As news about the iPhone’s location tracking reminds us, data privacy is important. Certainly, with virtually our entire lives digitized today, knowledge regarding the use of data is critical. But Sony has provided us with a sobering reminder: Giving data to a large company and having it stolen are two different things.
Hackers are a lot less trustworthy and a bit more cavalier with data than Steve Jobs. Yet Congress seemed squarely focused on taking a bite out of Apple in the Senate Judiciary subcommittee hearing on Tuesday. This makes little sense: Data insecurity will do much more harm to individuals, businesses and our government.
By focusing on privacy and not security, all Congress will ensure is that we know what information has been stolen. Wouldn’t it be better if the information was never stolen? To paraphrase business professor Aaron Leventhal, “Data is like a bikini. What it reveals is suggestive, but what it conceals is vital.”
Consider all the personal information stored by entities from retailers to the Internal Revenue Service. While it is important to know what information they have and how they use it, imagine the impact if any of that information were stolen. Large private firms such as Sony, Heartland Payment Systems, Epsilon, RSA and Google all have experienced significant breaches at the hands of private and government-sponsored hackers. Nations continue to reel from Pvt. Bradley Manning’s purported file disclosures to WikiLeaks.
Yet Washington politicians seem focused elsewhere. Sen. John Kerry, Massachusetts Democrat, and Sen. John McCain, Arizona Republican, have proposed a Computer Privacy Bill of Rights to compel companies to explain the data they collect on consumers. On May 1, Rep. Darrell Issa, California Republican, conducted hearings to determine if, by using iPads, “administration employees could ‘circumvent’ federal law on presidential record-keeping.”
Privacy is important. However, the more immediate concern must be stopping cybertheft. Financial Times reporter Joseph Menn estimates that hacking has become a $1 trillion industry specializing in the theft of intellectual property and data, bank fraud and more. Yet Washington conducts hearings on archiving?
In the past year, something occurred that few noticed outside those in the software-security field. The number of credit card records stolen dropped from 170 million in 2009 to just 13 million in 2010. Simultaneously, according to the Verizon Data Breach Report, the number of cyber-attacks increased fivefold. So how did this huge drop happen?
There are many reasons, but one significant factor is that the credit card industry decided to take action and created standards for security. This mandate, the payment card industry’s Data Security Standard (DSS), has quickly proved its effectiveness since initial implementation in 2004. During this time, compliant organizations experienced a much lower rate of data breaches, while those that were not compliant suffered many more.
What are the lessons for Washington? First, allowing industry to come up with its own solutions is possible; certainly here, private regulation worked. Second, the industry’s framework should be adopted as part of a larger federal data privacy and security initiative. It’s already the de facto standard in many states such as Nevada and Ohio. In the private sector, federal health insurance auditors are starting to use the standard as a model to protect patient data. The trend has gained momentum, and any data legislation proposed by Washington will have to accommodate the DSS’ growing footprint.
Much of the reason for the success of the payment card industry standard is that it is an industry-imposed, self-enforced standard. As such, it is far more flexible than any legislative act. Because hackers are, by definition, early adopters, the standard’s organic approach enables it to be adjusted constantly as cybertheft evolves. Not only that, it also uses both prescriptive, upfront requirements and a punitive approach that takes away the ability to process credit card transactions. By contrast, most regulations, especially recent legislative proposals, emphasize only a punitive approach - a method that enables companies to game the system. They simply can risk a breach without having put in place the basic elements of cyberdefense. The industry’s prescriptive method makes this much tougher.
Data security is a critical issue - one likely to continue to dominate news stories as cybercriminals continue to have their way. If Congress wants to avoid being left behind, it must focus on the critical issue of hackers and insiders and on what already is working to mitigate that threat. The Data Security Standard is an established system that works well - one that several industries and states already have embraced and that would give a quick and effective data security framework. Congress should acknowledge the precedent and results already in place and ensure that citizen data is secure immediately by applying the DSS model to all federal agencies and also to legislation.
Rob Rachwald is the director of security strategy at Imperva. Robert Bird is a professor of law and business at the University of Connecticut.