Web Security Takes a Village, Experts Say
A data retention mandate for ISPs, while unpopular in the high-tech community and among civil libertarians, could help fight cyber crooks, the incoming National Assn. of Attorneys Gen. (NAAG) pres. said Tues. “It is a sensitive issue [and] a very complex issue,” Ga. Attorney Gen. Thurbert Baker (D) said at a conference in Atlanta. A minimum 2-year retention mandate would apply to AOL, Yahoo, Microsoft and other companies under a recent proposal by U.S. Attorney Gen. Alberto Gonzales and DoJ staffers. Gonzales and DoJ staffers have met recently with Internet and privacy experts, but details on specific data the Bush Administration wants ISPs to keep are unclear.
The debate recalls one over privacy when online buying first became popular, Baker said at a Cyber Security Industry Alliance (CSIA) town hall meeting. As occurred then, consumer groups, businesses and law enforcement are at odds, he said. But as in debates on Internet privacy, “we've all got to be able to find some common ground and get through it,” he said. Those in law enforcement, “who have an obligation to prosecute crime,” feel strongly about data retention, he said. Making ISPs preserve records could ensure “we're able to get the data we need” to put electronic evildoers behind bars, he said.
There have been “many instances” in which law enforcement has sought data logs from ISPs in criminal inquiries, only to find the companies destroyed the logs “in the normal course of business.” Gonzales has cited this problem in online child predation cases. “There has to be some reasonable approach to how long companies have to retain this data,” he said. All parties must “find a balance” between Internet safety and consumers’ and businesses’ “growing appetite” for online transactions. “If we don’t get a handle on it, we're going to see ourselves in a bad fix in the decade to come,” Baker said.
Less divisive topics also were discussed. High-profile data breaches in the past 15 months -- including a mammoth Dept. of Veterans Affairs breach revealed last month -- animated industry and academic experts. Breaches, phishing, spyware and other types of online fraud are altering consumer and business activity in the digital world, CSIA said. A recent survey by the trade group showed that only 44% of Americans feel their data are safe in e-commerce and half avoid buying online out of fear their financial information will be stolen.
“Against this backdrop of waning consumer confidence, questions of roles and responsibilities remain unanswered,” said CSIA Exec. Dir. Paul Kurtz. That’s caused Congress to consider legislation on data security and spurred corporations to reevaluate business practices, CSIA said. If firms ignore key security issues, they risk regulatory and image trouble, said Internet Security Systems CEO Thomas Noonan. Companies that “land on the front page” due to data breaches “find themselves losing the trust of the very people they're in business to serve,” he said.
States are moving a flood of data security and breach notification measures, with more than 30 state laws addressing data security in various ways. And in Washington, Congress is hammering at a comprehensive nationwide standard with summer recess looming.