Network Computing is part of the Informa Tech Division of Informa PLC


The Politics of Infosec

These aren't isolated cases. In a recent survey by Deloitte & Touche, Harris Interactive and Privacy & American Business, 20 percent of respondents said they've been the victim of identity fraud or theft. That response, from a representative sample of the U.S. population, suggests a total of 44 million victims nationally. The FTC puts the number at 10 million, but even so, it estimates annual damages at $5 billion for individuals and $48 billion for businesses.

More Regulations?

Any problem that inflicts such damage is bound to invite political intervention, and momentum is building for U.S. legislation akin to the data-protection laws in Canada, Europe and Japan. Under a bill introduced last month by Sens. Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.), companies that store information on more than 10,000 people would have to create formal programs to train employees in security practices, perform vulnerability tests and ensure that third-party service providers have adequate security. Consumers would get regular access to their data files so they could make corrections. Under a similar plan backed by Sens. Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.), an office of identity theft would be created within the FTC, funded at $60 million a year for five years.

While $60 million may sound like a bargain to solve a $50 billion problem, consider the funding and red tape already behind the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Driver's Privacy Protection Act and the myriad other federal and state acts of good will that ostensibly protect privacy and ensure information security. The FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce," served as the legal grounds for the infosec actions against BJ's Wholesale and four other companies. Do we need yet another layer of regulations?

A better next step would be to extend nationwide a California law requiring companies to notify customers whenever personal information is believed to be compromised. Faced with the public embarrassment of such national disclosures, companies will get their infosec acts together, while immediate notification of security breaches will let those affected head off fraud.
