Obama's cybersecurity proposals: Great in concept, devil is in details
The Obama administration last week unveiled a set of legislative proposals to improve the security of computer systems, both in the federal government and in the private sector. Many of the most controversial proposals address systems owned by private companies that are considered part of the critical infrastructure, such as financial institutions, electric companies, transportation firms and gas companies.
It seems clear that policymakers are poised to establish incentives for companies to start making the necessary investments to secure their data. I think most would agree that it was important for the White House to make online security a priority. It can be a fine line, though, between incentives and mandates, and lawmakers need to proceed with caution.
Under the White House proposal, the Department of Homeland Security would lead the effort to identify the main critical infrastructure operators as well as their main threats and vulnerabilities. The operators would then come up with plans to minimize the risks, but they would be required to have a third party audit the plans and make a summary available. Here's where it gets a little tricky, however: If this process doesn't result in a sufficiently strong framework, DHS could change it.
For those of you in the critical infrastructure industries, this kind of incentive--if carefully crafted so as not to result in government becoming overly intrusive in industry's technology decisions--could be enough to move your CEOs and CFOs to start making the necessary security investments. For everyone else, there's the hope that a rising security tide could raise all boats.
Another proposal that needs to be taken up with great care is the administration's recommendation for a national data breach notification law. While a national law makes a lot of sense, it is important for Capitol Hill not to roll back advances that states have made in enforcing their own notification laws. Where states have managed to motivate businesses to take the necessary steps to secure consumer data, they shouldn't be forced to abandon those efforts. A national breach notification law should set a baseline standard for notification, but states should be allowed to expand on it.
Lawmakers should also proceed cautiously when taking up the White House's proposal to give companies immunity when turning over information about their customers' communications to the Department of Homeland Security. Some in our communications sector do not have a good track record when it comes to respecting customers' privacy rights in the face of data-sharing exercises with the government. Under this proposal, companies would be required to make "reasonable efforts" to filter out identifying information that isn't related to a threat before giving it to the feds, but that kind of effort sounds very much open to interpretation. The White House emphasized that this proposal "mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties." The key to ensuring that companies don't land in trouble is to be sure that the fox is not guarding the privacy-oversight henhouse.
How do the White House proposals look from where you sit? - Caron