So far, in the first 6 months of 2011, there have been 9 different Information Security related proposals put forward by different Senators that would create new laws or reform existing ones.
February 20 2011 – Rep. Rush (D-Ill) reintroduces BEST PRACTICES Act
April 7 – SEC Regulation S-P mandates that financial firms safeguard confidential info
April 12, 2011 – Senators Kerry and McCain introduce Privacy Bill of Rights
April 13,2011 – Stearns introduces Consumer Privacy Protection Act of 2011
May 9, 2011 – Rockefeller Introduces Do-Not-Track Online Act of 2011
May 12, 2011 – White House Proposes Cybersecurity Legislation
June 7, 2011 – Senator Leahy reintroduces Personal Data Privacy and Security Act of 2011
June 13 2011 – SAFE Data Act
June 15 2011 – Location Privacy Protection Act
By my count, in 2009, there were approximately 18 different Health Care Proposals in 2009 before the House and Senate both adopted their own proposals. Comparing such a hotly debated and controversial issue, it seems difficult to accept that there is such a lack of consensus on what the next steps are or should be for Information Security legislation at the Federal Level. With the dramatic increase in hacking related incidents since the Sony DDOS and subsequent compromise, it seems likely that other groups will add their proposals to the mix.
Does this mean that the time is right for legislation to finally be passed? Does this mean that the different interest groups will begin working together? Does this mean that there is a lack of understanding of the issues and that further inaction can be expected until this is a larger issue with constituents? The issue with any legislation will be that it is difficult to mandate how a particular industry or company implements security in their environment. The Credit Card industry has been very successful in coming up with their own design, but typically this is one one part of a whole company's structure, and as we saw with Sony and more recently Citigroup, even big companies have trouble being compliant.
Whatever it does mean, it is still a very positive thing that so many individuals are putting their ideas forward. It may be that multiple laws could be passed, each on their own or all of these proposals could be refined down to one larger law.