Ask Lee Dittmar to describe legislators and regulators’ newfound interest in data security, and he responds without missing a beat. “It’s a sleeping giant.”
Dittmar is not some idle speculator, either. A principal at New York–based Deloitte Consulting, Dittmar has been advising on information technology for some 25 years and is a frequent speaker at conferences on compliance.
Therefore, his warning that this issue will soon become a priority for Corporate America should concern finance executives. Currently, Congress is pondering at least a dozen data-security bills, each of which mandates that businesses do a better job protecting consumer data and identities. At the same time, federal agencies, state representatives, and even some municipal officials are also jumping on the data-security regulation bandwagon.
This hodgepodge of requirements could prove to be a compliance bear over the next few years. “We’re now in a world where 23 states, plus New York City, have specific data-breach notification statutes in place,” notes Deborah Birnbach, a partner at Boston-based law firm Goodwin Procter LLP. “If you’re a company that does business nationally and globally, it just makes no sense.”
It’s a Jungle Out There
The increased interest in information security comes on the heels of several massive data disasters last year.
In February 2005, for example, financial-services giant Bank of America announced that it had somehow lost backup tapes containing more than 1.2 million financial records on credit cards held by federal employees. That same month, data-collection specialist ChoicePoint revealed that con men had made off with the names, addresses, and Social Security numbers of nearly 150,000 people. Management at LexisNexis admitted that the company had misplaced personal information regarding some 300,000 people. And in June 2005, CardSystems reported that hackers had stolen a staggering 40 million credit-card numbers from its database, which is used by Visa and MasterCard.
In response, House members introduced, among others pieces of legislation, the Notification of Risk to Personal Data Act and the Data Accountability and Trust Act. The Senate countered with companion legislation, as well as such measures as the Comprehensive Identity Theft Prevention Act and the Personal Data Privacy and Security Act, sponsored by Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.).
All told, there are at least a dozen information-security proposals currently before Congress. While all address the issues of data protection and theft notification, some go easier on business. The Specter-Leahy proposal, for example, does not allow customers to freeze their credit reports — a sticking point for consumer-advocacy groups. Many of those groups want federal legislation to mimic tough data-security laws already on the books in a number of states. California and New York, for example, require companies to notify all customers whenever any breach of a sensitive database occurs.
Disclosing a data-security breach constitutes a public-relations nightmare, which may explain shy many businesses are taking steps to strengthen their security policies ahead of incoming regulation. “Most companies have started to get their ducks in a row because of the number of breaches and incidents out there,” says Michael Rasmussen, vice president of enterprise risk/compliance management at Forrester Research, a Boston-based technology research company. “They don’t want to be the poster child for this sort of thing.”
At the Philadelphia Stock Exchange, officials are guarding everything from clients’ E-mail addresses to brokers’ Social Security numbers. “We recognized that once you open the network, you need to put multiple layers of security into place,” says Bernie Donnelly, the exchange’s vice president of quality assurance. “We feel we’ve built something that far exceeds what Congress is asking for today, or is likely to ask for in the future.”
Of course, guessing what level of protection Congress will ultimately require is next to impossible. The Notification of Risk to Personal Data Act, for example, requires businesses to notify customers about a breach only when “there is a reasonable basis to conclude it has resulted in the unauthorized acquisition of an access to personal information maintained by the person or business.” Those kinds of judgment calls are the stuff of class-action lawsuits.
Another complication: some of the data-security proposals currently in Congress take a “one-size-fits-all” approach, failing to recognize any difference between global conglomerates and corner stores. “Small-to-midsize companies cannot afford to put in the same level of security as a General Motors or Microsoft,” says Donnelly. “It’s just not practical.”
It’s possible a compromise bill will ease the regulatory burden for smaller businesses. Some observers believe the raft of federal data-security proposals will coalesce into a single — and less punitive — law. “What normally happens with pending bills is that they eventually converge,” says Robert Weiss, a partner in the information technology practice at Neal Gerber & Eisenberg LLP, a Chicago law firm. “There’s a lot of horse trading that occurs, and the end result is usually one principal piece of legislation that gets voted on.”
Freeze and Thaw
It remains to be seen if that principal piece of legislation supersedes strict local statutes. Of the dozen or so measures before Congress, several would limit or roll back existing state laws governing information security.
Consumer groups aren’t thrilled by that prospect. According to the Consumers Union, 23 states currently have data-security regulations on the books. In many cases, the state laws carry a much lower threshold for triggering notification about a breach. A handful of states have also enacted freeze laws, which limit the commercial use of credit reports. New Jersey’s freeze law, which went into effect on January 1, allows consumers to close their credit reports. They then pay a $5 fee to each credit bureau to open the report when they apply for a line of credit.
While such laws might prove profitable to consumer credit-rating agencies, they could hamstring companies with captive finance operations. Not surprisingly, says attorney Birnbach, “companies have been lobbying, in various forms, for some type of federal comprehensive statute that’s more uniform and will preempt the states’ statutes.” Even if Congress does blot out those laws, businesses still face a welter of mandates from federal agencies. In January, for example, ChoicePoint agreed to pay a $15 million fine to settle charges brought against it by the Federal Trade Commission.
For corporate officers in charge of compliance, the prognosis is not good. “I don’t think there’s a company out there that could tell you for certain whether or not its policies, procedures, and executions are in compliance with all the laws and regulations,” says Dittmar. “That’s how complicated it is.”
John Edwards is a technology writer based in Gilbert, Arizona.