Businesses are paying the closest attention to Title IV of the bill. This section requires that companies involved in interstate commerce, and that have at least 10,000 files on individuals in digital form, design a data security program that ensures confidentiality of sensitive records and protects against unauthorized access and use of personally identifiable information.
Such companies must publish their data privacy procedures and regularly conduct tests to assess system vulnerabilities. Businesses that violate these rules could face fines and government prosecution.
There has been a lot of discussion already about Title IV among company executives and security experts, and, although Specter-Leahy doesn't list specific steps that must be taken, a picture has gradually emerged of what an acceptable data privacy system might look like under the legislation.
This informal blueprint, while useful, only serves to highlight the lax stance most businesses have taken toward data security: Few companies have adopted, or even considered adopting, the full range of privacy measures that security experts believe would satisfy Specter-Leahy regulations.
This means that after years of neglect, increased spending on data security will likely become a staple of IT budgets for the foreseeable future.
"More companies are starting to evaluate the risk to their operations and financial performance from neglecting to protect sensitive information," says Paul Kurtz, executive director of the CSIA. "They don't want their names plastered on the front page of the newspaper, or to be prosecuted for failing to live up to the standards federal and state governments are demanding they adopt to protect consumers. They know that wouldn't be good for business."
Security consultant and former National Security Agency spook Ira Winkler says simple and widely available technology can greatly increase data security, if only companies would use it.
The minimum requirement for meeting Specter-Leahy benchmarks is a data encryption program, according to security experts. The federal government and U.S. companies have bickered for years over what level of encoding corporations should be allowed to use in order not to run afoul of national security guidelines.
Now, 128-bit encryption systems have emerged as a standard that can adequately protect company data from hackers and other information thieves, while still giving intelligence agencies the confidence that they could crack the code if they needed to. But although encryption programs are not particularly expensive to implement (even a large company with a lot of data wouldn't have to pay more than $100,000 or so to adopt such a system), a mere 7 percent of companies encrypt information when it is backed up to tape, according to storage industry researchers Enterprise Strategy Group.
Encryption not only protects a company's secrets from prying eyes, it also potentially shields the organization from expensive litigation, penalties and damage to its reputation. A central component of Specter-Leahy is a section modeled after the two-year-old California Data Privacy Act, which has since been mirrored by seven other states.
The law compelled companies to disclose data losses and thefts involving residents of the state, and, as eCenturion's Ricks puts it, "forced the bubble of gas to the surface and exposed how badly managed private information really is." Under Specter-Leahy, companies would be required to reveal all data breaches, immediately, through public statements and letters to everyone whose personal information had been put at risk.