According to the website datalossdb.org, there were a total of 436 publicly-disclosed breaches in 2009, down from the disastrous 717 in 2008. Does this decrease represent real improvement? No — simply the luck of the draw. It wouldn’t surprise me a bit if 2010 was a banner year for data breaches. Heck, we are only 4 days in and there have already been two reported breaches — one at Larch County Correction Center (OR) and one at the TSA here in Boston.
While I’m afraid 2010 may be an especially bleak year for cybersecurity, there is a bit of good news with regard to data breach legislation.
First, there is significant momentum for this issue on Capitol Hill. In December, HR 2221, the Data Accountability and Trust Act (i.e. the DATA Act) passed a House vote. Of course, the Senate is working on its own similar legislation — S.1490, the Personal Data Privacy and Security Act (sponsored by Senator Leahy D-VT) and its companion bill, S.139, the Data Breach Notification Act (sponsored by Senator Feinstein D-CA). The two bodies of Congress have to somehow merge these bills into some cohesive body of legislation but I do expect this to happen by the summer.
Data breach legislation is by no means limited to the United States. The EU is contemplating new legislation that would cover all member countries. Canada recently passed tougher criminal penalties for identity theft. The UK passed the UK Data Protection Act and recently backed up this legislation with guidelines for businesses and the public.
While these federal laws come to fruition, my home state of Massachusetts will finally enforce the most stringent data breach notification law to date, MA 201 CMR 17. Yes, this legislation has been delayed several times and watered down a bit, but it is still a milestone.
So what does all this mean?
- Data privacy and security will be front and center in 2010. You are bound to see much more public debate and mainstream news as data security, breach notification, and legislation gains traction.
- Federal legislation will be the legal equivalent of a 1.0 software revision. Expect the Feds to compromise with lobbyists, misunderstand security technology, and leave loopholes in bills. For example, it is my understanding that the House bill only covers private data in electronic form; so if I print and steal a report with 100,000 Social Security Numbers, it is not considered a breach.
- Compliance will continue to drive security spending as large organizations sort through new global legislation. ESG recommends that CISOs stay on top of developments and prepare for changes proactively.
- Lots more compliance rhetoric from the tech industry.
As for security breaches themselves, all of this legislation will be fairly ineffective in the short term — there are simply too many vulnerabilities and threats at this point. Nevertheless, more attention to data privacy and security is a welcome change since we’ve given these issues little more than lip service in the past. As long as we view legislation as progress and not a data security panacea, it can only help.
Tags: Cybersecurity, data security, Federal Government, HR 2221, MC 201 CMR17, S.139, S.1490
Anyone else here reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has a great chapter on security. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).