Industry executives ask for new notification law

An industry group wants Congress to pass legislation requiring companies to notify consumers about the loss or theft of personal data.

An industry group is asking Congress to pass a law requiring companies to notify consumers of security breaches, in part to stem the tide of state laws that threaten to create a patchwork of regulations.

This is just one of several recommendations made by the Business Software Alliance at a forum it co-hosted May 17 with the Center for Strategic and International Studies to discuss its new report, Securing Cyberspace in the 21st Century.

Recent high-profile incidents involving the loss or theft of personal data on thousands of people have triggered significant interest from Congress, the business community and the general public on taking steps to combat cybercrime, panelists at the forum agreed.

But the ability of law enforcement to keep up with these crimes is lagging, as criminals make use of computers and the Internet while government agencies struggle with outdated equipment and laws that never envisioned cybercrimes.

"Law enforcement is dying by Moore's Law," said Albert Sisto, chairman, president and CEO of Phoenix Technologies Inc. of Milpitas, Calif. "The forensic challenge in finding the evidence is growing harder and harder."

Brian Nagel, assistant director in the Office of Investigations at the Secret Service, said three things are needed to better fight cybercrime: lawmakers have to provide more funding, "because these [investigations] are more costly and the technology is expensive"; investigators need more extensive training; and agencies have to undertake a strong effort to share criminal intelligence.

Sisto credited one "simple piece of legislation" for changing institutional indifference to cybercrimes: California Senate Bill 1386, the Database Security Breach Notification Act. "It has us all aware: If you're breached, you must notify." Companies can be sued if they fail to tell their customers about security breaches.

BSA is proposing a federal law that would require companies to notify consumers if their personal information is lost or stolen. There are two incentives for the business community to support such a law. First, numerous states either have or are moving to adopt legislation similar to the California requirement, and a federal law would prevent the development of "an onerous regulatory environment," according to BSA. Second, BSA has suggested providing immunity from lawsuits if lost or stolen data was in encrypted form, giving companies a reason to invest in additional security measures.

Other recommendations for policymakers include:

  • Ratifying the Council of Europe Convention on Cybercrime

  • Creating a presidential commission on organized cybercrime and identity theft and

  • Increasing enforcement by creating an interagency organized cybercrime task force.