Putting teeth in cyberprivacy

A new California statute designed to protect the public from identify theft delivers the first in a series of warning shots to companies to get serious about protecting vital electronic information.

For the first time, government regulations will require organizations to be open about security breaches, which traditionally have gotten swept under the rug--or addressed without much fanfare.

California civil code 1798.82, which goes into effect Tuesday, requires any business or person who "maintains computerized data that includes personal information that the person or business does not own...(to) notify the owner or licensee of the information of any breach of the security."

It also wields an enforcement stick: Any company doing business in California that fails to provide the notice required by law opens itself to a damage suite by any customer injured. That includes the possibility of class-action lawsuits and injunctive relief. In layman's terms: Companies must alert customers if information that can be used to perpetrate identity theft--people's social security, driver's license and credit card numbers--is stolen or compromised. Otherwise, they can get sued for staggering amounts of money.

The statute provides a powerful incentive for companies to protect a narrow segment of valuable computer data maintained on electronic networks. Batten down the hatches, because California 1798.82 is just the tip of the iceberg for computing companies--in fact, all industries that store and use electronic data.

Just recently, Sen. Diane Feinstein sponsored a bill in Congress to make this California statute into national law. Both litigation over the theft of intellectual property and the enforcement of privacy violations are also picking up speed. The Federal Trade Commission is investigating a May security flaw in Microsoft's Passport service that put more than just its 200 million customers' accounts at risk of being hijacked. That could lead to hefty fines. And in June, Lockheed Martin filed suit against Boeing, accusing its rival of illegally obtaining and using tens of thousands of pages of proprietary Lockheed documents to win a large rocket contract with the U.S. government.

Baby steps or a brisk run?
Individually, each of these situations has significant impact, but when I step back and look at tall three trends, I see enormous daily risks facing companies that use electronic technologies. Companies face two choices: They can apply a Band-Aid for compliance with specific statutes, or be savvy and employ the broad protection and auditing measures needed to avoid an onslaught of coming regulations and litigation. And at the same time, companies will be able to protect their data from theft by competitors.

Just recently, Sen. Diane Feinstein sponsored a bill in Congress to make this California statute into national law.

One way to avoid liability under California statute is simply to encrypt the narrow segment of computer data covered by the law. The statue only applies to "unencrypted personal information." This avenue is a Band-Aid or a baby step at best. Limiting encryption to personal information does nothing to protect a company's confidential, proprietary and trade-secret information, which prior to the electronic age was maintained in hard-copy documents.

Today a company's crown jewels--marketing plans and strategies, financial information, customer information, employee HR records, acquisition strategies, product plans, manufacturing processes--are all maintained in computer data. Studies show that more than 90 percent of information created today by businesses is maintained in electronic formats, making it easier for a company's critical intellectual property to leak out of an organization. Nowhere is this more true than the technology industry, where operations are virtually entirely electronic and rely on the use of a plethora of technologies that make it easy for data to leak, particularly with the Internet and new data integration initiatives.

Companies need to step up to the plate and finally protect individual pieces of data--and track how that data is used and by whom. This is important not only to meet the dictates of the new California statute on personal information but also to protect a company's intellectual property. It is important for a company to be able to prove who stole its data and how it was stolen; otherwise there is no way a company can enforce its rights in court to retrieve stolen computer data and keep competitors from using or distributing its data.

Unfortunately, the computer security systems that companies have already bought--firewalls and intrusion detection--are not enough to comply with the new California statute or to protect data from theft by a competitor. They merely log activity in a small slice of the path of confidential data as it travels inside, outside and between today's companies--and do nothing to provide the encryption needed to comply.

The statute provides a powerful incentive for companies to protect a narrow segment of valuable computer data maintained on electronic networks.

That said, there is a new generation of technologies that sit squarely at the intersection of security and compliance. These allow companies to protect individual pieces of information no matter where they reside. And when necessary, they deliver the monitoring and reporting to demonstrate compliance and provide the evidence needed for companies to seek a court injunction under the federal Computer Fraud and Abuse Act or state trade-secret laws. They can even take advantage of the criminal justice system by reporting violations of criminal law with the confidence of knowing that they are providing admissible evidence of criminal activity.

Make no mistake: As of July 1, companies will have to impose closer control over their data. But California 1798.82 is just the tip of the iceberg if companies don't take that brisk run beyond mere compliance and toward preventive measures.