Do we need more government regulation?


I was giving a presentation in 2009, and a CEO of a successful corporation talked about how he received one of those letters saying, “Your data may have been obtained by hackers due to a data breach.” He asked, “What can we do to get the other businesses in the world to keep our data safe?”

Before I could catch them, these words spewed out of my mouth: “We need more government regulation of businesses.”  I immediately stopped, appalled at what I had just said, and stood there in disbelief.

The fact is, due to a number of problems in organizations, IT security too often gets pushed to the back burner. Next week’s blog entry will deal with those reasons. Do we need more laws to force companies to be secure? For the responsible companies I work with, I say “No! Enough regulation already!” I know they are taking steps to be more secure. But for those companies that send the rest of us letters notifying us of breaches, I think we all would have been happy if some regulation forced them to be more careful with private information. PCI-DSS standards for companies that accept payment cards is still a regulation—except in Nevada where it is now a law. Minnesota also has laws around the core requirements of PCI-DSS.

I used to be totally against some government regulations, but as I see some organizations being careless with your private data, I wonder if a little regulation might go a long way? Please respond with your comments on this blog.


2 Responses to “Do we need more government regulation?”

  1. Andrew Cooper says:

    I am a IT Director in the Healthcare Sector and from my perspective having regulation is at times the fuel that is needed unfortunately to get the Boards of Organizations to allow the spending on IT Security.

    HIPAA in its early forms did very little to allow organizations to increase thier security. It in fact was largely ignored as a bother and something that would just cost money. The reason for this was that the enforcement and penalty was both weak and minor. Therefore it was not worth the investment from the eyes of a budget minded organization. However with the HITECH Act where penalties are now up to 1.5 million and it is now the State AG that is investigating the violations, Organizations are realizing that the risk is too large.

    It unfortunately is small items that are often ignored that are the weak links, it is not that organizations do not have well established firewalls and corportate policies to enforce security, but it is the items behind the scene that “only cost money” or are “only for HR” that need to be invested in to ensure the security of the organization.

    Mike, I am like you I do not want the Government meddling in my buisnessness, but on the other hand, I am not opposed to regulations from a body that would be a requirement to ensure security and privacy. In this economy where cash is analyized down to the dollar, Compliance is often the buzzword that allows IT to achieve it’s goals.

  2. Mike Foster says:

    Exactly. I wonder why it has to be this way?

Leave a Reply