Enterprise Data Security: Definition and Solutions

The committee approved the Personal Data Privacy and Security Act of 2009 (S.1490) by a vote of 15-5. The bill now is headed to the full Senate for consideration.

If it becomes law, the bill, which was introduced by Sen. Patrick Leahy (D-Vt.), would require companies and government agencies to follow specific rules for protecting sensitive and personally identifiable data.

Under the proposed law, all private and government entities handling sensitive data would be required to implement specific risk assessment and vulnerability testing measures. They also would be required to deploy measures for controlling access to sensitive data, detecting and logging unauthorized accesses to the data and for protecting data while it is in transit and at rest.

The bill would introduce a federal breach notification standard under which companies would be required to notify not just affected individuals of a data breach, but also in some cases, credit reporting agencies and the U.S. Secret Service. It would establish a new Office of Federal Identity Protection within the Federal Trade Commission and stiffen penalties for identity theft and related fraud.

The law would also provide notification exemptions for companies that have taken adequate measures -- such as encryption -- to protect sensitive data. Companies would also not be required to immediately disclose a breach, if it would hinder a criminal investigation. But such exemptions would need to be vetted by the Secret Service. The law provides for penalties against executives of companies that willfully conceal a data breach.

If approved, S.1490 would likely pre-empt similar data protection laws that have been passed already in 46 states. Many security analysts have been calling for such a federal bill , arguing that it would be easier for companies to comply with one national law rather than a patchwork of 46 different state laws.

Several attempts at passing similar federal legislation over the past three years have failed, howeer, and it remains unclear whether S.1490's fate will be any different. Growing concerns related to ID theft and the criminalization of cyberspace have added an element of urgency to the bill.

Even so, the bill includes provisions that are unnecessary and burdensome, said John Pescatore, an analyst with reserach firm Gartner Inc. in Stamford, Conn.

"A federal level disclosure law to make sure affected individuals are notified would be a very good thing, mostly to stop the growth of individual state laws with differing requirements," he said. But the provisions in S.1490 which would require breached entities to report to the government "will create an entire new set of bureaucracy within the U.S. Secret Service and the FTC," Pescatore said.