In the Wake of the Year of the Data Breach, Do We Need a Sarbanes-Oxley for IT?
When scandals roil Wall Street or Corporate Boards, federal regulations soon follow. Five years into our data theft epidemic, however, there’s still no law demanding accountability for information security.
It would be accurate to say that 2014 was the 'year of the data breach,' what with Home Depot, and Staples, and P.F. Chang's, and Michaels Stores, and Dairy Queen (among others... you get the picture).
But the truth is that 2013 was the year of the data breach also. That year, Target, JP Morgan, Adobe Systems and the Internal Revenue Service were among the victims. And - frankly - 2012 wasn't what you'd consider sleepy on the matter of data theft and inadvertent data loss, either.
The circumstances of these incidents are different of course, but the regularity with which they occur suggests that there are bigger issues at play than merely unpatched software, poor password hygiene or vulnerable web applications. Uncomfortable as it is to say: data breaches may be more symptom than cause – the product of a business environment that treats IT failings differently than those in, say, the accounting or sales departments.
As President Obama prepares to use his State of the Union Address to Congress to promote a raft of new cyber security legislation, some security experts think it's time for this to change – and for the federal government to take a more forceful stand in holding businesses to high standards of conduct and efficacy when it comes to managing their information technology infrastructure.
There’s a precedent for this. In fact, there’s a long history of outsize scandals leading directly to legal reforms. After corporate accounting scandals at companies like Enron, Tyco International and WorldCom cost investors billions of dollars in the late 1990s and early 2000s, Congress passed the Sarbanes-Oxley Act of 2002 to set high standards for the reporting of corporate financial data and to establish clear guidelines for both accounting firms and corporate executives and boards.
Then, when the economic collapse of 2008 and 2009 exposed irregularities and shortcomings in the way that large Wall Street firms were doing business, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 was enacted to right some of those wrongs.
In both cases, the legislation provided direct remedies for the problems that were perceived to have led to the crises. Sarbanes-Oxley set clear standards for the auditing firms that report on corporate financials. More important: it made senior executives personally responsible for the content of the financial statements their company issued, requiring the CEO and CFO to certify each periodic report. Dodd-Frank provided more checks on activities like the trading of derivatives and established the Consumer Financial Protection Bureau.
However, there has been no similar federal response to the steady drumbeat of data loss and hacking scandals at major corporations, nonprofits and government entities over the last 10 years. True: many states have enacted their own laws mandating disclosure of data breaches that affect their citizens.
But, as Sumit Agarwal, a former Senior Advisor for Cyber Innovation and Deputy Assistant Secretary of Defense noted when I spoke to him earlier this week: informing customers that their data may have been stolen does little to address the underlying causes of the breach.
The evidence seems to support this. To date, 47 states have passed some form of data breach notification law, and yet the pace and size of breaches has only increased over the same period.
What’s the solution? Agarwal, who is now the Vice President of Strategy at the firm Shape Security, suggests federal laws that would put information security and data protection on par with other sensitive corporate activities.
Heads have started to roll in the executive suite as a result of computer mishaps and successful hacks. But on paper, senior executives can still claim ignorance of the nitty-gritty details of security audits, penetration tests and patching, dismissing it as “geek stuff” (to use Agarwal’s term) that isn’t relevant to their job.
Forward looking cyber legislation wouldn’t merely force companies to disclose breaches to those affected by them, Agarwal notes. It would make senior executives liable for the accuracy of any statements about the integrity of the company’s information technology infrastructure and its operations.
Technology is becoming ever more important to the successful operation of companies. And that means the days of being able to dismiss it as “techy stuff” and mumbo jumbo are over.
“We’re coming into a realm where we all need to be more educated,” Agarwal said. I’ll second that!