America awoke this morning to a new President-Elect, Barack Obama, who swept to power in an historic election. With the change in administration, our attention as information security professionals naturally turns to the effect of the election on information security regulation and regulatory enforcement. In the past eight years, the Bush administration has neither pushed new information security regulation nor sought vigorous enforcement of the data protection laws on the books. With the election, however, “change has come to America” in many ways, as President-Elect Obama said last night, and change will also come to information security regulation in the next four years.
In general, Democrats tend towards favoring more regulation, and Republicans less. That tendency explains President Bush’s aversion to greater information security regulation over the last eight years. As another general statement, Republican administrations are more “hands off” than Democratic administrations when it comes to regulatory enforcement. The Bush Administration generally supported deregulation and placed comparatively few resources into regulatory enforcement, under the belief that the marketplace will sort out good business practices from bad. In the information security field, the Bush Administration focused little on information security enforcement and provided relatively few resources for enforcement, in keeping with this “hands off” philosophy.
What will we see in the Obama Administration? If the general trend holds, an Obama administration, partnered with new Democratic majorities in the Congress and the Senate, will put a much greater emphasis on regulatory controls and enforcement. The public sees the “hands off” philosophy in the financial sector as one cause of our current financial crisis, and therefore is more supportive of greater regulation than at any time since the 1960’s. This supportiveness may lead to new data protection legislation at the federal level. A federal security breach notification bill might be the first step. Moreover, I believe the Obama Administration will fund more vigorous enforcement of the laws on the books already, such as HIPAA.
The pace of change, however, may not be as quick as we might see from a new Democratic administration in any other year. The current financial crisis, the need to manage two wars, the urgent call for energy independence, and health care stand as top concerns for the new administration. These critical issues may delay the onset of attention to cybersecurity. Nonetheless, we should expect the new administration to turn to cybersecurity sometime during the next term, and we should expect larger budget numbers for regulatory enforcement.
What does this mean for the CISO? CISOs should watch carefully for new legislative developments, and should expect to spend more resources in the next four years on regulatory compliance. Moreover, if there were any CISOs out there that were postponing key security initiatives because of the belief that regulators won’t come after them, yesterday’s election should cause them to rethink their beliefs.
Times and administrations come and go. The regulatory pendulum swings back and forth. After this election, the pendulum will swing towards greater regulation. CISOs should start preparing for more regulation – now. Regulatory change is coming to America.