A leading cybersecurity association says a report released yesterday by the President's Identity Theft Task Force falls short of adequately protecting Americans' privacy because the report's recommendations for the public sector are less stringent than those for the private sector.
According to a statement by the Cyber Security Industry Alliance:
[The report] offers several key data security measures for both the public and private sectors. Related to the public sector, the report calls for decreasing the unnecessary use of Social Security Numbers, educating federal agencies on how to protect data, monitor their compliance with existing guidance and ensure effective, risk-based responses to data breaches. For the private sector, the report states that national standards should be established for private sector data protection and breach notifications, better education on the safeguarding of data should be offered among private sector entities and to the general public, investigations should be initiated for data security violations and an online clearinghouse for current educational resources should be developed.
[Liz Gasster, general counsel for CSIA, said], "While the recommendations to limit the unnecessary use of Social Security Numbers, establish a National Identity Theft Law Enforcement Center and execute additional public awareness campaigns are important and necessary measures, one critical element is clearly missing: the report stops short of requiring a national standard for the public sector that would mirror the mandatory data protection requirements and breach notification requirements suggested for the private sector. Merely re-issuing data security guidance to agencies is inadequate. Government agencies should be accountable to citizens for safeguarding their data, and compliance should not be optional."
Hat Tip: ComputerWorld