2 MINUTES ON… Data breaches and the law

The recent spate of breaches involving thousands of Americans' sensitive data has prompted calls for legislation to protect consumer information. But some security experts disagree.

"Legislation is necessary, but it's not going to solve the problem," said Mark Rasch, chief security counsel at managed security provider Solutionary.


"What we really need to do is have a national debate and consensus on the whole concept of privacy."

Congress held hearings in the wake of the disclosures. Lawmakers voiced outrage, and proposed a variety of measures to protect consumers' personal information, including regulating the data broker industry, restricting the sale of social security numbers, and requiring notice to consumers if personal data has been breached.

Ray Everett-Church, principal at consulting firm PrivacyClue, said that the data aggregation industry needs stronger regulation.

"Data aggregators are operating in an ultra-hazardous business and they haven't realized it," he said, "or they try to pretend otherwise."

Several security experts said that they support a national security breach notification law, like the one which already operates in California.

Unless there is a law that requires companies to notify customers of a security breach that compromises their data, it is hard to say if they would go to the expense of doing it, noted Jeff Curie, chief strategist at IBM Tivoli.

But Chris Zannetos, CEO of provisioning software supplier Courion, said there are pitfalls with legislating security in general. Government requirements can lead companies to focus on passing an audit, which can lead to a false sense of security, he said.

John Pironti, enterprise solutions architect at Unisys, agreed, noting that companies will look at what they need to do to meet government requirements, not necessarily what is the best way to protect data.

Despite the breaches – which had more to do with social engineering than cyberattacks – it is important to note that the "sky is not falling," said Robert Holleyman, president and CEO of the BSA. A recent survey by the BSA and the ISSA showed that the private sector is making cybersecurity progress, he said.

Copyright © SC Magazine, US edition