Americans want better data security laws

The U.S. public wants stronger federal data security legislation as its confidence wanes in current laws intended to protect them on the Internet, according to a new survey the Cybersecurity Industry Alliance released today.

The April survey of 1,150 adults found that only 18 percent – less than one in five – believe that existing laws are sufficient to protect them on the Internet.

The survey’s results come a day after the Department of Veterans Affairs revealed that personal information of about 26.5 million veterans – including their names, Social Security numbers, disability ratings and birth dates – was stolen sometime in the past month from the home of a VA employee who took the information home without authorization.

With so many Americans vulnerable to exploitation, “the survey reiterates that Americans are concerned with this issue and want to see an adequate legal framework” to protect them, said Shannon Kellogg, director of government and industry affairs at RSA Security and a member of the National Cyber Security Alliance’s Board of Officers.

"Identity theft isn't just a Washington, [D.C.], issue, it's a kitchen table issue, and this is a strong signal that Americans want their government to take action on the problem -- before this November's elections," said Chris Voice, chief technology officer at Entrust.

Sixty-six percent of the survey’s respondents thought Congress should make protecting information systems and networks a higher priority, and 71 percent thought Congress should pass a strong data security law, such as one resembling California’s.

Of that group, 46 percent said they would have “serious” or “very serious” doubts about political candidates who do not support quick action to improve existing laws.

“While data security alone won’t be a deciding factor in an election, the survey does reveal that voters have serious doubts about candidates opposed to strong data security laws,” said Paul Kurtz, executive director of the Cybersecurity Industry Alliance. The survey also revealed little difference between Republicans and Democrats on cybersecurity policy issues.

Data security has become personal for Americans, and constituents are complaining to their legislators to enhance protections, Kellogg said.

The VA breach adds to a rash of high-profile data breaches in the past 18 months that have compromised more than 55 million personal records, Kurtz said.

Congress has debated data security legislation for a year without passing anything, Kurtz said. At the same time, the public has become more aware of how data security protects their privacy and how the government must take a proactive role in ensuring data security, he said.

Congress should pass comprehensive federal data security legislation this year that sets reasonable security measures, makes notification consistent and predictable, implements industry best practices, and strengthens enforcement, Kurtz said.

The legislation should include a safe harbor provision that encourages organizations to encrypt their stored data, said Liz Gasster, the alliance’s general counsel. The provision would protect the organizations from liability and remove their need to notify customers if they can prove they encrypted their data, she said.

“Rewarding organizations that do the right thing is a solid public policy approach,” Kellogg said.