Saturday, April 12, 2008

Utility of Regulations

Does computer security regulation actually improve security? No, says this article from Computer World. Instead, the article says that regulations which specify behavior for companies risk "actually weakening a business by enforcement actions that drive companies to spend unnecessarily on perceived but not genuine security risks." The article says that, instead of specifying behavior, regulation should be outcome-based. The example of good outcome-based regulation given in the article was California's SB 1386, which requires companies to notify consumers of unauthorized access to their personal data. However, after praising SB 1386, the article says that that legislation is also a problem, and advocates burying it with federal regulation which would preempt state security breach notification laws. The reason the article gives for needing this preemptive federal legislation: "to create a national baseline standard for protecting sensitive data."

As it happens, I disagree with almost everything this article said. First, I think the article's fear that regulation will cause companies to waste money on needless security measures is completely misplaced. I'm actually a little curious: what part of the current regulatory climate is it that he thinks is forcing businesses to spend money unnecessarily? Is it (for example) HIPAA's encryption requirements? Its unique user identifications? It's easy to complain about regulatory burden. However, I'm not sure that I'd want a business to have my health care records (or other personal data) if they didn't even bother to know who was on their systems, or properly encrypt my information. Second, I think the article's focus on SB 1386 as the type of regulation that we need is completely wrong. Yes, that law is useful, in that it makes sure companies can't just sweep security breach incidents under the rug. However, it does nothing to prevent the breaches in the first place. To me, it makes sense to try and have regulations which prevent bad events (e.g., security breaches) from happening in the future rather than simply trying to clean up afterward when something goes wrong. Finally, the article advocates preemptive federal data security breach laws. I think this is dead wrong. Why not let individual states try and find their own balances between costs of notification and individual privacy? Having multiple state laws doesn't make it more difficult to comply... it just means that businesses need to know whose data they're storing, then comply with the most stringent standards which apply to that data. If we had some kind of federal amalgam of our current state legislation, the result would be that states could no longer make innovative laws like California's SB 1386, and that would make people's information less, not more, secure.

Thus, while I think it's generally a good thing to discuss the appropriate level of regulation to protect information security, Computer World's article arguing that regulation is unhelpful can safely be skipped, as there isn't much there worth considering.
