Thursday, May 14, 2009

Data Accountability and Trust Act

There's a new bill brewing in the US Congress that could have a major effect on the information security industry. The Data Accountability and Trust Act would pre-empt the patchwork of state data breach notification laws with one federal law. It would also require companies to have a basic security program in place.

I have no idea what the chances are of this bill being passed into law. Following legislation is tough because there are dozens of proposed bills that never make it anywhere near being enacted into law. I guess that's why lobbying is a full time job.

My somewhat uninformed opinion (from a few hundred miles north of DC) is that this particular piece of legislation probably isn't headed anywhere in a hurry. For one thing, it's been sitting around for a while; apparently the current legislation was already introduced in the previous Congress. It's also being considered alongside an even less likely candidate for passage - "The Informed P2P User Act" which - regardless of its merits or lack thereof - seems unlikely to pass without some modifications.

So the exact details of the bizarrely named "Data Accountability and Trust Act" are not that important because they will probably change. But this bill is one example of a general trend in regulation that will have profound consequences on the security industry. Let me start with my conclusion - I believe that enterprises are currently spending too much on security products and too little on process. And I believe that the evolving regulatory regime will shine a spotlight on this disparity. Or to put it simply - new regulation will decrease hard dollars spent on security and increase the soft cost in FTEs and organizational capital.

Let's start with the why of security spending. Forget the FUD about hackers and criminals and Russian Business Networks. Compliance is the real driver behind security spending (an assertion recently backed up by the OWASP Security Spending Benchmarks Project). A close second is the desire to actually secure the enterprise; that is, to avoid security breaches and incidents. But this too is really motivated by data breach notification laws on the state level. So directly or indirectly, compliance requirements are the driving force behind security spending.

Both these spending pillars would be undermined by the Data Accountability and Trust Act - the law favors process/policy over technology, and weakens breach notification requirements by preempting stronger state laws.

The Rise and Potential Fall of Breach Notification

A weakened and preemptive federal data breach notification law would be a real game changer for the security industry. There are already federally mandated breach requirements related to HIPAA in the stimulus package, but the effect of a generic breach law would go much farther. By clipping the wings of the much more stringent state laws, it would greatly reduce the "keep us out of the newspaper" motivation for security spending.

The main difference between the proposed weakened federal law and many of the state laws is subtle but critical. As the CDT (Center for Democracy and Technology) pointed out in their testimony to Congress last week, the proposed law leaves it up to an organization to make the determination that there is a low risk of identity theft after a breach. There is obviously a very strong incentive for organizations to come to the conclusion that the risk is indeed low. Because there is little precedent (data breach laws have only been around for a few years) and measuring this kind of risk is inherently subjective, there is a significant risk that real incidents will be swept under the rug. A number of state laws reduce this risk by requiring that the Attorney General's office be informed of all breaches. But a federal law could preempt this requirement.

Security Narrative vs. Security Product

Why do companies spend so much money and so little time on security? One big reason is a mistaken interpretation of PCI. Some of the PCI requirements clearly require you to buy something or at a minimum enable certain features within deployed systems. Requirement 1 refers to firewalls as a given, and it's hard to maintain your anti-virus software in requirement 5 without, well, buying anti-virus software. Other requirements such as logging can sometimes be done with in house products and sometimes require something to be purchased. But - contrary to popular belief - the vast majority of the hundreds of PCI requirements are actually not about technology.

What about state regulations? The press often erroneously refers to "PCI laws" when talking about recent data security regulations in states like Minnesota and Nevada. The truth is that the only faint similarity between PCI and these laws is a requirement to encrypt data. Other than encryption, I do not know of any state regulation in the United States that mandates a specific information security technology in any meaningful way (and this is a good time to say that I am by no means a lawyer).

The new regulations that are pending in the United States (I haven't sufficiently analyzed this issue internationally) are much more focussed on processes and policy and not technology. They force organizations to have an overall security narrative that defines how they reasonably restrict access to sensitive data to authorized parties. The security narrative is the critical requirement. Security products are one piece of this narrative, but by no means the most important.

What does this mean for vendors? Walking the expo hall at RSA in San Francisco a few weeks back got me thinking that a large number of security vendors are selling products that do not help a business build its security narrative. Most companies today are spending too much money and too few resources and organizational capital in addressing security issues. The current and next generation of regulations are clearly focussed on process, not on technologies. The vendors that will thrive in the future are the ones that support organizational, and not technical, security processes.

And one final negative trend for security budgets is the erosion of the concept that it is an organization, and not law enforcement, that is responsible for preventing cybercrime. Increased prosecution and criminalization of cybercrime will shift the expectations as to what reasonable measures organizations need to take to secure their data. After all, no one expects an armed guard at the entry to every office building.

The European Angle

What about international data security legislation? Although I have heard anecdotally that there are certain technology-specific regs in small international jurisdictions, the vast majority of data security regs are centered around the question of who you can share data with, and not how. And even those few technology specific regs allow sufficient allowance for compensating controls that you are never really forced into buying or deploying a specific technology.

It's worth also debunking another common myth in the security industry, which is that there is any requirement for specific technologies mandated by European directives. In Europe the issue of security regulation is at the center of a very sensitive political debate about ceding sovereignty over security issues to Brussels. While member states of the European Union have ceded very significant economic sovereignty to Brussels, there hasn't been any significant movement to give up control over security issues. In the debate between so-called Euroskeptics and EU federalists, cybersecurity has (somewhat oddly) been labelled as a security, not an economic issue. This has stymied European attempts to produce any meaningful cybersecurity legislation at the European level.

When I had the privilege to be one of the founders of the European Network and Information Security Agency (ENISA) in Brussels back in '05, the Agency's remit was very clearly in the area of general cooperation and information sharing. Although the status of the Agency has been slightly expanded over the years, any actual security related regulations will come from the European Commission and not ENISA. There is currently a lot of back and forth about the future role of a European Telecoms Agency that would cover info sec, but these conversations are still in early stages and there is no way there will be any substantial enforceable regulations in this area coming from the EU any time soon. Other EU regulations like the Data Privacy Directive are focussed on the who, and not the how, of sharing sensitive data. So to make a long story short, European regulations also require more people-spend and less technology-spend on information security.

By the way, if you have some serious time to kill, the full testimony before the Congressional Committee on Energy and Commerce can be found here.

Update: The New York Times published an editorial on May 25th that is generally supportive of the Data Accountability and Trust Act but that is critical of the pre-emption of stronger state data protection laws.


  1. This is a nice treatment of the problem. I'm unsure that HR 2221 will pass in its current state. It appears that this is not the first attempt for DATA (109th Congress 2005-2006, 110th Congress 2007-2008).

    We at the CIPP Guide see the preemption of States' Rights as a very big issue. The patchwork of privacy regulations in the US is not ideal, but having the Federal Government set the high-water mark nationally is not in the best interest of our citizens' privacy or security.

  2. Thanks for the feedback. I'm not sure why 2221 got stalled in the past but it's clearly been on the back burner for a while.

    The business community would want to see a federal breach notification law, but there are concerns about the effects on consumer protection and the ability for states to experiment with new regulations.