Getting real about data security legislation
Vontu CEO Joseph Ansanelli says new laws targeting data theft need to focus on insider threats as well as attacks from outsiders.
Enforcing data security has become a top priority for both government and business. The good news is that with a combination of legislative action and business initiative, the risk of identity theft can greatly reduced. But only if we understand the big picture.
The current bipartisan effort in Congress to enact legislation requiring companies to help prevent identity theft is a positive sign. Whether the new laws succeed, however, will depend on how our legislators interpret the problem. If they focus exclusively on defense against outside attacks, their efforts will likely fall short. If the lawmakers also address the insider threat, we should all be able to breathe a lot easier.
We've all heard about the nefarious hacker breaking into corporate networks stealing information. What you may not realize is that today the biggest threat to your identity does not come from marauding cyber-bandits with laptops. Approximately half of this year's breaches were caused by company employees either accidentally or maliciously putting confidential data at risk.
It's not hard to see why insiders now pose a major threat. Think of all the people inside corporations who have ready access to your data, and to the Internet. How easy is it for an employee to e-mail a big batch of account numbers, including yours, to a friend or associate?
Last month, a call-center worker in New Delhi sold account data on 1,000 customers of a U.K. bank to an undercover reporter, and told the reporter he could supply confidential data from 200,000 accounts a month.
Tougher laws, better business practices
Proposed federal legislation extends existing data security requirements for banks and other financial institutions under Gramm-Leach-Bliley Act (GLBA) to create a national data security standard whereby every company will be required to protect the confidentiality of their customers' records and notify them when a breach occurs. Those who don't will face fines and maybe even individual liability.
This is a good first step. But the proposed legislation tends to focus on the external threat only. Since half of all breaches are now caused by insiders, the law should also require that companies enforce policy compliance by their own workforce as well as by third parties.
Take the Health Insurance Portability and Accountability Act (HIPAA), for example. HIPAA security rules closely mirrored GLBA regulations, but added a requirement for "workforce compliance." Workforce compliance is important for protecting patient medical information, and it's just as important for consumer financial information. Without active enforcement of workforce compliance, continued data leaks are a sure bet.
The new data security standard will likely simplify compliance by pre-empting all of the existing state laws and putting everybody on the same page. But the ultimate responsibility for protecting our personal data lies with the corporations to whom we entrust it.
Fortunately, corporate America is stepping up to the challenge. Many of the nation's top corporations are taking a leadership position on data security by enforcing strict access control, encryption and data loss prevention policies. These business leaders understand that the cost of implementing tighter controls is minor compared to the damage caused by media and legal exposure following a major data security breach.
It is important to remember that businesses too are victims, not perpetrators, of identity theft. For their role in tightening data security, our business leaders should be commended, not attacked.