In the midst of all the excitement around healthcare reform, the fact that both the house and senate made some progress on their (separate) bills for protecting personal information hasn’t received the attention it deserves. Sure, I think we’re up to 46 states that now have their own breach notification laws, but simplifying this patchwork and raising the bar in the states with more lax regulations is certain to improve the state of database security overall.
So, where does this stand?
The biggest advance was in the house, where the “Data Accountability and Trust Act” (aka H.R.2221) passed on December 8th and has been sent to the senate. It includes provisions aimed at improving security policies, as well as breach notification requirements. See: http://www.scmagazineus.com/national-data-breach-notification-bill-passed-in-us-house/article/159404/
The senate has two bills of its own that made it out of committee in November and await a floor vote. The “Personal Data Privacy and Security Act of 2009” (looks like they’ll have to update the name) and the “Data Breach Notification Act” address the need to better secure sensitive information and to notify individuals in case of a breach, respectively. See: http://www.eweek.com/c/a/Security/Senate-Committee-Passes-Data-Breach-Laws-590570/
There is still work to be done in Washington (the senate must pass its bills, then on to reconciliation to get the house and senate versions aligned, and of course they all get to vote again), but even so, I’m optimistic that something will come of this next year. Maybe I should have put that in my predictions for 2010. If that’s the case, I think it will bring more focus in virtually every company on the need to better secure databases. Those that have already taken the step of deploying tools to monitor database activity will be in the best position to meet the new requirements with minimal disruption, and for those that have been looking for ways to justify the expense to management, this will make it much easier.