In the midst of all the excitement around healthcare reform, the fact that both the house and senate made some progress on their (separate) bills for protecting personal information hasn’t received the attention it deserves.  Sure, I think we’re up to 46 states that now have their own breach notification laws, but simplifying this and raising the bar in some of the states with more lax regulations, is certain to improve the state of database security overall.

So, where does this stand?

The biggest advance was in the house, where the “Data Accountabilty and Trust Act” (aka H.R.2221) passed on December 8th, and has been sent to the senate.  It includes provisions aimed at improving security policies, as well as breach notification requirements.  See:

The senate, has 2 of their own bills that made it out of “committee” in November, and await a floor vote.  The “Personal Data Privacy and Security Act of 2009” (looks like they’ll have to update the name) and the “Data Breach Notification Act” address the need to better secure sensitive information and notify individuals in case of a breach, respectively.   See:

There is still work to be done in Washington (the senate must pass their bills, then on to reconciliation to get the house and senate versions aligned, and of course they all get to vote again), but even so, I’m optimistic that something will come of this next year.  Maybe I should have put that in my predictions for 2010.  If that’s the case, I think it will bring more focus in virtually every company on the need to better secure databases.  Those that have already taken the step to deploy tools to monitor activity will be in the best position to meet the new requirements with minimal disruption, and for those that have been looking for ways to justify the expense to management, this will make it much easier.

You know that data breaches have become part of big business reality when the Harvard Business Review publishes a hypothetical case study entitled “Boss, I Think Someone Stole Our Customer Data”. The case study does a very good job of illustrating the initial confusion and many gray areas that enterprises face when confronted with a possible breach.

When the first signs of a possible breach are raised, often there would be some uncertainty regarding the nature of the breach, its extent and whether there has been a breach at all. Insider breaches are especially tough, because insiders have a better shot at covering their tracks than intruders from the outside, and have more visible attack surfaces to begin with (this is one place where database monitoring can help).

Once it is established that a breach had occurred – and this does not have to be with 100% certainty, it’s enough to establish that a breach is likely – there are many things an enterprise needs to do, and do quickly.

Finding the culprit(s) (the “who done it”) would be many people’s instinct, but actually this should be quite low on anyone’s list, and usually takes a long time to do anyway. The top 3 immediate steps that I would take are as follows: