Identity Theft Laws Elevate Security to the C-Level - InformationWeek

Federal legislation could lead to onerous security demands on organizations holding consumer information.

What do Time Warner, LexisNexis, ADP, and Bank of America all have in common? Each suffered a breach of customer data in 2005, and each incident fueled calls for federal legislation that could impose onerous security demands on organizations holding consumer information. Even if legislators show restraint in mandating new controls, it's time for corporations to create C-level security positions.

Security breaches now lead to high-profile public disclosures thanks to state laws such as California's Security Breach Information Act (SB 1386) and Washington's breach-disclosure law (SB 6043), which require that consumers in those states be notified when their personal data is compromised. With other states eyeing similar bills, some in Congress say it's time for a nationwide approach, an outcome business might favor, too, as long as the law isn't too demanding.

Thus far, congressional committees have proposed at least six bills. One of the most comprehensive is the Personal Data Privacy and Security Act of 2005 (S.751), sponsored by Senator Arlen Specter (R-Pa.), chairman of the Senate Judiciary Committee, and Senator Patrick Leahy (D-Vt.). The bill calls for corporate accountability for data privacy and security programs, but there's controversy over how such a mandate should be defined and enforced.

"The government must assess the risk associated with certain data types so companies aren't notifying consumers every time a breach of even noncritical data occurs," says Jerry Cerasale of the Direct Marketing Association (DMA), a trade association representing more than 5,200 direct, database and interactive marketers.

Just what is "critical" personal data? Some would limit the definition to Social Security numbers, addresses, phone numbers, family members' names, and credit or debit card numbers; a broader definition, such as the one in California's law, would also encompass "marketing" data about hobbies and buying patterns.

Cerasale warns that companies will face enormous costs if forced to build departments and systems for detecting and reporting breaches. What's even more troubling to some is the fact that the Specter-Leahy bill calls for data brokers to give consumers a chance to "access and correct" their information. "That would open up an entirely different avenue for identity thieves to come in and undercut antifraud efforts," says Cerasale.

If such measures are passed, "COSO as a main risk structure and standards such as COBIT, GAAP and GAISP are no longer going to be adequate," warns Fred Cohen, a principal analyst at Burton Group.

Cohen says enterprises should consider creating new positions or morphing existing ones to prepare for such legislation. "The position of a chief information security officer (CISO) exists at many large firms, but it has not been a 'C-level' position," says Cohen. "The CISO will have to be a position right up there with the CEO, CFO and CIO."

Federal legislation will demand changes in hiring practices, HR policy, legal matters, risk management, auditing and policy, says Cohen, a situation that calls for leaders who can grasp both physical and technical security issues and devise an effective program companywide. "They must have the management skills so that what they write becomes rules followed by the CIO and those running networks, databases, software and operating systems. This person must make sure that management implements the controls and that audit then checks to make sure those controls are in place."

Free Web Site Analytics

Google promised too much to users of its AdWords advertising service when it offered free (although limited) Web-site analysis. One week after launching Google Analytics in November, the company was forced to stop adding new customers when its systems reached capacity. At deadline, there was no word on when or whether the service might reopen to new customers.

Corporate Information Security

Security is rising out of obscurity and gaining top-level attention. Nearly 21% of CEOs now take responsibility for data security, up from 12% in 2004, according to a December study by the International Information Systems Security Certification Consortium, (ISC)². CISOs/CSOs now head security at 24% of member firms, up from 21%, while CIO accountability dropped from 38% to 30%.

Applications in a Box: All Clear

SAP is working with Cisco Systems to develop network applications for small businesses. The collaboration will yield routers with business applications running on top. The advantage? Fewer routers and less software to install and configure. In theory, you'd need only one box, with networking and application settings ready to go: plug in the power cord and the Internet connection, and you're in business.
