Privacy Breach Legislation and Adopting a Code of Conduct

Our new member forums, such as the IT Security Community, are generating some great discussions. In the most recent web meeting/conference call, the group of industry thought leaders (IT vendors, solution providers and tech security experts), moved the needle on some major topics. By joining a CompTIA community, members can engage with others with similar business needs, tacking projects that will advance the industry. 

The IT Security Community is focusing its efforts on a few key initiatives, including efforts to establish national breach laws and a group code of ethics. In addition, they are developing best practices education tracks and industry research, while discussing other IT security needs and projects.

Elizabeth Hyman, our new VP for Public Policy,  started the meeting by discussing an opportunity proposed by an attorney that works closely with the association. With Congress likely tied up through the end of the year with several pieces of high profile legislation, Privacy-Breach issues could be held up until the early 2011, if not longer. Hyman gave an overview of the National Council of Commissioners on Uniform State Law, which drafts a template of legislation a state could adopt to address complex issues. The IT Security Community initiative to implement privacy-breach legislation could be advanced significantly with support of the NCCUSL. Collaboration between the organizations could create a model approach to building a law that could be implemented by any state.

When federal legislation does not move forward, a state model law is the next best thing according to Hyman. With the current situation in Congress, this option may be the best way to accomplish the group’s goals, at least for the time being. Digital signature legislation was developed in this manner, states could adopt all or the core of the tenants, as long as they don’t pre-empt the federal law. There can be variations in the law, but they can’t conflict with the national legislation. Members in attendance at the IT Security meeting agreed the opportunity was intriguing, and a meeting with the legal expert was proposed as soon as it can be arranged.

Why is breach law such a priority?
The current patchwork of laws makes it difficult to comply with each state’s legislation, a major issue when an issue occurs with a multistate client.  For example, New Jersey requires a data holder to contact the state police crime unit BEFORE it issues a breach notification, while other states don’t. It’s difficult for solution providers to master the basics of a handful of states’ laws, let alone the intricacies of all 50. Many states either go too far with their regulations, or not far enough. Either way, consistent and fair privacy and breach laws are needed for providers and end users, and the IT Security Community is making a major push to ensure it happens.

The group is also moving ahead with its Code of Conduct, a one-page document to ensure members follow the obligations of the community. One of the first actions of the group is to create a solid foundation of rules and standards each member should follow, in order to ensure the community meets its obligations to the industry and all its constituents.

Among the goals for this document is ensuring the protection of customers and their infrastructure, responsible and legal actions, reliable service provision, and advancement of group and CompTIA goals. The draft was distributed to the group, and members hope to ratify the final version in the not-too-distant future.  

The CompTIA IT Security Community is actively recruiting new members to collaborate, network and advance the industry in which they serve. If you’re interested in attending a meeting, or contributing to the group, let us know.