Companies pay a steep price for mishandling sensitive data: declining market capitalization, reduced profits and damaged reputations. ChoicePoint, which maintains as many as 19 billion data files that trace the financial, insurance and demographic backgrounds of nearly every adult in the U.S., took a charge of $11.4 million in the first and second quarters of this year in order to cover both the cost of notifying consumers that their private information had been stolen, as well as legal fees related to the incident.
This lowered ChoicePoint's operating earnings by almost 9 percent in the first half of the year.
Still, for most consumers, such financial penalties offer little consolation. What people really want is for companies to alter their behavior.
Admittedly, most consumers like the benefits of databases: quicker turnarounds on loan and credit applications, the convenience of shopping on the Web, greater accuracy of medical records, and finely filtered recommendations from e-commerce sites, to name a few.
Yet surveys indicate that these pluses are beginning to be outweighed by the dread of identity theft and data scams, not to mention spam and unwanted direct marketing, all of which are the result of a growing laxity toward safeguarding confidential data.
According to a May 2005 survey of 1,003 U.S. voters, conducted by the Cyber Security Industry Alliance (CSIA), a trade organization representing companies that make security products, 97 percent of respondents rate identity theft as a serious problem and are fearful of their personal information being stolen; 48 percent said they avoid making purchases on the Internet because they are afraid their financial information isn't safe, and 71 percent believe new laws are needed to protect consumer privacy.
"Companies have been in a state of denial about protecting data; they've held off federal regulation by promising to self-police, and instead they've done nothing," says Ray Ricks, former chief of privacy standards, security planning and global fraud investigations at Citibank, and founder of eCenturion LLC, a maker of network protection software based in Huntington Beach, Calif.
"Many companies have a budget that says, 'This is what we forecast will be our financial losses from data losses and identity theft and the like,' and then manage to that number," Ricks says. "As long as they don't go beyond that budget, data protection is not a priority."
Odds are, companies won't have that option much longer. As a result of the rash of data incidents and the subsequent consumer backlash, U.S. lawmakers are taking the strongest steps yet to replace the generally unregulated data environment with strict mandates for how individual privacy and confidential information must be protected.
The most far-reaching legislation is the Personal Data Privacy and Security Act of 2005, cosponsored by Republican Senator Arlen Specter, chairman of the Judiciary Committee, and Senator Patrick Leahy, the committee's ranking Democrat.
If this bill passes in anything like its current form, as it's expected to either late this year or early in 2006, it could affect companies in much the same way as the Sarbanes-Oxley Act has. The bill would require new and sometimes expensive procedures and systems to protect confidential data, just as Sarbanes-Oxley does in the realm of accurate financial and accounting disclosure.
And while the price tag to safeguard private information will not be as high as it was to rejigger accounting systems, the change in the way companies operate could be just as radical.
"Reforms like these are long overdue," Senator Leahy says. "Insecure databases are now low-hanging fruit for hackers looking to steal identities and commit fraud. [The Specter-Leahy bill] provides tough monetary and criminal penalties for compromising personal data or failing to provide necessary protections. This creates an incentive for companies to protect personal information."