Do we need more government regulation?

by | Feb/3/2010

I was giving a presentation in 2009, and a CEO of a successful corporation talked about how he received one of those letters saying, “Your data may have been obtained by hackers due to a data breach.” He asked, “What can we do to get the other businesses in the world to keep our data safe?”

Before I could catch them, these words spewed out of my mouth: “We need more government regulation of businesses.” I immediately stopped, appalled at what I had just said, and stood there in disbelief.

The fact is, due to a number of problems in organizations, IT security too often gets pushed to the back burner. Next week’s blog entry will deal with those reasons. Do we need more laws to force companies to be secure? For the responsible companies I work with, I say “No! Enough regulation already!” I know they are taking steps to be more secure. But for those companies that send the rest of us letters notifying us of breaches, I think we all would have been happy if some regulation had forced them to be more careful with private information. The PCI-DSS standard for companies that accept payment cards is still a regulation—except in Nevada, where it is now a law. Minnesota also has laws around the core requirements of PCI-DSS.

I used to be totally against some government regulations, but as I see some organizations being careless with your private data, I wonder if a little regulation might go a long way. Please respond with your comments on this blog.