IPcentral Weblog
  The DACA Blog

Sunday, July 2, 2006

More on Data Security Breaches

A thought on the spate of silly data regulation bills floating about the Hill: any legislator proposing data retention rules for private industry should think about what it would mean to adopt those same rules for his party's next set of political campaigns. Only contacting voters who have agreed in advance to be contacted, and so on. Storing records of all their contacts with voters...

A comment from reader Michael Aisenberg of Verisign on foolish data retention legislation:

This will sound like old hat to those following ABA Info Sec or other lists where the data breach issue has been percolating since Sen. Feinstein's ill-advised 2005 draft bill. I agree with Solveig's conclusion without reservation. An EU-style data retention requirement, without other elements in an overall data custody architecture, would add fuel to the civil liberties portion of the debate without meaningfully impacting the data custody practices obligations of data custodians.

And that, I believe, is the real issue. The silly preoccupation with "breach notification" is tantamount to locking the barn door after the horses are out. For those who don't watch their barns, breach notifications, like GLB credit card bill insert mailings, MAY be useful information.

But in an eCommerce environment where most barns don't even have doors, the first obligation ought to be "building stronger barns"... We all know that PII in the wild can be abused. But we also know that a headline of "25 million veterans' SSNs compromised" (untrue when it appeared) sells more papers than "25 million veterans' bit streams embedded on a hard drive recovered with no access when laptop returned by fence". Yet for over a year, the eMedia's preoccupation has been with the (unsubstantiated) epidemic of "data breach" (losses of apparent custodial control over PII) and the threat that this will produce a companion epidemic of identity abuse and other bad acts (no evidence of much of that linked to all the noticed "data breaches", either).

If we wish to have more reliable and less fretful electronic commerce and electronic government, we must adopt a systemic approach to the deposit, transmittal, storage and custodial control of PII (and other valuable data). That means better data custody practice, end to end, not just "breach notification." Only the latest versions of House Commerce legislation on the subject come remotely close to reflecting the industry consensus on this important point, rather than dwelling on California's dubious "breach notification" model. Some might argue that the rush to the Congressional and state bill hoppers after the initial 2005 breaches is evidence of the sorry axis-of-banality between the uninformed press covering these events and the less informed legislative staffers pandering to them and hapless constituents. I am not sure why we see silly legislation in the technology area so often today. We used to see important, valuable legislation: R&D tax credit; Cooperative Research Act of 1984; Patent-Antitrust Reform; ECPA amendments. Even section 214 of the Homeland Security Act on critical infrastructure information was worth getting -- even if DHS has botched the implementation.

Legislating by headline is usually bad. Legislating technology by headline, whether in the EU, in Washington or even in our smallest states, is certainly one of the worst examples of that sad phenomenon. Technology is nimble when controlled by the marketplace. It is often brittle as all get out when controlled by a parliament...

posted by Solveig Singleton @ 3:35 PM | E-commerce



The Progress & Freedom Foundation