A friend asked me if I knew anything about Senate Bill S.495. I said no, but I could do a little research and get back to him. While I was researching S.495, I took notice of all of the other pending legislation relating to IT, and wondered how it would affect our industry. By my count, there are 24 House and Senate bills in some state of review. Keep in mind that these are only bills that I felt could directly affect the IT industry and have rippling effects in security. There are many other bills that could have some sort of impact as well. It would be impossible to fully comment on all 24 bills here; I'll focus on two in particular, S.495 and H.R.958, which are similar in nature.
S.495: Personal Data Privacy and Security Act of 2007
"A Bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personal identifiable information."
The heart of the bill requires an organization engaged in the collection of digitized or electronic personally identifiable information to have a personal data privacy and security program in place that ensures the privacy, security and confidentiality of sensitive information. Further, the program must protect against anticipated threats to the information as well as unauthorized access to it. The bill goes on to stipulate that organizations shall design a risk management and control program that includes: detection of attempted access to the information; training; vulnerability testing; and periodic assessment of the technology, threats, and changes in business arrangements.
H.R. 958: Data Accountability and Trust Act
"To protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach."
This bill requires organizations to establish policies for the collection, use, sale, dissemination, and maintenance of personal information. The regulation requires the identification of an officer, or individual, who is responsible for the management of the information; a process for identifying vulnerabilities; a process for taking preventive action against those vulnerabilities; and a process for disposing of obsolete data.
The impact on organizations that collect and use consumer information could be major. Small IT organizations will have to stretch their people and funds to meet regulatory compliance. Organizations that deal in large amounts of consumer data will need to hire more security and infrastructure people to meet the regulatory demand.
I feel that both of these bills are solid in principle and have been needed, and wanted, by both consumers and businesses for a long time. They provide protection for the consumer and guidance for businesses, and they set out a clear and level playing field, as there are few exceptions to the legislation. These bills are important to us as individuals and as security professionals. Take some time to review the bill information and contact your congressional representatives with your opinions.