Today, close to half the states have enacted data privacy laws modeled after California's SB-1386, requiring companies to out themselves when a breach occurs. And late last month, the Senate approved the Personal Data Privacy and Security Act, which requires businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies.
With consumer confidence shaken and politicians clamoring for stiffer laws and penalties, if companies can't make sufficient headway against the problem in 2006, the loss of customer data will become the big security issue of the year.
Customer data is the most valuable data that thieves can make off with, and in recent years it has been among the most unprotected data. Companies that follow comprehensive encryption practices, make immediate security patches, and educate and train their employees on how to comply with their data protection policies are ahead of the game. Some even promote their policies and best practices for competitive gain. Improving your data security posture and protecting customer data is just good business.
And that's why I think the customer data theft problem will be reduced next year. Security officers no longer have to pull out a bullhorn to get heard in the din of the corporate budgeting process. The horror stories are too fresh. Just this week we heard that Scottrade had to notify as many as 140,000 customers that their personal information may have been compromised due to a security breach at one of its vendors. And the list of high-profile customer data breaches for 2005 is a long one. Companies like ChoicePoint, LexisNexis, and CardSystems can all testify that dealing with data theft after the fact is not a tenable position.
But the solution has to be more than outing the companies that lose the data and leaving it up to the potentially affected customers to contact their credit service bureaus and their banks with fraud alerts. Corporations have to take it upon themselves to make it more than a risk of doing business. Looking at the problem from a corporate perspective will go a long way toward reducing its occurrence.
The well-publicized debacles of 2005 should serve as more than a wake-up call. Sure, we can expect the thieves to grow more sophisticated. But in looking back, the breaches weren't all that sophisticated to begin with, many involving preventable oversights such as tapes lost in transit or stolen laptops with unencrypted data.
In 2006, we can do better.