US Announces Cyber Security plans and breach notification law tidy up

Great. I don’t live in the US, so why are you telling me?

The US Department of Homeland Security (DHS) is publishing the cyber security plans of the Obama administration. These will include a prune of the unkempt privet that is US breach notification law, which currently exists in different variants across 47 States, and statutory protection for critical national infrastructure.

In an article in eWeek Europe there is a whole raft of detail, which you are at liberty to read yourself. The reason why I raise this as a topic is three-fold:

1. The UK and Europe pretty much follow the US, technically and legally.
2. It looks like the DHS will be given a fairly big stick to wave about.
3. There’s some comment in the article (note the pleasingly cheesy picture of Obama against a digital globe) about how people would like to see stronger penalties, or more detail, and my view is ‘hogwash’.

Those of us who have been in InfoSec for long enough will know what Senate Bill 1386 (SB1386), the California law that first required organisations to notify individuals when their personal data was breached, means (and here’s a link to help explain it for those of you who were still in shorts when Nirvana were tearing the place up). SB1386 hit all of us after a while, because most big companies do business in the US, and most big companies doing business in the US have usually got a footprint in the economic powerhouse of California. At some point, SB1386 and its brethren across the other states hit non-US companies. And then of course we got breach notification law here in the UK. And now we’re 30 months from an EU Directive on the topic. This stuff starts in the US and flows to all of us.

Except that next time around the world will have moved on significantly, technically. Having just spent a week in the US, I can say that they are some way further down the line with Cloud than us, and even I am beginning to feel that resistance is futile. So, accepting that we may be some years from the G-Cloud and similar stuff, it’s not unreasonable to think that US cloud operators may soon be holding some of our IL2-and-below data, and therefore we will want them to have this nailed. So bigger fines, rationalised statute and a clearer path to remedy are all to be applauded, especially when you compare them with the hotchpotch of stuff over here right now. So yet again, precedent suggests that, for purely economic reasons, we will end up with comparable legislation and remedy.

My point is this. The DHS may not have gone as far as some would have liked, but it has added clarity and structure to matters. And given that our data is going to be over there very soon, and comparable legislation will be over here just a bit later, this is a good thing.


About Graeme Stewart, McAfee

I work for McAfee as Director of Public Sector Strategy and Relations, UK&I