Sony’s popular PlayStation Network suffered a massive data breach earlier this year, exposing 100 million users’ credit card numbers, home addresses and more. Numerous other firms, including Morgan Stanley and marketing firm Epsilon, also have suffered major breaches in recent months. With this epidemic of data breaches making headline after headline, it was only a matter of time before Congress got involved. But more government intervention will only make things worse.
Data breaches can occur for any number of reasons, from the carelessness of employees, to the use of an exploit on a server, to a complex orchestrated intrusion of a system. This is similar to your house being burgled: It could be because you left the front door wide open, or maybe a window unlocked, or sophisticated burglars scoped out your place and struck, despite locked doors and an alarm system.
Many businesses need to do more to safeguard users’ personal information. But the federal government is not properly equipped to dictate how companies must safeguard customer data. America’s unrivaled information security industry is creatively responding to data breach concerns with new technologies that promise smarter, more effective approaches to combating data breaches. Congress can’t even ensure federal agencies secure their data, as illustrated by the recent WikiLeaks snafu and the Conficker worm, which has afflicted millions of government computers.
These lessons have fallen on deaf ears on Capitol Hill. Last month, a trio of Senate bills targeting data breaches passed out of committee. The most comprehensive of these, sponsored by Sen. Patrick Leahy (D-VT), would enjoin the Federal Trade Commission to regulate the security practices of businesses that collect personal data. The legislation would also require companies to promptly notify customers whenever breaches occur. The other two bills contain similar provisions, although they differ in their treatment of federal agencies and breach notification requirements.
Lawmakers’ current approach to data breaches wrongly treats companies as culprits, not the victims they are. Kevin Mandia, founder of the information security company Mandiant, recently told the House Intelligence Committee that data breaches are not necessarily indicative of a company’s security standards. Attackers only need to find a single vulnerability, but defenders have to carefully guard their entire systems. Thus, breaches are a real risk even for companies with superlative security practices. By penalizing firms that take data security seriously, we risk encouraging businesses to focus more on keeping regulators at bay than on genuine security improvements.
As AT&T cybersecurity chief Edward Amoroso argues, the essence of robust security lies not in standardization, firewalls or antivirus programs, but in fostering a diversity of systems and methods. If federal bureaucrats ordain a finite universe of acceptable security practices, bad guys benefit from a more predictable set of platforms and technologies on which to focus their attacks.
The evolution of data security and the responsible stewardship of personal information should be driven by consumer demand, not by bureaucratic whim. Companies that fail to protect against data breaches will suffer as consumers seek better security with their competitors. Sony, for instance, took a huge reputational hit for mishandling the massive breach it suffered earlier this year, which also wiped out billions of dollars in shareholder value. This result is hardly surprising — consumers value the integrity of their data and will vote with their wallets against companies that make mistakes.