{"id":82887,"date":"2013-08-30T08:27:50","date_gmt":"2013-08-30T12:27:50","guid":{"rendered":"https:\/\/today.uconn.edu\/?p=82887"},"modified":"2013-09-04T10:30:48","modified_gmt":"2013-09-04T14:30:48","slug":"cybersecurity-expert-urges-congress-to-consider-comprehensive-information-security-provisions","status":"publish","type":"post","link":"https:\/\/today.uconn.edu\/2013\/08\/cybersecurity-expert-urges-congress-to-consider-comprehensive-information-security-provisions\/","title":{"rendered":"Cybersecurity Expert Urges Congress to Consider Comprehensive Information Security Provisions"},"content":{"rendered":"
\"David<\/a>
David Thaw, visiting assistant professor of law, is an expert on legal issues pertaining to information security. (Peter Morenus\/UConn Photo)<\/figcaption><\/figure>\n

It\u2019s one of the most unpleasant, yet relatively common, experiences of the downside of the digital age: the notice from a company, employer, or public agency letting you know your most personal and valuable information \u2013 Social Security number, credit card information, online passwords \u2013 may have been compromised by a security breach.<\/p>\n

Congress is currently considering legislation that would make such notifications a federal requirement; right now, 46 states and 4 U.S. jurisdictions have similar laws, but they don\u2019t always match up with each other. Industry groups want one national standard, on the theory that complying with one law instead of 50 would be easier for all parties.<\/p>\n

But David Thaw, a visiting assistant professor at the University of Connecticut School of Law and an expert on legal issues pertaining to information security, isn\u2019t so sure. Last month, Thaw testified before a congressional committee, urging lawmakers not only to pass a national notification law, but to combine it with comprehensive information security requirements.<\/p>\n

Thaw\u2019s research, which will be published in 2014 in the Georgia State University Law Review<\/i>, shows that such a combined approach is roughly four times more effective in protecting consumers from data breaches than notification requirements alone.<\/p>\n

\u201cIf the federal government is going to pass a comprehensive law, it should adopt a standard that provides protection as well as notification,\u201d says Thaw. \u201cThis is really an opportunity for us to be ahead of the curve.\u201d<\/p>\n

While notification laws are fairly straightforward, comprehensive information security regulations are lesser known, but already required in, for example, the health care industry. In practice, Thaw says, Congress wouldn\u2019t write legislation that requires specific security practices, but would rather give regulatory agencies broad authority to develop those practices in consultation with private industry.<\/p>\n

\u201cThe legislation needs to be flexible, because not everyone in a given industry is going to have the same data security needs,\u201d he says, using health care as an example. Both small, one-physician medical practices and huge metropolitan hospitals have to abide by information security procedures set up by the Health Insurance Portability and Accountability Act, better known as \u201cHIPAA,\u201d Thaw points out, but they don\u2019t have to use the exact same practices.<\/p>\n

\u201cIf my hometown doctor were to follow the same breadth and depth of information security procedures that Massachusetts General Hospital has to follow, my doctor would be out of business in a day because of the cost,\u201d he says. \u201cThe law allows for that flexibility.\u201d<\/p>\n

Similar legislation could be drafted for industries that collect and store sensitive data, Thaw says, which, his research shows, makes breaches less likely.<\/p>\n

Ideally, such legislation would also go beyond what\u2019s commonly understood as \u201ccybersecurity,\u201d and address other security vulnerabilities. While it may be less glamorous than devising software to thwart hackers, it\u2019s just as important to have rules in place about keeping doors to server rooms locked, Thaw says, or requiring employees to keep sensitive documents in locked file cabinets.<\/p>\n

\u201cWhat Congress is considering, in terms of notification only, underestimates the amount of risk out there right now,\u201d Thaw warns. \u201cNot to be a doomsayer, but it\u2019s important that we address not just the breaches that are happening now, but the breaches that could be happening very soon. Here\u2019s an opportunity for us to be one step ahead.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"

A visiting professor at the Law School says his research suggests this could be far more effective than a plan requiring only notification.<\/p>\n","protected":false},"author":68,"featured_media":82850,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_crdt_document":"","wds_primary_category":0,"wds_primary_series":0,"wds_primary_attribution":0,"footnotes":""},"categories":[1],"tags":[],"magazine-issues":[],"coauthors":[131],"class_list":["post-82887","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"pp_statuses_selecting_workflow":false,"pp_workflow_action":"current","pp_status_selection":"publish","acf":[],"publishpress_future_action":{"enabled":false,"date":"2026-05-20 13:32:29","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"category","extraData":[]},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/posts\/82887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/comments?post=82887"}],"version-history":[{"count":5,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/posts\/82887\/revisions"}],"predecessor-version":[{"id":82897,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/posts\/82887\/revisions\/82897"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/media\/82850"}],"wp:attachment":[{"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/media?parent=82887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/categories?post=82887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/tags?post=82887"},{"taxonomy":"magazine-issue","embeddable":true,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/magazine-issues?post=82887"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/today.uconn.edu\/wp-rest\/wp\/v2\/coauthors?post=82887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}