Marketers question data security bill impact
Jennifer Barrett Glasgow, Chief privacy officer, Acxiom Corp.
Marketers have expressed skepticism about whether a new data security bill introduced in the U.S. Senate would be effective in solving what Wes Nguyen, head of marketing at Privacy Data Systems, said is a common problem for companies in an age where most information lives online.
"Many companies are either good at the storage of data or the transmission of data," said Nguyen. "Very few companies have the technology practice and protocols to do both. Companies may protect their own firewalls, but what about the data downloaded by an external party? Even if it takes a second for an email to get to you, it usually goes through a minimum of eight servers. At each touchpoint of that process, some of that data is copied and stored."
The Personal Data Protection and Breach Accountability Act of 2011 would require specific storage guidelines and security procedures — including regular risk assessment evaluations and systems tests — for companies in possession of the information of more than 10,000 customers.
Even if passed into law, the legislation wouldn't impact a number of companies that don't access or store the sensitive data defined in the bill, or that fall below the 10,000-customer threshold. While those that retain data on thousands — or even just dozens — of consumers are encouraged to implement security procedures to protect that valuable and private information, doing so would remain voluntary.
Legislation currently varies slightly in each state, which can make it difficult to figure out what data is covered and how a notice should be delivered, said Jennifer Barrett Glasgow, chief privacy officer of Acxiom Corp., a global interactive marketing services company.
The proposed legislation, introduced in September by Sen. Richard Blumenthal (D-Conn.), isn't the first of its kind — there are six similar bills currently in the House and Senate. Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands already enforce data-breach notification laws.
Barrett Glasgow is among those who are in favor of the proposed law, which she believes would simplify compliance.
"Legislation on the federal level is practical," she said.
Companies that violate the law would be subject to government fines as well as consumer lawsuits. Some question whether the proposed legislation has any teeth. The threat of fines and lawsuits could indeed prompt some companies lax about data security to invest in adopting new protocols and following best practices. But Alexis Moore, a privacy expert and marketing consultant, said she has doubts about the power of a bill that doesn't have a well-defined implementation plan and a method by which security practices could be regularly audited by the government.
"The Personal Data Protection and Breach Accountability Act reminds me of the Truth in Caller ID Act of 2007 or the national Do Not Call Registry," Moore said. "These laws were written and passed with good intentions, but [with] no funding for follow-up."