RSA, Symantec call for unified US data breach laws

Security vendors RSA and Symantec have called for a single US Federal data breach notification law, just as the Australian government looks to update privacy laws — including data breach laws.
Written by Tom Espiner, Contributor

At the RSA security conference in San Francisco on Tuesday, both John Thompson, the chief executive officer of Symantec, and Art Coviello, the president of RSA, called for unified data breach legislation in the US. Similar calls were made in the UK by the House of Lords Science and Technology Committee last year.

"Policy makers need to drive regulation that focuses on outcomes. Data-breach regulations focus on results and force companies to solve security problems. Congress needs to pass pre-emptive data-breach notification laws, not the 40 different laws we have at the moment in different states. Congress should pass a law to establish baseline security practices," said Coviello.

In the US, a patchwork of regulations covers information assurance, but these tend to be sector-specific. For example, the retail sector, which deals with the major credit-card companies, is starting to be regulated globally under the Payment Card Industry Data Security Standard (PCI DSS), which began to come into force for large companies last summer.

Symantec's Thompson agreed with Coviello that the US should pass nationwide data-breach notification legislation.

"It's completely impractical to have 40 states, each with data-security laws," said Thompson. "What we really need is a Federal law to protect consumers. When we're plugging the flow of data breaches, we need to recognise these are problems that are not limited to one state, country, or continent."

Both RSA and Symantec have purchased data-loss prevention companies in the past year. RSA acquired Tablus in August 2007, while Symantec announced it was to purchase Vontu in November.

The Australian Law Reform Commission last year proposed a major shake-up of Australia's privacy laws, including data breach disclosure laws. It hopes the reforms will simplify the complex and overlapping state and Commonwealth privacy legislation, including the Commonwealth Privacy Act 1988, which has not been reviewed for 20 years.

Yesterday, Senator John Faulkner said the government was looking to update the Privacy Act after reading the final report of the Commission, and was planning to tackle the laws and "build a privacy regime to serve modern Australia".

In the UK, the House of Lords has repeatedly called for a data breach notification law. In September last year Lord Harris of Haringey said: "I support the recommendation the [Lords Science and Technology] Committee made that there should be a data-breach notification law. Manufacturers of equipment, producers of software, holders of data, and Internet service providers should all be much more security conscious than is currently the case. In some cases [of data breaches] the financial penalties are not strong enough."