CSIA 2007 Policy Objectives

Objective 1: Achieve data security legislation in the U.S. Congress that protects the security of consumer data.

What is the issue?
The U.S. Congress must enact a comprehensive national law that aims both to prevent further data breaches and to address leaks once they occur. This legislation should set reasonable security standards that apply to both government and the private sector; require clear and consistent notice for breach notification; provide for strong enforcement; and include incentives to apply best practices for security.

Why is it important?
Since February 2005, more than 150 million records of personal information have been lost or stolen in the U.S., according to the Privacy Rights Clearinghouse. Beyond the obvious risks to consumers, such as exposure to identity theft, security breaches are eroding public confidence in the security of consumer data. This growing trust deficit is a serious threat to economic growth, which depends on continued consumer acceptance of technological innovation.

Objective 2: Achieve legislation in the U.S. Congress that strengthens consumer protection from spyware.

What is the issue?
The U.S. Congress should ensure that clear criminal penalties are in place to prosecute those who propagate spyware, and should enable anti-spyware firms to identify, detect and remove spyware and potentially unwanted software from their customers' computers without the threat of lawsuits.

Why is it important?
Spyware is a serious threat to the security of consumer data. These unwanted computer programs are surreptitiously placed on users' systems in order to gather confidential information such as credit card details, user names and passwords. Recent studies show that approximately 90 percent of computers in the U.S. are infected with some form of spyware. As with data security, spyware threatens consumer confidence in the information systems underlying our economy.

Objective 3: Strengthen security provisions in the EU e-privacy directive concerning electronic communications by introducing data breach notification obligations and minimum security requirements for electronic communication providers.

What is the issue?
The EU is currently reviewing the EU regulatory framework for electronic communications, of which the e-privacy directive is a part. The European Commission has already indicated that it would like to enhance the security provisions of the e-privacy directive, as the current provisions are not deemed sufficient. Currently, there is no obligation to notify in case of a security breach. Although the directive does stipulate that electronic communication providers must notify in case of a risk of a breach, with networks being under constant risk of a breach, this provision has never been adhered to. The scope of the e-privacy directive is limited to electronic communication network providers.

Why is it important?
By introducing data breach notification and minimum security measures obligations, electronic communication network providers will be obliged to take security more seriously, resulting in a more secure electronic environment with all related benefits (increased consumer confidence in the on-line world, economic gains, etc.). Once these requirements have been adopted in this context, CSIA will make it its mission to broaden the requirements for data breach notification and minimum security measures to any entity holding sensitive personal information.

Objective 4: Provide input and expertise to EU initiatives in the area of critical infrastructure protection.

What is the issue?
The European Commission put forward in December of last year its proposal for a European Programme for critical infrastructure protection. The objective of the programme is to enhance European cooperation and protection of European critical infrastructures. Work will be done on a sector-by-sector basis, following identification of priority sectors by the European Commission. It is expected that ICT will be one of the first priority sectors.

Why is it important?
Critical information infrastructures are critical for the continued and efficient functioning of services across Europe. CSIA members have extensive expertise in this area, as well as an interest in ensuring that EU initiatives take account of existing best practices and lessons learned in other countries and regions.

Objective 5: Strengthen the policies governing the security of federal information systems.

What is the issue?
The U.S. Congress and Administration should work together to strengthen the Federal Information Security Management Act (FISMA). Additionally, federal agencies must address data security and should be held accountable to the mandatory data protection and breach notification requirements suggested for the private sector.

Why is it important?
The security of federal information systems is inadequate. The annual FISMA report card for all U.S. federal government agencies reported an average grade of C- for securing computer systems and networks in 2006. Since 2003, the overall average grade for agencies has never exceeded a D+. In addition, a number of government agencies have reported high-profile data security breaches. In fact, a recent study revealed that the government sector accounted for 25 percent of all identity theft-related data breaches, more than any other sector.