BreachExchange mailing list archives

Big Data, national data breach standard among issues government may soon tackle


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 9 May 2014 13:36:29 -0600

http://www.insidecounsel.com/2014/05/09/big-data-national-data-breach-standard-among-issue

A new report released by White House science and technology advisors has
addressed some important privacy issues given the increasing prominence of
Big Data.

Called “Big Data and Privacy: A Technological Perspective,” the report – developed by
the President’s Council of Advisors on Science and Technology (PCAST) – points out that
gathering, analyzing, disseminating, and preserving data raise “new
concerns about the nature of privacy and the means by which individual
privacy might be compromised or protected,” according to a statement from
the White House. Among the issues addressed in the report are concerns
about protection of data in the cloud. The report provides some
recommendations, too. These include:

- Federal agencies should strengthen research in privacy-related technology
and in relevant areas of social science.
- There should be more education and training on privacy protection.
- And the nation should adopt policies that “stimulate the use of practical
privacy-protecting technologies.”

Commenting on the White House report, Paul Luehr, managing director at
Stroz Friedberg and a former attorney with the U.S. Department of Justice and
the Federal Trade Commission, said it gave many examples showing how complex
data affects people every day.

“And while the report left many difficult questions about privacy open, it
was clear about data security – all businesses need to protect personal or
sensitive information, no matter how it is used or where it is stored,” he
added.

On a related issue, Luehr says it is time to set a national data breach
standard.

“Companies currently struggle to comply with 47 complex, overlapping,
evolving, and sometimes contradictory state data breach notification laws,”
Luehr said in a statement sent to InsideCounsel. “In our incident response
work, we’ve seen examples where companies with customers in 24 states had
to research, draft and approve 17 different versions of the same basic
notification letter to comply with different laws, which is clearly a
time-consuming and costly process.”

But a single, comprehensive federal law would provide “more consistent
protection to consumers, provide greater clarity for businesses, and still
allow vigorous enforcement by both federal and state officials,” he added.

He has also called for a 60-day deadline for reporting a data breach and
notifying the affected parties.

“Individual consumers deserve to know if their data has been compromised,
but that notice should be based on a scientific assessment by forensic
experts, not political pressures or concerns about the daily news cycle,”
Luehr said. He explained that some proposals call for notification within
24 to 72 hours.

“But we know that data from compromised servers is often not even preserved
in that period of time, much less analyzed. It often takes several weeks to
conduct a thorough investigation and determine if a breach occurred, what
damage ensued, and who was affected,” he added. “Therefore, we recommend
following the reasonable 60-day deadline already established by HIPAA in
the healthcare industry.”

In addition, InsideCounsel reported that after the Target data breach, many
members of Congress focused their attention on data security and data
breaches. The Target data breach exposed personal information of some 110
million customers late last year – and the company’s CEO recently resigned.

Since the breach, Congress has held hearings on preventing data breaches,
improving data security standards, improving the protection of consumers’
personal data, and giving consumers more notice when a compromise takes
place.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 