Ask Lee Dittmar to describe legislators and regulators’ newfound interest in data security, and he responds without missing a beat. “It’s a sleeping giant.”
Dittmar is not some idle speculator, either. A principal at New York–based Deloitte Consulting, Dittmar has been advising on information technology for some 25 years and is a frequent speaker at conferences on compliance.
Therefore, his warning that this issue will soon become a priority for Corporate America should concern finance executives. Currently, Congress is pondering at least a dozen data-security bills, each of which mandates that businesses do a better job protecting consumer data and identities. At the same time, federal agencies, state representatives, and even some municipal officials are also jumping on the data-security regulation bandwagon.
This hodgepodge of requirements could prove to be a compliance bear over the next few years. “We’re now in a world where 23 states, plus New York City, have specific data-breach notification statutes in place,” notes Deborah Birnbach, a partner at Boston-based law firm Goodwin Procter LLP. “If you’re a company that does business nationally and globally, it just makes no sense.”
It’s a Jungle Out There
The increased interest in information security comes on the heels of several massive data disasters last year.
In February 2005, for example, financial-services giant Bank of America announced that it had somehow lost backup tapes containing more than 1.2 million financial records on credit cards held by federal employees. That same month, data-collection specialist ChoicePoint revealed that con men had made off with the names, addresses, and Social Security numbers of nearly 150,000 people. Management at LexisNexis admitted that the company had misplaced personal information regarding some 300,000 people. And in June 2005, CardSystems reported that hackers had stolen a staggering 40 million credit-card numbers from its database, which is used by Visa and MasterCard.
In response, House members introduced, among other pieces of legislation, the Notification of Risk to Personal Data Act and the Data Accountability and Trust Act. The Senate countered with companion legislation, as well as such measures as the Comprehensive Identity Theft Prevention Act and the Personal Data Privacy and Security Act, sponsored by Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.).
All told, there are at least a dozen information-security proposals currently before Congress. While all address the issues of data protection and theft notification, some go easier on business. The Specter-Leahy proposal, for example, does not allow customers to freeze their credit reports — a sticking point for consumer-advocacy groups. Many of those groups want federal legislation to mimic tough data-security laws already on the books in a number of states. California and New York, for example, require companies to notify all customers whenever any breach of a sensitive database occurs.
Disclosing a data-security breach constitutes a public-relations nightmare, which may explain why many businesses are taking steps to strengthen their security policies ahead of incoming regulation. “Most companies have started to get their ducks in a row because of the number of breaches and incidents out there,” says Michael Rasmussen, vice president of enterprise risk/compliance management at Forrester Research, a Boston-based technology research company. “They don’t want to be the poster child for this sort of thing.”