Last years barrage of corporate data breaches spurred the Federal Trade Commission to impose the largest civil fine in its history—$15 million on ChoicePoint—and prompted federal lawmakers to call for greater security safeguards in the private sector.
As the breaches subside from the headlines, however, there is growing pressure on Washington to move cautiously.
The Progress & Freedom Foundation, a market-based think tank in Washington, released a position paper Feb. 20 calling on policy makers to move carefully before imposing any new rules on companies that hold data.
PFF notes that the cost of not investing in improved security is rising, but the foundation maintains that consumers perception of insecure data may be more harmful than the actual harm caused by breaches, especially if the perception prompts hasty legislative action.
“Information security breaches have appeared on the covers of national news magazines, been featured on numerous television news programs and has consumed thousands upon thousands of column inches in newspapers,” wrote Orson Swindle, distinguished fellow at PFF, and Patrick Ross, senior fellow at PFF.
“The increased attention can itself be a cause for concern, as irrational anxiety can depress consumer spending, lead to ineffective or even harmful legislation, and stifle economic growth.”
According to PFF, the best role for government is to work with the private sector to develop an international framework to improve law enforcement efforts to combat data breaches.
The government can also help industry educate users, but it should not rush into enacting new laws, PFF warned.
“Hasty and perhaps emotion-driven action to regulate data security on the Internet would violate an essential consideration when deciding to let government solve any problem: First, do no harm,” PFF wrote.
“Given the tremendous personal and economic benefits that flow from private markets, government officials must resist the urge to do something to quickly satisfy political needs, and they must always be mindful of the oft-proven laws of unintended consequences of government solutions.”
Another data security paper released this week found that substantial legislative backing for information technology was one of the main factors leading state and local governments to invest in data security, however.
The paper by CDW Government, Inc., examines state and local government IT investments since 2000, focusing on network and security hardware, and security, anti-virus, anti-spyware and anti-spam software.
CDW found that Ohio, Michigan, Wisconsin, Washington and Massachusetts invest in IT security at levels well above average. In addition to legislative support, the IT security initiatives in these five states typically enjoyed support from leadership at the state, county and municipal levels and strong academic programs in information assurance.
They also got an earlier start in deploying data security programs than other states.