In October of 1929 the United States suffered a devastating economic crash brought about by an unregulated, manic stock market. Almost $30 billion disappeared from the U.S. economy practically overnight. The dramatic decrease in stock prices and the economic crisis that followed highlighted the laissez-faire policies from which American businesses were benefiting. With no legislation and no regulatory agencies to hold the stock exchanges, banks and other financial institutions in check, the unbridled optimism of the financial industry ultimately led to one of the bleakest periods in modern history.
This type of behavior repeats itself throughout U.S. history. The Food and Drug Administration was brought about by Upton Sinclair's scathing expos� of the meat packing industry published in the early 1900s. This brief history lesson is offered to illustrate a pattern in U.S. policy-making of waiting until after disaster strikes to take action. This theory, taught in public policy courses, is called punctuated equilibrium. The basic notion of this theory is that policy is driven by crisis. Over the course of the last seventy years, both industry and Congress have learned from their mistakes, though the recent corporate accounting scandals prove that there is progress still to be made. Both industry and Congress, though, are making efforts to curb the increase in one of the fastest growing, expensive trends in criminal activity: credit card fraud and identity theft.
The term "information security" is not yet a household phrase, but it is becoming more and more familiar to consumers in all industries. Both B2B and B2C companies are finding that good information security practices are providing a competitive edge in the marketplace. In the search for strategic partners, companies are more willing to partner with others that can maintain the integrity of their information systems. According to Piet Opperman of CSCB, companies can make themselves a more attractive business partner through maintaining secure systems. Similarly, B2C companies are beginning to get more mileage out of the notion of secure storage of personally identifiable information. Two well-known companies in the travel industry recently took major publicity hits when consumer and passenger data was found to have been shared with a third-party marketing firm in one instance, and a government research project in the other instance.
Credit card associations have also begun mandating a baseline of security standards that must be met by anyone handling, storing, or processing cardholder data. According to the Federal Trade Commission, credit card related fraud resulted in consumer losses of over $400 million in 2003. Though the consumer does have the challenge of restoring their credit reports and history, the consumer is not financially responsible for the fraudulent purchases that are made. It is the card association member banks that bear the financial burden of the fraud. In response to this growing phenomenon, and the use of the internet as medium for commerce, the card associations have taken the proactive step of creating security standards. Visa's Cardholder Information Security Program (CISP), launched in 2000, lays out the security standards with which member banks, merchants and third party
service providers must comply when handling cardholder data. The requirements vary based on business model and size. Service providers and large merchants (those that process more than 6 million Visa transactions annually) must demonstrate their compliance with these standards by September 30, 2004. Similarly, MasterCard's Site Data Protection (SDP), launched in 2002, enumerates security practices for its merchants, service providers and Acquirers. American Express has published a set of Data Security Requirements, though they are not yet mandatory. Discover cannot be far behind. While the card associations can only do so much to enforce the programs, they have begun to hold their member banks liable for the security of their respective merchant portfolios. This pressure has led member banks to enforce compliance with the card association programs among their merchants and VARs.
The loss of competitive edge and pressure from card associations are not the only reasons to secure consumer data. Governments, both state and federal, are recognizing the detrimental effect of information theft and fraud on the economy. California initiated the trend with California SB 1386, a law requiring companies to notify consumers of suspected incidents of security. The bill outlines a schedule of fines, but what resonates even more with businesses is the notion that a company in violation of the bill can be enjoined until they are compliant. Several states, including Arkansas, California, Colorado, Louisiana, Maine, New Jersey, New Mexico and Utah, have passed bills regulating the type of data that can appear on printed receipts. In addition to the list of laws that deal with information
security that have already passed in Congress, such as the Gramm-Leach-Bliley Act, Sarbanes-Oxley, the Patriot Act, Health Insurance Portability and Accountability Act, there are a number of new bills that have been proposed on Capitol Hill to protect consumer information. Some of the proposed legislation includes:
- The Identity Theft and Financial Privacy Protection Act of 2003
Among the provisions requiring issuing banks and credit reporting agencies to take certain actions pertaining to credit requests and address changes, there is a clause requiring the truncation of credit and debit card numbers on all electronically printed receipts.
- The Consumer Identity and Information Security Act of 2003
This bill pertains to the protection of any personally identifiable information including social security numbers as well as payment device numbers. According to this bill, should it pass, the Federal Trade Commission will establish guidelines that businesses must follow in the event that a breach of the business' customer information databases has occurred.
- The Identity Theft Notification and Restoration of Credit Act of 2003
The provisions of this bill would require financial service providers to notify customers of any potential unauthorized use of their personal information. For the purposes of this bill, personally identifiable information is defined as the first name or initial and the last name, combined with any of the following unencrypted information: a social security number, a driver's license number (or other official form of identification), a credit card or debit card number, or any password or security code that would provide access to financial information.
The laws that have passed, and those that have been proposed, spell out very clearly what the organization's liability might be for violating the laws. Guess Incorporated recently settled FTC charges regarding the company's misrepresentation of the security of consumer information. The company stood accused of exposing personal data to commonly known attacks, such as SQL injection, while at the same time reassuring users of its website that personal information would remain protected. As a result of the settlement, Guess is required to create, implement and maintain an information security program. The government is clearly taking an interest in the prevention of information theft and their chosen method of prevention is to make companies liable for the loss of information.
It may appear to some that the card association requirements and the proposed laws overlap. That may be true, but what often goes unnoticed is that they are synergistic in many respects. For example, adherence to card association requirements will likely put a company in a good position when being assessed against the newly minted legislative acts. In fact, some of the proposed legislation stipulates that enrollment in a certified industry self-regulatory program may be taken as proof of compliance with the laws. Much of the new legislation centers on the loss of unencrypted data, for example, while Visa's CISP requires cardholder data to be encrypted. Other areas of synergy between proposed legislation and card association requirements include a regularly conducted risk assessment and the implementation of a comprehensive information security policy.
In many respects, the Internet and the use of networked environments has made business and commerce more convenient. With that convenience, though, comes the introduction of new dangers. The misuse of consumer data results in the loss of billions of dollars to the U.S. economy. As identity theft becomes more and more prominent, consumers are also becoming more savvy about how they use their information and choosing companies that they feel are operating in a safe environment. Rather than accept the drain on the economy that is represented by the growth in identity theft and credit card fraud, the government and the private sector are moving to create laws and standards for the protection of vital information.
Consumers are beginning to regard successful security assessments as a criterion for choosing a company to provide them with the products or services that they need. The government is also beginning to hold companies responsible for the lack of controls that result in security-related incidents, such as hacking and other compromises. Corporations can no longer afford to regard information security as a "luxury." They must take measures to protect vital data in order to ensure their own continuity.