Cyber Security Industry Alliance Newsletter •  Volume 2, Number 8 • April 2006

CSIA Board Members Take Cyber Security Message to Congress

CSIA board members distributed the letter below to the top leadership of both houses of Congress, calling for action on key legislation before the end of the year.


CSIA Letter to Congress On Data Protection




April 4, 2006


Dear Congressional Leaders:

Over the past year more than 52 million records of Americans’ private personal information – an average of 142,000 per day – have been hacked into, lost, stolen or otherwise compromised from digital databases.

These security breaches, from medical records to social security numbers and credit card accounts, were once front page news. Today they have become so commonplace as to hardly seem newsworthy, but their cumulative effect has been to corrode public confidence in the security of private personal information. For the first time, surveys now show a decrease in Americans’ interest in doing business online. Perhaps part of the reason is that the average identity theft victim – and there were 3.4 million of them last year – spends $834 and 77 hours just clearing their name.

This growing trust deficit is a serious threat to economic growth, which depends on technological innovation. It’s no surprise that these same voters are looking to Congress for action. Nearly two-thirds of both Republicans and Democrats told us in a survey last summer that the government should do more to ensure the security and reliability of the Internet.

Law enforcement and regulatory agencies have begun to crack down on companies that do not adequately protect consumer data, but they are constrained by a legal framework that largely predates the borderless global nature of the Internet. State governments have also begun to take action; led by California, nearly half have mandated consumer notification of data breaches, and a number are considering further steps to attempt to prevent new ones. Unfortunately, these good intentions will likely result in an unnecessarily complex and cumbersome web of regulations for businesses to comply with and consumers to understand.

Congress must demonstrate leadership by passing legislation to foster the adoption of best practices to protect consumers’ personal information – such as encryption that renders stolen data unusable – and standardize the requirements for reporting breaches that do occur. At the same time, overly prescriptive legislation, particularly specific technical mandates, would likely backfire. Criminal attacks are constantly evolving and adopting new techniques; the wrong bill could essentially legislate obsolescence, doing much more harm than good. Fortunately, existing federal standards, like 1999’s Gramm-Leach-Bliley Act, provide proven guidance.

More than one bipartisan bill under consideration would effectively accomplish these objectives and provide a realistic legal framework that organizations of all sizes can comply with – IF party leaders, committee chairmen and other members can set aside their differences and focus on protecting Americans’ private, personal information. The specific distinctions between the bills’ provisions are important, but not enough to justify derailing the process altogether. After all, even the most finely crafted legislation is meaningless if it never makes it to the floor for a vote. We urge you to use your leadership positions to secure a data breach bill now, for business and consumers alike.

Joseph Ansanelli, CEO & Co-Founder, Vontu

Russ Artzt, Executive Vice President, CA, Inc.

Philippe Courtot, Chairman & CEO, Qualys, Inc.

Arthur Coviello, President & CEO, RSA Security Inc.

Ken Denman, Chairman, President & CEO, iPass, Inc.

Phil Dunkelberger, CEO & President, PGP Corporation

John McNulty, Chairman & CEO, Secure Computing Corporation

Thomas Noonan, President & CEO, Internet Security Systems, Inc.

George Samenuk, Chairman & CEO, McAfee, Inc.

Steve Solomon, Chairman & CEO, Citadel Security Software

Mark Templeton, President & CEO, Citrix Systems, Inc.

John Thompson, Chairman & CEO, Symantec Corporation