
First Prediction for 2008

In my last blog I made ten predictions regarding events and trends that I believe will occur in 2008. The first was:

Cybersecurity legislation regarding prompt notification of individuals potentially affected by data security breaches will be signed into law in the US. Other major cybersecurity-related legislation will, however, once again fail.

Passing cybersecurity-related legislation in the US is anything but an easy feat. Over the years many very worthy pieces of proposed cybersecurity legislation have died in committee or have been tabled or voted down once they have reached the full House of Representatives or the Senate. You may well remember that even though nearly two-thirds of the states in the US have passed legislation mandating notification of individuals potentially affected by data security breaches, Senator Feinstein’s proposed federal legislation requiring such notification died in 2006.
What will be different in 2008 that will result in data security breach notification legislation finally getting passed? First, the momentum for such legislation has been building for several years now. The fact that such legislation is now law in most states has provided much of this momentum. Additionally, the number of reported and publicized data security breaches has continued to grow dramatically to the point that public concern has risen rapidly. Consider, for example, the numerous lost and stolen computers as well as intrusions into systems containing personal information within the US government (particularly within the Veterans Administration) over the last few years. (This type of incident is by no means limited to the US government, either—Her Majesty’s Customs and Revenue recently lost CDs containing information related to 25 million UK residents.) Numerous corporations, universities and research institutions have also experienced such incidents, raising public concern even higher. Finally, resistance to legislation requiring notification of individuals who have potentially been affected by a data security breach has come mainly from legislators who have been worried that such requirements would unduly penalize businesses. The composition of the US Congress has been changing over the last few years, however, to the point that a greater number of Congresspersons who favor individual rights and privacy over business interests are now in Congress.
The second part of my prediction is that other security-related legislation in the US will fail. Unfortunately, the perception that somehow the loss and disruption resulting from computer-related crime is not nearly as severe as from other types of crime lingers; US Congresspersons are no exception. Clearly, US legislators, let alone the public at large, are in dire need of security awareness and training, yet the likelihood that they will ever get such training remains minuscule. Additionally, there does not appear to be much impetus for such legislation from lobbyists, US agencies, and other groups that influence decisions concerning federal legislation. I would therefore not count on other significant security-related legislation passing any time soon.
