Opinion: Overregulation Isn't The Answer To Security Breaches

Suffocating businesses in new layers of bureaucracy and regulation isn't the answer to solving lax data security. Instead, the harsh glare of publicity can force companies to tighten privacy protections.

Rob Preston, VP & Editor in Chief, InformationWeek

July 13, 2005

These aren't isolated cases. In a recent survey by Deloitte & Touche, Harris Interactive and Privacy & American Business, 20 percent of respondents said they've been the victim of identity fraud or theft. That response, from a representative sample of the U.S. population, suggests a total of 44 million victims nationally. The FTC puts the number at 10 million, but even so, it estimates annual damages at $5 billion for individuals and $48 billion for businesses.

More Regulations?

Any problem that inflicts such damage is bound to invite political intervention, and momentum is building for U.S. legislation akin to the data-protection laws in Canada, Europe and Japan. Under a bill introduced last month by Sens. Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.), companies that store information on more than 10,000 people would have to create formal programs to train employees in security practices, perform vulnerability tests and ensure that third-party service providers have adequate security. Consumers would get regular access to their data files so they could make corrections. Under a similar plan backed by Sens. Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.), an office of identity theft would be created within the FTC, funded at $60 million a year for five years.

While $60 million may sound like a bargain to solve a $50 billion problem, consider the funding and red tape already behind the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Driver's Privacy Protection Act and the myriad other federal and state acts of good will that ostensibly protect privacy and ensure information security. The FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce," served as the legal grounds for the infosec actions against BJ's Wholesale and four other companies. Do we need yet another layer of regulations?

A better next step would be to extend nationwide a California law requiring companies to notify customers whenever personal information is believed to be compromised. Faced with the public embarrassment of such national disclosures, companies will get their infosec acts together, while immediate notification of security breaches will let those affected head off fraud.

If you think public embarrassment isn't a big enough stick, consider how fast Enron fell from favor--not so much because of its considerable crimes and misdeeds, but because those crimes and misdeeds grew larger than life under the media klieg lights. It became a symbol of corporate malfeasance, turning off customers, business partners, regulators, investors and anyone else who had a say in its future. The same fate could await companies that play fast with their customers' data.

Meantime, find and punish the data and identity thieves. Under a law signed by President Bush last year, the federal penalty for identity theft was increased to five years from three, with even stiffer penalties for insiders. Now let's rack up some high-profile convictions.

Rob Preston is editor in chief of Network Computing.

About the Author(s)

Rob Preston

VP & Editor in Chief, InformationWeek

Rob Preston currently serves as VP and editor in chief of InformationWeek, where he oversees the editorial content and direction of its various website, digital magazine, Webcast, live and virtual event, and other products. Rob has 25 years of experience in high-tech publishing and media, during which time he has been a senior-level editor at CommunicationsWeek, CommunicationsWeek International, InternetWeek, and Network Computing. Rob has a B.A. in journalism from St. Bonaventure University and an M.A. in economics from Binghamton University.
