Q&A: IBM exec on breach notification laws, data security push

Companies must pay attention to how they secure their data, says Harriet Pearson

May 2, 2006 12:00 PM ET

Computerworld -

Breach notification laws and the growing globalization of business operations are forcing U.S. companies to pay more attention to the risks associated with having sensitive personal information under their control, according to Harriet P. Pearson, vice president of corporate affairs and chief privacy officer at IBM. Minimizing those risks is a challenge that requires a truly cross-functional effort involving security, technology, legal, audit and marketing organizations. In an interview with Computerworld, Pearson -- who is responsible for guiding information collection and use policies across IBM -- talked about some of those challenges.

Harriet P. Pearson, vice president of corporate affairs and chief privacy officer at IBM
What’s driving the privacy agenda today? What do CIOs and CEOs need to understand about data privacy and protection?

CIOs, security people and privacy people are now working closer than ever before. The precipitating event that has brought them closer together has been this requirement that started in California and has now appeared in about 25 additional states to disclose to consumers if there’s a security incident that potentially compromises data about them. That simple thought, differently expressed in different laws but now becoming pretty much standard operating procedure, is very much on the minds of the security, privacy and CIO folks that I’ve been talking to. Depending on the industry and depending on the type of CIO, it varies a little bit. But to a person, they are all aware of the challenge of responding to the requirements of these laws.

What sort of challenge does this pose for companies?

There is no doubt that this new set of requirements around security breach notifications [is] now a high-priority item for security and privacy managers and the CIO. Part of the challenge is that there are 25 states [with breach notification laws]. If you look at each of them, you will see that each one is slightly or significantly different, and that does cause challenges. It creates the requirement that if you are doing business across states, you have to go through and try to rationalize them across states. So what kind of information is covered by the law that you have to comply with? There are different definitions of personal information across states. The triggers that require you to notify differ across states. And you have to figure out what the company is comfortable with using as a trigger. Because if you are doing business across the country, basically, I don’t think you are going to sit down and [say], "Well, if it happened in Arkansas versus ... California, I am going to use radically different standards." The types of notices differ. The states are using different language [relating to] where you have to put it and who must be notified.

I think the more interesting and very significant development here is that nobody wants to become really good at knowing how to notify when there’s a breach. It’s not a recipe for job success here. So I think what’s happening is that at some level, the CFO or the [chief risk officer] or the compliance officer or somebody is going to turn to the CIO and say, "How do we stop this?"

