[ISN] Swindle: 'Somebody Has Got to Pay'

InfoSec News isn at c4i.org
Wed May 18 03:11:05 EDT 2005


By Roy Mark 
May 17, 2005 

WASHINGTON -- Corporate America is acting irresponsibly in protecting
consumer data, Orson Swindle of the Federal Trade Commission (FTC)  
said today. The payback for that irresponsibility, he predicted, will
be painful.

In impromptu comments made during a think-tank panel discussion on
international cyber crime, Swindle, a Republican FTC commissioner,
took broad swipes at both private enterprise and Congress for their
efforts on consumer data protection.

"Everybody's screaming, all the political figures up on [Capitol]
Hill, about identity theft," he said. "It's not identity theft, it's
the theft of information."

And, he added, in today's global, digital marketplace, that
information is currency.

"While politicians raise hell about identity theft, what we're really
talking about is the failure to protect valuable currency," Swindle
said. "Corporate boards better start paying attention, because they
haven't been."

The daily headlines of various data breaches from ChoicePoint to Bank
of America to several colleges and universities, he said, "indicates
to me the industry has, to a great extent, been irresponsible, and
somebody has got to pay."

He suggested the first people to pay might be corporate lawyers.

The lax data protection, according to Swindle, is "being driven in
part by those general counsels who sit around and say, 'Be careful
about what you promise in privacy and information security because you
might get sued for it.'"

Swindle called that attitude irresponsible and said doing the right
thing will minimize the problem.

"That is irresponsible. Do the right thing and we'll have a heck of a
less problem," he said. "That'll give technology a chance to catch up
and keep building better reinforcements in multi-layer defenses."

One of the right things to do, according to Entrust CEO
Bill Connor, is a uniform national breach notification law to cover
consumers exposed to possible ID theft.

Connor said he supports disclosure to consumers in breaches of both
encrypted and unencrypted data. But, like most in the technology
industry, Connor wants the notification law to exempt encrypted data
breaches from liability lawsuits or penalties.

"Information is what people are after. All encryption does is put some
locks on it, granted some pretty strong locks," Connor told
internetnews.com. "If they have the right credentials, encryption won

Encrypted data, according to Connor, takes away approximately 80
percent of the breach vulnerabilities of unencrypted data.

Liability for encrypted data breaches should be limited, or
"non-existent," according to Connor, since the company "practiced good
safekeeping. You've done duty of care."

Sen. Dianne Feinstein (D-Calif.) is proposing a national disclosure
law with liability for both encrypted and unencrypted data breaches.

"Encryption 'safe harbor' provisions benefit not only consumers and
citizens, but also provide incentives for business and organizations
to provide greater security throughout their operations," Connor told
the panel. "It is a win-win proposition, which ultimately benefits all
parties involved."
