What do Time Warner, Lexis-Nexis, ADP, and Bank of America all have in common? They all suffered breaches in customer data security in 2005, and the incidents all fueled calls for federal legislation that could lead to onerous security demands on organizations holding consumer information. Even if legislators show restraint in demanding new controls, it's time for corporations to create C-level security positions.

Security breaches now lead to high-profile public disclosures thanks to state laws such as California's Security Breach Information Act (SP 1386) and Washington's "Breach Disclosure" law (SB 6043), which require that consumers in those states be notified when their personal data is compromised. With other states eyeing similar bills, some in Congress say it's time for a nationwide approach-an outcome business might favor, too, as long as the law isn't too demanding.

Thus far, Congressional committees have proposed at least six bills. One of the most comprehensive is "The Personal Data Privacy and Security Act of 2005" (S.751), proposed by Senator Arlen Specter (R-Pa.), Chairman of the Senate Judiciary Committee and Senator Patrick Leahy (D-Vt.). The bill calls for corporate accountability for data privacy and security programs, but there's controversy over how to define and enforce such a mandate.

"The government must assess the risk associated with certain data types so companies aren't notifying consumers every time a breach of even noncritical data occurs," says Jerry Cerasale of the Direct Marketing Association (DMA), a trade association representing more than 5,200 direct, database and interactive marketers.

Just what is "critical" personal data? Some would limit that definition to social security numbers, addresses, phone numbers, family members' names and credit or debit numbers, but a broader definition, such as that in California's law, would encompass "marketing" data about hobbies and buying patterns.

Cerasale warns that companies will face enormous costs if forced to build departments and systems for detecting and reporting breaches. What's even more troubling to some is the fact the Specter-Leahy bill calls for data brokers to give consumers a chance to "access and correct" their information. "That would open up an entirely different avenue for identity thieves to come in and undercut antifraud efforts," says Cerasale.

If such measures are passed, "COSO as a main risk structure and standards such as COBIT, GAAP and GAISP, are no longer going to be adequate," warns Fred Cohen, a principal analyst at Burton Group.

Cohen says enterprises should consider creating new positions or morphing existing ones to prepare for such legislation. "The position of a chief information security officer (CISO) exists at many large firms, but it has not been a 'C-level' position," says Cohen. "The CISO will have to be a position right up there with the CEO, CFO and CIO."

Federal legislation will demand changes in hiring practices, HR policy, legal issues, risk management, auditing and policy, says Cohen, a situation that will demand leaders who can grasp the physical and technical security issues and devise an effective program companywide. "They must have the management skills so that what they write becomes rules followed by the CIO and those running networks, databases, software and operating systems. This person must make sure that management implements the controls and that audit then checks to make sure those controls are in place."