Sponsored By

Identity Theft Laws Elevate Security to the C-Level

Federal legislation could lead to onerous security demands on organizations holding consumer information.

InformationWeek Staff

December 14, 2005

4 Min Read

What do Time Warner, Lexis-Nexis, ADP, and Bank of America all have in common? They all suffered breaches in customer data security in 2005, and the incidents all fueled calls for federal legislation that could lead to onerous security demands on organizations holding consumer information. Even if legislators show restraint in demanding new controls, it's time for corporations to create C-level security positions.

Security breaches now lead to high-profile public disclosures thanks to state laws such as California's Security Breach Information Act (SP 1386) and Washington's "Breach Disclosure" law (SB 6043), which require that consumers in those states be notified when their personal data is compromised. With other states eyeing similar bills, some in Congress say it's time for a nationwide approach-an outcome business might favor, too, as long as the law isn't too demanding.

Thus far, Congressional committees have proposed at least six bills. One of the most comprehensive is "The Personal Data Privacy and Security Act of 2005" (S.751), proposed by Senator Arlen Specter (R-Pa.), Chairman of the Senate Judiciary Committee and Senator Patrick Leahy (D-Vt.). The bill calls for corporate accountability for data privacy and security programs, but there's controversy over how to define and enforce such a mandate.

"The government must assess the risk associated with certain data types so companies aren't notifying consumers every time a breach of even noncritical data occurs," says Jerry Cerasale of the Direct Marketing Association (DMA), a trade association representing more than 5,200 direct, database and interactive marketers.

Just what is "critical" personal data? Some would limit that definition to social security numbers, addresses, phone numbers, family members' names and credit or debit numbers, but a broader definition, such as that in California's law, would encompass "marketing" data about hobbies and buying patterns.

Cerasale warns that companies will face enormous costs if forced to build departments and systems for detecting and reporting breaches. What's even more troubling to some is the fact the Specter-Leahy bill calls for data brokers to give consumers a chance to "access and correct" their information. "That would open up an entirely different avenue for identity thieves to come in and undercut antifraud efforts," says Cerasale.

If such measures are passed, "COSO as a main risk structure and standards such as COBIT, GAAP and GAISP, are no longer going to be adequate," warns Fred Cohen, a principal analyst at Burton Group.

Cohen says enterprises should consider creating new positions or morphing existing ones to prepare for such legislation. "The position of a chief information security officer (CISO) exists at many large firms, but it has not been a 'C-level' position," says Cohen. "The CISO will have to be a position right up there with the CEO, CFO and CIO."

Federal legislation will demand changes in hiring practices, HR policy, legal issues, risk management, auditing and policy, says Cohen, a situation that will demand leaders who can grasp the physical and technical security issues and devise an effective program companywide. "They must have the management skills so that what they write becomes rules followed by the CIO and those running networks, databases, software and operating systems. This person must make sure that management implements the controls and that audit then checks to make sure those controls are in place."

[ KEY PERFORMANCE INDICATORS ]

Free Web Site Analytics

Google promised too much to users of its AdWords advertising service when it offered free (although limited) Web-site analysis. One week after bowing Google Analytics in November, the company was forced to stop adding new customers when systems reached capacity. At deadline, there was no word on when or whether the service might reopen to new customers.

Corporate Information Security

Security is rising out of obscurity and gaining top-level attention. Nearly 21% of CEOs now take responsibility for data security, up from 12% in 2004, says a December study by the International Information Systems Security Certification Consortium. CISOs/CSOs now head security at 24% of member firms, up from 21%, while CIO accountability dropped from 38% to 30%.

Applications in a Box: All Clear

SAP is working with Cisco Systems to develop network applications for small businesses. The collaboration will yield routers with business apps sitting on top. The advantage? Fewer routers and less software to install and configure. Theoretically, you'd only need one box, and networking and app settings would be ready to go. Plug in the power cord and the Internet, and you're in business.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights