When one thinks of data security, it is generally in conjunction with
some onerous regulation: Sarbanes-Oxley, Gramm-Leach-Bliley or an
industry-specific regulatory program. These bills were passed with
several goals in mind. SOX was passed to ensure accurate financial
reporting and to avoid another Enron scandal. GLB was enacted to
protect consumers’ financial information. These are all admirable
goals, but most businesses eye these regulations with some hesitation.
The legislation that causes perhaps the most trepidation is the PATRIOT
Act. The act was created to “deter and punish terrorist acts in the
United States and around the world.” In order to do this, legislators
identified several crimes that could be directly linked to issues of
national security.
As part of the act, the legislators addressed the growing concern
represented by money-laundering. Title 3 of the bill is entitled
“International Money Laundering Abatement and Anti-Terrorism Financing
Act of 2001”. According to the congressional findings discussed in the
legislation, “money laundering, and the defects in financial
transparency on which money launderers rely, are critical to the
financing of global terrorism and the provision of funds for terrorist
attacks...” Congress recognized the critical role of money laundering
in the funding of terrorist activities. In response, the government
body took what it considered appropriate measures to stymie those that
would engage in the illegal activity. Congress continues to study the
methods of financing used by terrorist organizations.
In a recently released report entitled “Identity Theft and Terrorism”
by the Democratic Staff of the Homeland Security Commission of the U.S.
House of Representatives, fraudulent use of credit cards was cited as a
common source of funds for terrorist organizations. The report, written
in the aftermath of the ChoicePoint data loss, concentrates on the
relationship between identity theft and national security.
Specifically, the concern is that, “ChoicePoint and similar entities
are not securing their databases in ways that prevent terrorists from
stealing personal records...These security gaps must be fixed so that
terrorists cannot steal American identities and hide among us here.”
It should be noted that the report also extensively discusses the data
loss by CardSystems Solutions, Inc.
Citing a November 4, 2001 Chicago Tribune article written by Todd
Lighty, the report states that terrorist cells have been capitalizing
on schemes to steal millions of credit cards. Similarly, a book written
by convicted terrorist Imam Sumudra includes a chapter on the ins and
outs of committing credit card fraud. The report goes on to discuss
several instances in which credit card fraud was used to fund
terrorism. These include:
The FBI reports that several Al Qaeda cells have used stolen credit
cards to make purchases supporting their activities.
The 9/11 hijackers used stolen or fraudulent credit cards to carry out
their terrorist plot.
Using previously discussed theories of public policy, one can easily
conclude that regulations such as those recommended in the report are
not beyond the realm of possibility. For example, using
the theory of lesson-drawing, it can be easily surmised that Congress
will soon make a law (or laws) mandating data security standards for
those that maintain databases that contain personal data. The theory
of lesson-drawing states that governments will look across time and
distance to see how similar situations have been handled. In this
case, Congress might look back to the recent past of the PATRIOT Act
and draw parallels between the threat posed by money-laundering and
that posed by identity theft and credit card fraud.
Additionally, one might see the phenomenon of policy learning in this
instance. Policy learning can be defined as the process through which
policy makers gather new information and incorporate that knowledge
into a new policy. In this way, the actual outcome is measured against
the desired outcome and changes are effected to minimize the divergence
between the two. In this way, policies can be refined to ensure that
they are effective and efficient. In this instance, it would not be
unusual to see the legislature build on existing data security
standards that exist in the GLBA and SOX regulations.
Additionally, the need to notify individuals that may have been affected by a
security breach is more than likely to be included in any new
legislation regarding data security.
In the payments industry, there is a tendency to focus solely on the
security of the credit card data. This is understandable considering
the pressures imposed by compliance with the Payment Card Industry
(PCI) Data Security Standard. Emphasis is entirely on protection of
account information. These new regulations, when they arrive, will
likely have a much broader focus. They will likely encompass all
personally identifiable information. As stated in an earlier article,
personally identifiable information can be defined as any information
that can be used to identify, contact, or locate an individual. This
might include, but is certainly not limited to, phone numbers,
addresses, birthdates, social security numbers, usernames, passwords,
and similar uniquely identifying information.
Again, hearkening back to an earlier article, it is imperative to
understand the difference between compliance and security. Simply
complying with a law or industry regulation may not address the
specific risks inherent to the business environment in which you
operate. As stated in my article from July 2004, “Compliance, even
stripped of its regulatory context, can be defined as ‘meeting or
adhering to an existing standard, goal or objective’. The foundation of
compliance is a particular standard or objective.” This is a relatively
static target. Meanwhile, security can be defined as
“a measure or measures taken to guard against a threat or
vulnerability”. This is definitely a moving target, as new threats and
vulnerabilities emerge on a daily basis.
Rather than being an ominous cloud on the horizon, the prospect of new
regulation should act as a call to action. Good security practices now
will make compliance with new regulations later that much easier. For
example, among the suggestions posed by the committee report is the
legislation of notification to customers in the event of a security
breach that results in the loss of consumer data. Such a law already
exists in California, and in light of incidents such as ChoicePoint and
CSSI, it is gathering momentum on Capitol Hill. By adopting a
notification policy now, a company can ensure compliance with
California’s law (and the law of 19 other states) and enable compliance
with similar laws that may be passed on a federal level.
Notification policies are just one example of the way in which forward
thinking on security issues can put a company well ahead of the
regulatory eight ball. Additionally, such forward thinking protects
our national interests by increasing the work factor involved in
securing information for the purposes of funding terrorist plots. In
fact, Congress feels so strongly about this that on July 14, 2005, the
Identity Theft Protection Act was introduced in Congress. According to
the bill, any company that stores personal information will be required
to implement technological and physical safeguards on the information.
Such protective measures will be dictated by the Federal Trade
Commission. Further, the bill would require notification to customers
of any data breach that results in the loss of information, whether
encrypted or not. Fines could be imposed up to $11 million. While the
bill has just been introduced, and similar bills have met with
resistance from technology vendors, the fact that similar bills are
repeatedly introduced should be a sign that Congress will continue down
this path until a bill is finally passed. By addressing concerns such
as those pointed out in the Homeland Security Report now, companies can put
themselves well ahead of the regulatory eight ball.