U.S. Data Security Laws: Is There Another SOX in your Future?

A recent Forbes feature, “The Year of the Mega Breach,” caught my attention last week. It includes a slideshow of 2009’s largest security breaches, and concludes that this year alone, more personal information was exposed through data breaches than ever before. The article appeared amid news about a T-Mobile data breach, and Health Net and Blue Cross Blue Shield admitting to losing patients’ personal information. A quick scan of SC Magazine’s Data Breach Blog reveals more breaches that occurred in November.

In the midst of this publicity storm of insecurity, the U.S. government has stepped up its focus on information security and privacy. Currently, two bills – the Data Breach Notification Act and the Personal Data Privacy and Security Act of 2009 – are making their way through Congress. The Senate Judiciary Committee passed both bills in early November, and they are now headed for a full Senate vote. The first bill is designed to protect consumers from having their personal information lost, stolen or exposed (similar to California’s landmark CA 1386 law). The latter bill establishes guidelines for protecting sensitive information and creates the Office of Federal Identity Protection inside the Federal Trade Commission.

It will be interesting to see whether one or both of the U.S. laws pass. Over the past 5 years, similar legislation has been proposed but failed to pass in the U.S. Congress. Proponents see great benefit in unifying various state breach notification laws into a single national law. Opponents fear the law imposes requirements that are too onerous for businesses to bear, in addition to creating more federal bureaucracy to oversee the mandate.

Given the number and frequency of data breaches, I believe that 2010 could be the year we’ll see a national privacy and security law in the U.S. There are clear benefits to simplifying and standardizing laws around data breach notification. The proposed bill will establish a single national standard to replace the patchwork quilt of state data breach laws (and will provide regulations for the few states that have no such legislation). And it will also establish some pretty stiff enforcements and penalties, which will satisfy those looking for real “teeth” in the law.

I have the least confidence in Congress’ ability to pass the Personal Data Privacy and Security Act. This law is more prescriptive than the Data Breach Notification Act. It would require all companies handling sensitive data to implement specific risk assessment and vulnerability testing measures (including controlling access to sensitive data, detecting and logging unauthorized access to that data, and protecting data both in transit and at rest). It also establishes a new office within the FTC to act as a watchdog.

Because the Personal Data Privacy and Security Act federally mandates security controls, it’s bound to be a lightning rod for debate. No one disagrees that companies need to put in place the necessary controls to prevent security breaches, but there is volatile disagreement over the role of the federal government in forcing companies to comply with specific security practices. Many will invoke Sarbanes-Oxley as an example of the ills of overly aggressive federal regulation of private industry. Proponents will point to the fact that businesses, left to their own devices, are not doing a very good job of guaranteeing security and privacy.

What do you think? Should laws mandate how companies address and prevent security breaches, or should companies be allowed to address these on their own?