Regulations Can Only Do So Much to Protect Against Breaches

Sue Marquette Poremba

A few years ago, Massachusetts passed a state law that requires companies doing business within the commonwealth to notify affected customers of any security breach that could result in identity theft.


The law is a good step forward, and if you read my blog regularly, you know that I think government needs to step it up when it comes to cyber security and user protection. However, the recent announcement from Massachusetts shows that while it is great to have a law that promises consumers notification if their information is compromised, companies still need to step up and prevent the breaches in the first place.


It has just come to light that nearly one out of every three Massachusetts residents has had his or her personal information compromised through data theft or loss since the beginning of 2010. As Josh Shaul, CTO at Application Security, told me, that may be the largest scope of criminal activity ever witnessed in this country's recent history. He said:

MA passed legislation (MA 201 CMR 17) in 2009 requiring organizations to better protect residents' personal information. The spirit of that law is exactly on target, but with no proactive enforcement or oversight, the impact on real-world data security has turned out to be minimal. By implementing a program to randomly audit organizations' compliance with MA 201 that will actually test the security controls in place around resident personal information, Attorney General Martha Coakley's office would really make a dent in this problem. It's likely that any such audit program would be easily self-funded by the fines the state could issue for non-compliance. That's a win for the state, a win for the residents, and a program that makes clear that all organizations will face a cost for non-compliance, not just those that have been forced to disclose data breaches.

Organizations have to step up their efforts to protect their data, he added. If that doesn't happen, Shaul expects that the number of people whose data is breached will only increase.


According to the attorney general's office, 1,166 notices have been received since January 2010, with nearly 500 notices coming between January and August of this year.


At least the people of Massachusetts - and the attorney general's office - have a law in place where notification is required. If there is no regulation in place, what incentive do businesses have to incorporate better security methods for the data they store? As Beth Givens, director of the Privacy Rights Clearinghouse, pointed out in an article at, consumers don't have a lot of options available to them when their information gets compromised. They can sue, but it doesn't get them far because it is hard to prove they were harmed by that specific compromise. The article added:

Givens said that laws like the one in Massachusetts are the next best thing. They force companies to publicly acknowledge the problem and take action to upgrade their security policies.

It would be nice, though, if they would step up the security policies before the breach.

Comments

Sep 21, 2011 5:28 AM Amber N. Yoo, Privacy Rights Clearinghouse says:

Great points, Sue! We agree! We've been tracking breaches since 1995 -- you can see all our data here:

