Security vendors RSA and Symantec have called for a single US federal data-breach notification law, echoing similar demands in the UK.
At the RSA security conference in San Francisco on Tuesday, both John Thompson, the chief executive officer of Symantec, and Art Coviello, the president of RSA, called for unified data-breach legislation in the US. Similar calls were made in the UK by the House of Lords Science and Technology Committee last year.
"Policy makers need to drive regulation that focuses on outcomes. Data-breach regulations focus on results and force companies to solve security problems. Congress needs to pass pre-emptive data-breach notification laws, not the 40 different laws we have at the moment in different states. Congress should pass a law to establish baseline security practices," said Coviello.
In the US, as in the UK, a patchwork of regulations covers information assurance, but these tend to be sector-specific. For example, the retail sector, which deals with the major credit-card companies, is starting to be regulated globally under the Payment Card Industry Data Security Standard (PCI DSS), which began to come into force for large companies last summer.
Symantec's Thompson agreed with Coviello that the US should pass nationwide data-breach notification legislation.
"It's completely impractical to have 40 states, each with data-security laws," said Thompson. "What we really need is a federal law to protect consumers. When we're plugging the flow of data breaches, we need to recognise these are problems that are not limited to one state, country, or continent."
Both RSA and Symantec have purchased data-loss prevention companies in the past year. RSA acquired Tablus in August 2007, while Symantec announced it was to purchase Vontu in November.
In the UK, the House of Lords has repeatedly called for a data-breach notification law. In September last year Lord Harris of Haringey said: "I support the recommendation the [Lords Science and Technology] Committee made that there should be a data-breach notification law. Manufacturers of equipment, producers of software, holders of data, and internet service providers should all be much more security conscious than is currently the case. In some cases [of data breaches] the financial penalties are not strong enough."