everyone what to do about data protection and then audit against the rule.
Prescriptive regulation may indeed be the path of least resistance - the allure is compelling, no doubt - but it is also historically the path of least effectiveness and the progenitor of unintended consequences, unacceptable cost, and perverse incentives.
Massachusetts and Nevada legislators should know better. It is a shame they do not.