A US task force has backed calls for the introduction of national laws that would require firms to notify the public of cyber security breaches.
The task force, operating under the US Department of Commerce, noted that while state laws had been successful in getting private sector organisations focused on security, “the differences among these state laws present undue costs to American businesses”.
“A legislated and comprehensive national approach to commercial data breach will provide clarity to individuals regarding the protection of their information throughout the United States, streamline industry compliance, and allow businesses to develop a strong, nationwide data management strategy,” the task force said.
It was supportive of disclosure laws because they served as a “light handed negative incentive… to encourage firms to better secure the personal information that they hold about individuals and take steps to prevent the breaches that cause them.”
The proposed national law is part of sweeping reforms announced by the Obama administration in May.
Such laws have been talked about in the United States for several years.
A series of recent high-profile security breaches has put the issue firmly back on the political agenda.
Only today, Citigroup was copping flak over revelations of a breach that occurred back in May.
The task force report said that cyber security threats had to be combated in partnership with industry.
The report stressed the need for “multi-stakeholder groups” to develop, when necessary, nationally recognised, consensus-based standards and practices for the Internet and Information Innovation sector.
It said the industry was behind in adopting protective technologies and reviewing company liability structures and cultures that discouraged the uptake of best practice.
The report promoted using government procurers to vet the security of products purchased by agencies against “common criteria”.
It also proposed further research on automated security and compliance ahead of the expected increase in use of cloud computing.