With the recent rash of highly newsworthy data breaches, headlined by the Sony PlayStation Network breach that impacted 77+ million subscribers, there’s been much hand-wringing over how to best ensure the protection of customer privacy.  The debate seems to be centered around two different camps: those who believe that the force of law can best bolster security and those who argue that better technology holds the key to data breach freedom.

Camp #1: The Lawyers

While proposals for a national data breach law have so far failed to gain traction, most states now have laws in place that oblige companies to take certain steps when data breaches impact their customers, including requirements around breach notification.  Privacy advocates insist that the government needs to become more involved in serving as a national “data sheriff,” passing new laws that will force companies to take their security obligations more seriously.  In the meantime, as we reported recently, the Sony breach in particular has galvanized the Federal Trade Commission to begin levying fines against companies for insufficient security practices that allow data breaches to take place.  The argument for financial penalties against breached companies is that economic spankings will motivate organizations to plug security holes in ways that concern for consumer protection alone has not.

Camp #2: The Techies

While legal roadblocks may have their place, some believe that regulations can only go so far in protecting us.  Factors that make information control nigh impossible, according to Time’s Jerry Brito, include the proliferation of digitization, the vast scope of the Internet, the scale of communications made possible by the Internet, and the ease of online distribution.  Instead of punitive measures as a path to security, this argument goes, we should accept that data breaches are inevitable and instead focus on harnessing technology to improve security.  Proponents of this approach note, for example, the promise of the Obama Administration’s National Strategy for Trusted Identities in Cyberspace, which would establish an identity ecosystem that would utilize new technologies, policies and standards to help protect and authenticate consumer transactions.

As data breaches become bolder and more destructive, the debate about how to best protect ourselves from this online menace is sure to rage on.

If you thought that data breaches were already expensive – what with the manpower and resources needed to issue breach notifications, offer compensatory protection services such as free identity theft protection, identify the source of leaks and tighten up security, and bolster marketing efforts to hang on to customer loyalty – add a new line item to the list.

Fines.

In an effort to make data breaches even more unpalatable and motivate companies to strengthen their security practices, the Federal Trade Commission is beginning to levy punishments for security holes that invite intrusions.  For example, the FTC recently settled with two companies, a payroll and HR firm and an immigration law services firm, both of which maintain a great deal of sensitive information about the employees of their business customers, including Social Security numbers.  The organizations were charged with violating federal law by failing to provide reasonable and appropriate measures to protect sensitive data, in spite of the fact that the companies advertised their security measures with claims such as “worry-free safety and reliability.”  As part of the settlements, each firm is required to obtain comprehensive information security programs and independent security audits every other year for 20 years.

Taking a cue from this new practice in the U.S. and other countries, and asserting her deep concern with the large number of recent breaches, Canada’s privacy commissioner also wants to start implementing hefty “attention-getting fines” against firms that have allowed customer data to be compromised through preventable data breaches.

This decision followed news that Canadian lawyers have announced a $1 billion class-action lawsuit as a response to two massive Sony PlayStation Network breaches that exposed the information of 102 million customers.  A U.S. House of Representatives subcommittee is also demanding answers from Sony about the circumstances surrounding these breaches and has scheduled a hearing to address the “threat of data theft to American customers.”

Not all security experts think that punitive measures towards breached organizations help protect customers from data theft, noting that it is akin to fining a store after it has been robbed.  In fact, some think that fines have the opposite effect by deterring companies from reporting data breach incidents in the first place.

As they say, the best defense is a good offense.  Protect your organization from the threat of breaches and expensive regulatory punishments by ensuring that you have a strong and defensible security program in place.