When privacy glitches are good for business

Security may sometimes seem as solid as Swiss cheese. But you won't find RSA chief exec Art Coviello complaining.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
A string of highly publicized security breaches in the last year has caused a series of headaches for data aggregators like ChoicePoint and Acxiom.

Subsequent Congressional hearings and threats of new laws to regulate data collection practices haven't helped. Neither have class action lawsuits like the one filed in California against ChoicePoint after the company admitted it sold information on 145,000 people to identity thieves.

But the privacy outcry has been a boon to at least one firm: RSA Security, a Bedford, Mass.-based company that sells a range of authentication technologies. It's best-known for its "SecurID" keychain fob and, in technology circles, for its popular conference held in the San Francisco Bay Area.

But its stock price has been battered recently over uncertainty caused by its chief financial officer's departure and an expensive $145 million acquisition of Cyota, which sells antiphishing and fraud detection services to financial institutions.

RSA CEO Art Coviello, however, says the prospects for growth are rosy in a political and business atmosphere charged with worry about encryption, data security and authentication.

CNET News.com spoke with Coviello about federal legislation, SecurID, and the company's February 2006 conference.

Q: You wrote an article with (RSA board member) Orson Swindle saying that regulations aren't enough and we already know best practices that some companies didn't follow. Do we need a law mandating best practices?
Coviello: I hope not. But again, it's really up to individual industries. If they self-regulate, government won't have to step in. I think a great example of government showing leadership is the (Federal Financial Institutions Examination Council's) announcement.

They didn't legislate or regulate anything. They said a best practice for online financial transactions is to have some kind of authentication beyond a password. They said we really strongly urge you to have something done by the end of 2006. What's wrong with that? Industry's on notice and it's the right thing to do.

What do you think the effect of those federal regulations will be? What will most banks do?
Coviello: Most banks won't have it implemented by the end of 2006. As I talk to financial institutions, they say, "We think this is something that needs to be addressed and we've been wrestling with how to do it. We'll do our best to get done but we may not be ready by then."

Have you seen interest in your SecurID product as a result?
Coviello: Huge. It's not just SecurID. I should qualify that.

Because we're so successful with the token, people misunderstand and think it's the only authentication product we have. We're a victim of our own success in that regard. We have software versions of the token. We have digital certificates. We have USB devices that have resident on them a digital certificate. We've made no secret that we're going to expand authentication (products).

We are absolutely getting a lot of inquiries about our product lines and our plans. It's obviously going to be very good for our business.

I have four bank accounts. Does that mean I have to juggle four different SecurID tokens? That sounds like a pain.
Coviello: We launched a consumer-oriented service this quarter that will allow people who have tokens to register them with other consumer-facing organizations (such as banks) who can then proxy their token to our service and we will authenticate them.

So you're saying that I'd just need one, as long as all my banks cooperate?
Coviello: Yes. For instance, if you have an E*Trade account and have an E*Trade token and go to Wells Fargo and both companies sign up for the service, you can use the same token for both. It's our job to get them interested.

When E*Trade offered SecurID tokens to nearly 3 million customers, only 20,000 signed up, and almost all of those had qualified for a free promotion. Is that a success story?
Coviello: The takeup rate is ongoing...The takeup rate for ourselves and E*Trade we've been pretty happy with. It's something that consumers are going to get used to. E*Trade isn't mandating the use of the tokens. But over time, as awareness builds, we'll increase the penetration.

When someone sends me phishing mail saying, your E*Trade account needs validation, they'll direct me to a fake site. If I type in my SecurID number, couldn't that bot log in to the real E*Trade site simultaneously using that number?
Coviello: Possibly, if they're able to do it in that sophisticated a way. It doesn't necessarily solve (the problem of) identifying a particular Web site.

It seems some privacy activists have wanted a general-purpose regulate-all-data-practices law for decades and they're using recent data breaches to justify it. Do you think that's happening?
Coviello: This is clearly a case of the horse being out of the barn and it being pretty hard to get it back in. You didn't hear consumers complain when they were getting easy access to credit and got multiple credit cards and could do lots of things.

I get a kick out of these privacy groups saying there was malice aforethought with these companies. There wasn't. Does that mean we shouldn't go back and fix issues of confidentiality and protection of information? Of course we should. But we're not going to eliminate internal combustion machines because they create air pollution. I see the same thing here.

Let's say the U.S. Congress is going to pass a law when they return next year. What should it say?
Coviello: We think they should...pre-empt the states, which we think makes sense so companies don't have to wade through 32 different state laws. There's clearly a role regarding breach notification. We think there should be more specificity around the timing for breach notification, and some kind of safe harbor if you used encryption technology that protects you. There are a few bills that do that.

Should a federal law zap state laws by pre-empting them, or is it better to have no federal law and a variety of approaches by the states?
Coviello: What happened in the California bill (mandating disclosure of security breaches) was that California ended up legislating for the world. There are very few businesses that don't do business in California.

It's very difficult to expect companies to sort through a myriad of state bills and see which ones they haven't complied with. What, you don't do business in a smaller state because you can't bother to figure out what the rules would be? It's such a broad issue that it should be federally done.

What percentage of RSA's revenue comes from SecurID?
Coviello: From our authentication business, which is broader than SecurID, it's about 70 percent. The encryption business is about 10 percent.

Have you noticed an uptick in SecurID revenue--since the ChoicePoint and other breaches--that you can attribute to increased attention to this topic?
Coviello: I think what we've seen is a build in sales pipeline. It hasn't translated yet into as much revenue as we'd like to see. It's not just ChoicePoint and the other breaches. It's about ID theft globally.

We're building a deferred and subscription order base that will generate revenue in subsequent years. We made that clear on our last quarterly conference call. And stay tuned (for more).

For your February RSA security conference, you've lined up Bill Gates of Microsoft, Scott McNealy of Sun Microsystems, and John Chambers of Cisco. Any other highlights you'd like to mention?
Coviello: I'll be there. (Laughs.) Gary Bloom from Symantec Veritas will be there. The fact that last year we had Chambers join the group and this year we have McNealy join the group shows how much security has gone mainstream. Maybe the following year we'll have (Oracle CEO) Larry Ellison.

Let's say 2005 was the year of ID fraud and security breaches. What will 2006 be?
Coviello: I think you'll see an acceleration in sophisticated attacks. But you'll also see the Return of the Jedi: companies adopting stronger authentication and better and better antispyware and antimalware (techniques). It may get a little worse before it gets better, but we're about to make a comeback.