All but 2% of respondents surveyed at an international gathering of computer security professionals earlier this month believe the law should address data breaches that expose consumers' personal information, and 16% advocate criminal charges against offending companies' CEO or board members.
The respondents -- 102 of the 700 IT security pros attending the E-Crimes Congress in London -- said legal punishments should include fines (65%), mandatory disclosure (68%) and compensation for the consumers affected (55%).
Conducted by security solutions provider Websense at the event, the survey also found a sizable majority (70%) believe the CEO is ultimately responsible in the event of a data breach, followed by those who believe responsibility lies with the chief security officer (13%), board members other than the CEO or CSO (9%), the IT department (5%) and the individual employee involved (4%).
The E-Crimes Congress was held March 11-12, coinciding with the introduction of the "Data Security and Breach Notification Act" in the House Commerce, Manufacturing and Trade Subcommittee. The bill, cosponsored by Rep. Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.), would require entities that collect personal information to secure the data and provide notice to individuals if the data security is breached. Additionally, it would pre-empt the current "patchwork" of state and local laws with a single, national protection/notification standard.
That was a point of contention among committee members in a March 18 hearing on the bill, with Democrats arguing that the approach merely replaces stronger laws with weaker ones. The bill's critics also complained that it doesn't deal with information privacy protections.
Meanwhile, the Senate Select Committee on March 17 released the final version of a separate data security bill, the Cybersecurity Information Sharing Act, it passed in a closed session on March 13. The National Cable & Telecommunications Association last week praised the bill, saying it would make it easier for its members to share information about potential cyber attacks, while others objected to a lack of privacy protections.