Tuesday, June 05, 2007

PCI Might Become Law in CA As Well?

Wow, is this (and this) a trend or what? CA is also looking at "PCI"-like law.

"The legislation would also require merchants to use so-called strong encryption routines and access controls while storing or transmitting other types of data, such as card numbers and the names of account holders."

Well, hopefully they mandate logging and log management as well :-)

So, all this "security as a law" makes some people (MJR?) uneasy. Why? Here are the reasons I've heard:
  • People will fall to the lure of "checkbox security" and only adopt the bare minimum
  • Law will be abused (see DMCA)
  • Legal Depts will determine what security measure are "necessary"
However, I don't think that this stuff is necessary all that bad and the above points are debatable at best. I see the world becoming more secure overall as a result of such regulation (in any case, it seems more compelling than fake ROI studies as a driver for security adoption ...)


UPDATE: this blurb shows some of the reasons folks hate "legalized security." It even equates future security with "lawyer-driven regulatory compliance-centric checkbox." Further in the piece it covers some of the reasons why it is not so bad (which I happen to agree with). This might be premature ("Information security as a whole moves from a poorly defined, immeasurable cost center to a clearly specified, predictable compliance function."), but it seems like an overall progress.

Dr Anton Chuvakin