Symantec CEO Calls for Federal Data Breach Legislation

Data exposure grows more frightening as the amount of malicious software released in the second half of 2007 outpaced the release of legitimate software.

Symantec CEO John Thompson called for the federal government to pass legislation governing data breach notification and standards on how to handle and report an exposure of customer or proprietary data during his keynote at the RSA Conference in San Francisco.

In his remarks, Thompson noted that the number of exposed privacy records due to data breaches has risen dramatically. Though he said he is glad policymakers realize the importance of protecting data, he added that a comprehensive, overarching data breach law is necessary.

"What we really need is the federal law to set one very high standard," he told the audience.

The comments were part of a speech spent mostly arguing that organizations and vendors alike need to rethink their approach to security.

Malware Development Outpaces Legitimate Software

Along with Steve Trilling, Symantec's vice president of security technology, Thompson painted a bleak picture for data security during his keynote. Citing the company's latest Internet Security Threat report, Trilling noted the amount of malicious software released during the second half of 2007 actually outpaced the release of legitimate software. According to the report, Symantec detected 711,912 new threats in 2007 compared to 125,243 in 2006.

All this means it is time for an information-centric approach to security, Thompson said. For enterprises, executives need to understand where the data is and how it is being used, Thompson said. CFOs, CEOs and other business executives need to be involved in setting policies around data access and protection across the business, he said.

"Security is now everyone's job - not just the IT department," he said.

Vendors, meanwhile, need to enhance content-awareness technology and extend it to mobile devices, Thompson said. When Symantec acquired data leak prevention (DLP) provider Vontu last year, it deepened the company's content-aware abilities. But beyond DLP, the technology can also be brought to storage in the form of intelligent archiving, allowing businesses to make informed decisions about archiving data and controlling storage costs, the CEO told the audience.

Thompson predicted it would be another five to 10 years before the market sees a system that integrates information and security in a truly holistic way. Vendors focused solely on protecting the network or providing point products to address a given threat instead of holistic solutions will not be able to meet the needs of customers, he said.

"I argue they are fighting yesterday's battle," Thompson said.