Alliance: Government must help guard personal data

Find opportunities — and win them.

Congress should require both private companies and government agencies to notify people if their personal data has been breached or stolen online, the leader of a cybersecurity industry group said this week.

Congress should require both private companies and government agencies to notify people if their personal data has been breached or stolen online, the leader of a cybersecurity industry group said this week.

"You cannot exclude government from this process," John Thompson, chairman of Symantec Corp. and also chairman of the Cyber Security Industry Alliance, said at a board meeting of the group.

Congress also should establish basic cybersecurity standards for all caretakers of such data, Thompson said. The standards should be the same as, or similar to, best practices recognized by entities such as the International Organization for Standardization, he and other alliance board members said.

About 10 board members of the alliance met with House and Senate lawmakers on Thursday to promote national legislation for breach notification that would supersede a hodgepodge of breach notification laws and pending data security bills in 35 states.

Several breach notification, anti-identity theft and cybersecurity bills have been submitted in Congress, and Thompson said the group supports those efforts. It is unclear whether there will be a comprehensive cyber bill or whether various provisions will be folded into other bills, he said. "Getting a unified bill is a big challenge," Thompson said.

The alliance is pressing forward to restore confidence in the Internet and in online commerce, Thompson said. "The time for action on the Hill is now in protecting against data breaches," he said.

Various enforcement penalties, as well as incentives, are being considered to encourage companies and public agencies to secure personal data better.

One motivating factor may be the high cost of cleaning up IT systems and records after a breach, Thompson said. Citing recent studies, he said the cost to an IT company of a single exposed item of personal data is $175 to $185.