But there is one exception to this rule in both the California law and the Specter-Leahy bill: Companies that have used encryption to make sensitive information unreadable to information thieves need not report data thefts to consumers. The idea of using data encryption as a safe harbor has received mixed reactions from security experts, but, overall, they believe that it at least gives companies a clear incentive to live up to the goals of the legislation.
In fact, in large part because of the California law, Addison, Texas-based Credant Technologies has seen a surge in sales of its mobile encryption software, from 700,000 licenses in the first quarter of 2005 to 1.2 million licenses in the second quarter.
"Encryption is an important and elegant approach to data protection (it's absolutely essential), but it still must be part of a holistic data protection system," says CSIA's Kurtz. "I don't want to think that companies will believe they've done enough because the law lets them off the hook if they encrypt."
Kurtz says he would prefer that the legislation call for third-party certification of data protection programs as the mechanism that would trigger the safe harbor. Privacy auditing firms could conduct these assessments and produce reports detailing the areas in which companies have met the highest information security standards and in what ways they could improve.
"With this approach," Kurtz adds, "it may be possible to drive insurance companies to underwrite policies that cover losses for data security breaches because they would have real data that could help them determine risk."
Most companies believe that because they have antivirus software on their network, and have installed a firewall, they've sufficiently protected sensitive information. But that's a false sense of security. Poorly configured firewalls (the norm at most companies, according to security experts) provide at most 1 percent of the filtering required to keep out hackers, viruses, worms and other intruders. The problem, often enough, is that CEOs and CIOs relegate data protection to low-level staffers who may have taken a course given by, say, Microsoft Corp. about information security, but who don't have the credentials necessary to handle such an important aspect of a company's operation.
For that reason, it's little wonder that two-thirds of companies surveyed by Enterprise Strategy Group this year were victims of Internet worms.
One way to protect networks is by installing intrusion protection software. Essentially, this software monitors the network for spots that are unprotected and temporarily shields those vulnerabilities when companies are unable to keep up with the security patches needed to close them. A better option, though, is a full-fledged network security program that creates a shield around every link and node on the network, watches the activity of every user, and monitors for break-ins or attempts to steal information.
None of this, however, is useful if unauthorized people can easily gain access to corporate data (see "The Customer Did It," page 44). As a result, experts have identified vastly improved authentication of individuals, before allowing them to view or download information, as another essential aspect of a data security program that would meet the requirements of Specter-Leahy.
"Passwords are a lousy way to protect consumers," says Chris Voice, vice president of technology at Entrust, an Addison, Texas-based encryption company. "At an ATM, you have to have a debit card or you can't access the system. That's more than a password. So why do we guard credit data, health records and other sensitive data behind only a password on the Web, or in most corporate networks?"
A variety of techniques have been suggested to help authenticate people, including so-called tokens that are plugged into a USB port of a computer or a socket in a kiosk-based machine, as well as numeric grids on which people would type assigned numbers before their user name and password.
All of these add cost to database transactions, however, and some inconvenience for customers.
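To make the "numeric grid" second factor concrete, here is an added illustration in Python of the server-side half of such a scheme; it is not code from the article or from any vendor named in it, and the 5x5 layout, the cell names and the three-cell challenge are assumptions.

```python
import hmac
import secrets

# Constructed example of a grid-card second factor: the user holds a printed
# card of digits laid out in rows and columns. At login, in addition to the
# password, the server names a few cells and the user types the digits found
# there. The full grid is a secret and must be stored server-side with the
# same care as a password hash or an encryption key.
ROWS = "ABCDE"
COLS = "12345"
ALL_CELLS = [r + c for r in ROWS for c in COLS]


def issue_grid():
    """Create a fresh 5x5 grid of random single digits for one user."""
    return {cell: secrets.choice("0123456789") for cell in ALL_CELLS}


def make_challenge(cells=3):
    """Pick distinct cells to ask for. A new challenge is issued for every
    login attempt, so a response captured once (by a keylogger or a phishing
    page) does not answer the next challenge."""
    chosen = []
    while len(chosen) < cells:
        cell = secrets.choice(ALL_CELLS)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def expected_response(grid, challenge):
    """The digits the legitimate card holder should type, in challenge order."""
    return "".join(grid[cell] for cell in challenge)


def verify_response(grid, challenge, response):
    """Constant-time comparison so timing does not leak which digit was wrong;
    a response of the wrong length fails without raising."""
    return hmac.compare_digest(expected_response(grid, challenge), response)
```

A real deployment would also bind each challenge to one session, expire it after a short time, and rate-limit failed attempts, since a three-digit response is brute-forceable if retries are unlimited.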
Yet as the government moves closer to regulating data environments, companies should view less permeable authorization techniques as "necessary and inevitable, because consumers are under relentless assault by fraudsters and identity thieves," says Jonathan Penn, an analyst at Forrester Research Inc.