Sunday, July 2, 2006 - The Progress & Freedom Foundation Blog

More on Data Security Breaches

A thought on the spate of silly data regulation bills floating about the hill: Any legislator proposing rules for data retention for private industry should think about what it would mean to adopt those same rules for his party's next set of political campaigns. Only contacting voters that have agreed in advance to be contacted, and so on. Storing records of all their contacts with voters...

A comment from reader Michael Aisenberg of Verisign on foolish data retention legislation:

This will sound like old hat to those following ABA Info Sec or other lists where the data breach issue has been percolating since Sen. Feinstein's ill-advised 2005 draft bill. I agree with Solveig's conclusion without reservation. An EU-style data retention requirement, without other elements in an overall data custody architecture, would add fuel to the civil liberties portion of the debate without meaningfully impacting the data custody practices obligations of data custodians.

And that, I believe, is the real issue. The silly preoccupation with "breach notification" is tantamount to locking the barn door after the horses are out. For those who don't watch their barns, breach notifications, like GLB credit card bill insert mailings, MAY be useful information.

But in an eCommerce environment where most barns don't even have doors, the first obligation ought to be "building stronger barns"... We all know that PII in the wild can be abused. But we also know that a headline of "25 million veterans' SSNs compromised" (untrue when it appeared) sells more papers than "25 million veterans’ bit streams embedded on a hard drive recovered with no access when laptop returned by fence". Yet for over a year, the eMEdia's preoccupation has been with the (unsubstantiated) epidemic of "data breach" (losses of apparent custodial control over PII) and the threat that this will produce a companion epidemic of identity abuse and other bad acts (no evidence of much of that linked to all the noticed "data breaches", either).

If we wish to have more reliable and less fretful electronic commerce and electronic government, we must adopt a systemic approach to the deposit, transmittal, storage and custodial control of PII (and other valuable data). That means better data custody practice, end to end, not just "breach notification." Only the latest versions of House Commerce legislation on the subject come remotely close to reflecting the industry consensus on this important point, rather than dwelling on California's dubious "breach notification" model. Some might argue that the rush to the Congressional and state bill hoppers after the initial 2005 breaches is evidence of the sorry axis-of-banality between the uninformed press covering these events and the less informed legislative staffers pandering to them and hapless constituents. I am not sure why we see silly legislation in the technology area so often today. We used to see important, valuable legislation: R&D tax credit; Cooperative Research Act of 1984; Patent-Antitrust Reform,; ECPA amendments. Even section 214 of the Homeland Security Act on critical infrastructure information was worth getting -- even if DHS has botched the implementation.

Legislating by headline is usually bad. Legislating technology by headline, whether in the EU, in Washington or even in our smallest states, is certainly one of the worst example of that sad phenomenon. Technology is nimble when controlled by the marketplace. It is often brittle as all get out when controlled by a parliament...

posted by Solveig Singleton @ 3:35 PM | E-commerce