Bracing for the New Privacy Laws

One would think that, some eight years into the Internet age, enlightened self-interest would have motivated financial services and e-commerce vendors to put a higher value on maintaining the integrity of customer data. But companies' seeming inability to follow a consistent and reliable security model for the use of customer data, and the secretive approach taken to handling credit card security breaches, have helped create a consumer backlash - and a torrent of state and federal legislation.

The latest regulatory salvo, California Senate Bill 1386 (SB 1386), becomes law July 1, and more regulations are coming. The law requires companies to disclose any compromise of customer data to every affected consumer residing in California within 48 hours. And if you don't have up-to-date contact information for those consumers, you must post a notification on your Web site—the e-commerce equivalent of a scarlet letter.

Financial services companies worry that the negative publicity associated with disclosing data compromises could wreak havoc with consumer confidence in both e-commerce and the financial services industry. Consumer fears have been fueled by a string of high-profile data losses, including the compromise of some 8 million credit card numbers at card processor Data Processors International Inc. (DPI) last February. Most of the affected card associations' member banks didn't notify affected customers, despite the possibility that those numbers could be used in conjunction with so-called skip-trace database services online to gain enough information for identity theft.

E-commerce vendors, left in the dark about which card numbers were affected, had to make doubly sure they were checking card verification codes to protect themselves against chargebacks. Fear of negative publicity has kept the issue under wraps. Fear of legal penalties and lawsuits under new laws will now push the issue to the forefront as never before.

In the case of credit card number theft, card associations do provide security guidelines to merchants and banks, but not all organizations abide by them, says Julie Fergerson, chairman of the Merchant Risk Council in New York. "If DPI had done the [MasterCard] Site Data Protection program ... the break-in never would have occurred," she says. Now legislatures have stepped in to enforce change.

That leaves IT professionals to struggle with the intricacies SB 1386 and similar federal legislation, called the Database Security Breach Notification Act, that Sen. Dianne Feinstein (D-Calif.) introduced last week. Bills pending in the Senate include the Social Security Number Misuse Prevention Act and the Privacy Act, which prohibit the display, sale or purchase of Social Security numbers and other personally identifiable information without the consumer's permission. Another bill, the Identify Theft Prevention Act, would prohibit the printing of full credit card numbers on receipts.

Ever aware of a sales opportunity, IT security vendors are madly waving red flags, hoping to cash in on the SB 1386 bonanza. Since this law exempts data that's encrypted from the disclosure rules, storage security vendors like Kasten Chase Applied Research Inc. are trumpeting the risks of network storage—and promoting PKI-based authentication and encryption at the storage device level for "at rest" data. But encrypting stored data isn't as easy as vendors make it sound. "It breaks a lot of indexing and backup schemes," says John Pescatore, an analyst at Gartner Inc.

Encryption also doesn't protect companies from insider attacks, which analysts say are at least as common as external threats. Liquid Machines Inc. in Lexington, Mass., extends encryption to data retrieved in queries. Policies set in Active Directory or another LDAP-compliant directory service control user access; results can be pasted into and viewed locally within supported applications such as Excel and Word. All usage is centrally monitored.

Another start-up, San Francisco-based Vontu Inc., offers a surveillance tool to help monitor access to sensitive data and "quarantine" it when issues arise, while Cupertino, Calif.-based StrongAuth Inc. offers compliance management and SB 1386 policy templates.

Such technologies can provide tactical support, but do you need them? Organizations with well-designed security policies and infrastructures will probably exceed the legal hurdles these rules set, analysts say, although compliance-monitoring tools may also be needed. And every organization handling sensitive consumer data should be using encryption. Implementing that is no picnic, and that's where vendors could be of help.

"The product vendors should focus on making it easier, not on trying to drum up fear, uncertainty and doubt with every new law that comes along," says Pescatore. Fortunately, vendors seem eager to rise to that challenge.

Robert L. Mitchell is Computerworld's technology evaluations editor. Contact him at robert_mitchell@computerworld.com.

1pixclear.gif

A sampling of pending and recently passed privacy legislation

Legislation What it does Status
California Senate Bill 1386 SB 1386 Requires businesses to notify California consumers when their data is compromised. Becomes law on July 1, 2003.
Database Security Breach Notification Act Upcoming U.S. Senate bill said to be similar to California's SB 1386 Sen. Dianne Feinstein (D-Calif.) planned to introduce this as a U.S. Senate bill on June 26.
Privacy Act of 2003 S.745 Sets a national standard for protecting Social Security numbers, driver's license numbers and health and financial data.

Prevents commercial entities from collecting Social Security numbers and other "personally identifiable" information without the subject's permission.

Introduced in the U.S. Senate.
Social Security Number Misuse Prevention Act S.228 and H.R. 637 Prevents commercial entities from collecting selling or displaying Social Security numbers without the consumer's permission. A subset of the Privacy Act. Introduced in the U.S. House and Senate.
Identify Theft Prevention Act S.223 Requires businesses that accept credit cards to include no more than the last five digits on transaction receipts. Introduced in the U.S. Senate.
Identity Theft Penalty Enhancement Act S.153 Increases the penalties on identity theft crimes for those convicted of a serious felony; makes prosecution easier. Introduced in the U.S. Senate.
California Financial Information Privacy Act SB 1 Prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a California consumer's consent. Introduced in the California State Senate.

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon