The Issue
Can legislation stop Identity Theft? This question is debatable, but one thing is certain: Information Security breaches continue to occur. Consumers affected by these breaches become outraged about the perceived indifference of organizations that do not put adequate security controls in place, and these outraged citizens continue to pressure legislators for stricter legislation, tighter enforcement, and larger civil penalties for Information Security violations.
Financial, Health Care, and Government organizations are already required to comply with Federal legislation such as GLBA, HIPAA, and a laundry list of other data privacy and security standards. These industries attempt to become compliant and yet are concerned about the cost of implementing these precautions. Violations, however, still continue to occur, fueling the public call for increased legislation.
In the News
I once worked with an Information Technology Manager at the State of Minnesota who confessed that a couple of her major professional goals are: “To never be the featured story on the 6:00 pm news, or the subject of a legislative security audit.” You don’t need to look very far to find plenty of recent examples of Information Security violations. These unfortunate situations did make the news.
- March 4, 2006, “8 Accused of Identity Theft”, (Beacon Journal and wire service sources), “Cincinnati—Eight people are accused of running an identity theft ring that got Social Security numbers and other personal data from a Hamilton County Web Site and used the information to ring up about a half-million dollars in spending. The personal information came from the records on the Hamilton County’s clerk of court Web site.”
- February 28, 2006, “Four lose jobs after data breach at Oregon Health care facility” (Computerworld): “the theft of backup computer tapes and disks containing personal information and medical records on about 365,000 hospice and home health care patients from a car parked in Portland, Oregon.”
- March 1, 2006, (www.EcommerceTimes.com) “ChoicePoint, a broker of consumer data, acknowledged that information on 163,000 consumers was exposed when its database was infiltrated. It agreed to pay a $10 million fine imposed by the FTC and to set up a $5 million account to help those who fell victim to identity theft as a result.”
- March 3, 2006, “Laptop Stolen from Cancer Center Puts Patient’s Info at Risk”, (Houston Chronicle). “The private health information and Social Security Numbers of nearly 4,000 patients of the University of Texas MD Anderson Cancer Center are at risk after a laptop containing their insurance claims was stolen.”
- March 25, 2005, “Stolen laptop contained sensitive financial data”, (The State). A Fidelity Investments laptop computer containing the names, Social Security numbers, compensation and other information for 196,000 current and former Hewlett-Packard employees was stolen a week ago, HP has confirmed.
- February 6, 2006 “Confidential patient data sent to wrong company – for 15 months” (Computerworld) “A small distributor of herbal remedies has for the past 15 months been mistakenly receiving faxes containing confidential information belonging to hundreds of patients with Prudential Financial Inc.’s insurance group. The data exposed in the breach – and faxed to the company by doctors and clinics across the U.S. included the patients’ Social Security numbers, bank details, and health information.”
- November 9, 2005 (Computerworld) “TransUnion LLC, one of the three major credit reporting companies in the U.S. confirmed that a desktop computer containing the Social Security numbers and other sensitive information for more than 3,600 consumers was stolen from one of its facilities.”
- October 21, 2005, “Hospital loses patient data”, (Star Bulletin): Wilcox Memorial tells 130,000 people it lost a computer drive containing personal information.
- April 3, 2006, (Institutional Investor) Citigroup has halted transactions on bank debit cards used in the U.K., Canada and Russia, following similar actions by Bank of America, Wells Fargo, and Washington Mutual. The latest fraud is part of a larger-scale wave of identity theft, which started when a security breach at payment processor CardSystems Solutions exposed the personal information of an estimated 40 million cardholders.
Consumer Notification Laws
A number of states, including Minnesota, have recently passed laws requiring that consumers be notified when their private information is breached.
Recently, on the Federal level, a subcommittee of the House Energy and Commerce Committee approved a bill that would require “all” companies to notify consumers when their information is stolen. If approved, this law would override and broaden the individual state laws that are in place to deal with this issue.
The rash of recent disclosures has raised consumer concerns about identity theft and prompted state and federal lawmakers to propose these new regulations.
Consumer Sentiment
“It is time to hold these companies responsible!” This comment seems to be growing in frequency as the headlines and news reports increase. Consumers will move away from institutions where the perception of security is suspect, and will continue to pressure their state and federal legislators for action.
Conclusion
Significant near-term impact on institutional liability related to information security protection should be expected. Also, as actual occurrences of Identity Theft rise, the increasing notification requirements will drive higher public visibility and possible “customer flight.” It is reasonable to expect that additional security compliance legislation, regulation and monetary penalties will come from both the state and federal levels.
Security Industry Standard “best practice” controls will continue to evolve, and are becoming the legal compliance standard. The cost of implementing these security controls will increasingly be a basic cost of doing business.
How Assurity River Group Can Help with Information Security Best Practices
Assurity River Group offers specific services to help you assess and improve your information security program:
- Our comprehensive Risk Assessment will provide you with detailed, practical findings.
- Assurity River Group’s Information Security Program Charter and policy architecture define a policy structure that starts with board approved policies and extends down to specific policies that protect all information assets.
- Our consultants can help you with mitigation projects that resolve numerous vulnerabilities with one effort, while improving your overall security stance on an ongoing basis.
Assurity River Group’s consultants are available to assist you, regardless of where your institution is in the development of a complete and effective information security program.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.