October is National Cybersecurity Awareness Month
October 2011 is the eighth annual National Cybersecurity Awareness Month. Activities and resources for companies and individuals interested in cybersecurity are being co-sponsored by the Department of Homeland Security, the National CyberSecurity Alliance, the Multi-State Information Sharing and Analysis Center, and the National Association of State Chief Information Officers.
While cybersecurity awareness efforts are to be applauded, designating October as Cybersecurity Awareness Month hardly seems necessary given the near-constant public attention to cybersecurity issues in 2011. The already-high interest in cybersecurity at the beginning of the year reached a new peak after breaches at Epsilon, Sony, and RSA were made public in March and April, and the Anonymous and LulzSec groups began Operation Anti-Sec, a series of coordinated hacking attacks, in June. In response to the breaches and public calls for more protection for sensitive data, the White House and members of Congress issued various proposals for new cybersecurity legislation, including the following:
- White House cybersecurity proposal: In May, the White House released a comprehensive package of proposed cybersecurity and privacy legislation. See our previous post about the White House proposal here.
- Republican cybersecurity proposal: Not to be outdone by the White House, the Republican leadership released their cybersecurity proposal earlier this month, emphasizing the need for industry incentives instead of government regulations.
- Congressional privacy and security bills: So far this year, members of Congress have introduced eleven bills with various cybersecurity provisions, three general privacy bills and eight data breach bills. Each of the privacy bills and seven of the eight data breach bills contain provisions that would require businesses not covered by Gramm-Leach-Bliley (“GLB”) or HIPAA security regulations to comply with information security regulations to be promulgated by the Federal Trade Commission (“FTC”). A chart comparing the eight data breach bills can be found here.
Regulatory agencies are stepping up their efforts, too. As we discussed in a prior post, just last week the Securities and Exchange Commission released guidance for companies regarding disclosure of cybersecurity risks and cyber incidents. Venture Beat reported that the FTC’s David Vladeck stated in a speech at this week’s Web 2.0 Summit that companies aren’t taking the necessary steps to protect consumer information:
“We’re not making much progress here,” he said. “Even big companies are not protecting with the vigilance that is required. The social contract says that if you store my data, you have to take reasonable measures to keep the information secure. If you want to steer clear of the Federal Trade Commission, the easiest way is to read our educational materials.
“A trick to keep me at bay is to pay attention to data security,” he said. “It should not be relegated to the back burner. It should be foremost in your mind at all times. We have plenty to do. We don’t want to see you. You don’t want to see us.”
How does your company secure its information? Do you know all the things you should be doing to protect sensitive customer, employee, and company information? Over the next two weeks, we’ll give an overview of the current legal requirements for data security in the U.S. and talk about some data security best practices to help your company protect its information.