Law vs. Technology: Which stops more breaches?

June 7, 2011 by bkrenek

With the recent rash of highly newsworthy data breaches, headlined by the Sony PlayStation Network breach that impacted 77+ million subscribers, there’s been much hand-wringing over how best to ensure the protection of customer privacy.  The debate seems to be centered on two different camps: those who believe that the force of law can best bolster security and those who argue that better technology holds the key to data breach freedom.

Camp #1: The Lawyers

While proposals for a national data breach law have so far failed to gain traction, most states now have laws in place that oblige companies to take certain steps when data breaches impact their customers, including requirements around breach notification.  Privacy advocates insist that the government needs to become more involved in serving as a national “data sheriff,” passing new laws that will force companies to take their security obligations more seriously.  In the meantime, as we reported recently, the Sony breach in particular has galvanized the Federal Trade Commission to begin levying fines against companies for insufficient security practices that allow data breaches to take place.  The argument for financial penalties against breached companies is that economic spankings will motivate organizations to plug security holes in ways that concern for consumer protection alone has not.

Camp #2: The Techies

While legal roadblocks may have their place, some believe that regulations can only go so far in protecting us.  Factors that make information control nigh impossible, according to Time’s Jerry Brito, include the proliferation of digitization, the vast scope of the Internet, the scale of communications made possible by the Internet, and the ease of online distribution.  Rather than relying on punitive measures as a path to security, this argument goes, we should accept that data breaches are inevitable and focus on harnessing technology to improve security.  Proponents of this approach note, for example, the promise of the Obama Administration’s National Strategy for Trusted Identities in Cyberspace, which would establish an identity ecosystem that would utilize new technologies, policies and standards to help protect and authenticate consumer transactions.

As data breaches become bolder and more destructive, the debate about how to best protect ourselves from this online menace is sure to rage on.