By Robert Vamosi
Senior editor, CNET Reviews
November 11, 2005
Earlier this year, I wrote about several major data breaches at ChoicePoint, then LexisNexis. Headlines screamed how thousands--and in the case of CardSystems, millions--of individuals had their names, Social Security numbers, and other personal information exposed to god-knows-who. These revelations came only because of a California law, SB 1386, which requires companies to inform California residents if any data breaches occur. The Senate is currently considering a national version of the California law, but a weaker House of Representatives bill is rapidly gaining influence in Congress. If the House bill passes and becomes law first, future data breach revelations will be silenced, and data thieves will be free to run amok.
For the companies, California SB 1386 revelations have proved embarrassing and costly. For CardSystems, for example, American Express and Visa have ended their relationships with the card processor, and MasterCard is said to be considering similar action. In the case of CardSystems, it was probably an outside attacker using a rootkit, but with LexisNexis and ChoicePoint, the breaches occurred because customers or employees manipulated the rules. According to the FTC, data breaches such as the above examples cost businesses about 48 billion dollars last year. And it's the cost to businesses, not individuals, that appears to have motivated Congressman Cliff Stearns (R-Florida) to push through his recent changes to HR 4127, the Data Accountability and Trust Act (DATA).
Here comes HR 4127
According to Stearns's press release, "This bill will help ensure that personal data are accounted for, secured, and actively protected against breaches by empowering consumers and businesses to promote the notion that security sells." On the surface, HR 4127, DATA, sounds good, but let's dig a little deeper, since any new federal law would automatically replace California's SB 1386.
snip
There are two dangerous consequences. One, you won't know that your data was compromised unless you've requested your free annual credit report or you find yourself turned down inexplicably for a loan or a job. Two, we will have no metric to understand how serious the problem is. Under the DATA law, companies are required to have an individual responsible for personal privacy and to report breaches to the Federal Trade Commission, but public disclosure isn't required. If a tree falls in a forest and no one's around, does it still make a sound? It does if you're the one having your identity stolen.
more at:
http://reviews.cnet.com/4520-3513_7-6381707-1.html?tag=nl.e757