Customers' data must be protected

February 02, 2007|By David Etue

Computer hackers got the best of T. J. Maxx, Marshalls and other chain stores owned by TJX Cos. when they stole the personal data of hundreds of thousands of customers. The theft, disclosed by the company last month, led to fraudulent purchases across the country and as far away as Hong Kong and Sweden. It was the latest publicized high-stakes heist of credit card information, Social Security numbers and other data. But it surely won't be the last.

Identity theft is a real and growing problem. Securing data privacy and policing identity theft should be on the "to do" list of the new Democratic-controlled Congress because it's an issue that affects constituents in nearly every state and often with serious and costly consequences for victims' credit ratings.

The past few years have seen a sharp increase in the leakage of personal data from institutions. According to a list maintained by the Privacy Rights Clearinghouse, a San Diego-based advocacy group, more than 190 such incidents have been reported since February 2005. Beyond these immediate costs, data leakage threatens the integrity and growth of e-commerce.

A number of data privacy bills have been introduced in Congress. Maryland legislators have passed laws dealing with narrow aspects of identity theft, but they have yet to implement a data privacy law like those in effect in 35 other states.

In the federal arena, any legislation should be guided by these principles:

Clear, uniform and comprehensive application. Of the 35 states with some form of data privacy law, California's is the leading one. Given that it covers any company with operations in California, it has been called a de facto national data privacy law, but that's a misnomer. The law's provisions differ from those of other state laws. The result: Large organizations must tailor their processes and procedures to California's law and those of other states.

Compliance with multiple and often conflicting legal frameworks increases costs and, more important, minimizes the clarity necessary to inspire trust among consumers. This trust is the basis of the continued growth of innovative, digitally based business models and practices. Federal legislation should be clear, uniform and comprehensive. It should authoritatively define "personal data" and "identity." It should establish national benchmarks that set a floor of protection rather than a ceiling. Finally, privacy legislation should apply to private and public enterprises, including federal, state and local governments.

Use of current best practices. Legislation need not be constructed from whole cloth. As noted above, numerous states have addressed data privacy. Government bodies have been joined in this effort by private businesses, trade associations and advocacy groups.

Together, our nation's public and private organizations have developed best practices that should be used to develop a national standard. They include an expansive understanding of private data, disclosure of a breach even if security procedures are in place, disclosure of a breach when data are reasonably believed to have been compromised, delayed disclosure to meet the legitimate needs of law enforcement, and an annual risk assessment by organizations that meet a certain threshold, such as the quantity of identities held. California's law and the Payment Card Industry Data Security Standard are two strong benchmarks for federal legislation.

Vigorous enforcement and substantial penalties. Experience with spam and other abusive and criminal activity has demonstrated that enforcement is critical to any digital protection legislation. Appropriate government agencies must be fully empowered and possess necessary resources to enforce the law. In addition, penalties must be designed to encourage compliance that genuinely lessens the risk of private data loss. This translates into significant funding, substantial penalties for intentional violations, lesser penalties for unintentional violations, and penalties based on the number of identities disclosed. Organizations that work to protect information should be rewarded.

Maryland lawmakers should join other states in protecting consumers by requiring Maryland-based organizations to take certain steps to protect their customers' data.

More important, Congress should step up with thoughtful and comprehensive legislation to guarantee that digitized data are used for proper purposes. Doing so in the "second hundred hours" would send a strong signal to corporations and voters that the new Congress is serious about tending to the nation's business.

David Etue is senior security strategist for a Bethesda company that specializes in preventing data leakage. His e-mail is

Baltimore Sun Articles