NORTH CAROLINA LEGISLATION TO SECURE CONSUMER DATA AGAINST IDENTITY THEFT INTRODUCED
newsobserver.com | Business
Coding lives
Legislation is in the works to make consumer data more secure
By VICKI LEE PARKER, Staff Writer
For years, consumers have handed their credit cards over to store clerks with a sense that their personal information would be well protected.
But as 1.4 million shoppers at DSW Shoe Warehouse found out in March when their credit card information was stolen from the retailer, people are likely being too trusting.
"If people knew how bad the information security practices are at some trusted institutions and businesses, they would be horrified," said Jon Oltsik, senior analyst of information security at Enterprise Strategy Group, an industry analyst firm in Milford, Mass.
There have been at least four recent cases, Oltsik said, where data that was stolen from major companies, including Bank of America, Time Warner and Citigroup, was not encrypted. Encryption makes the information unreadable using complicated numeric calculations. Only people with the key to the code are able to translate the information.
In all those cases, the data was stolen while in transit to a back-up center, Oltsik said. "In a recent research study, we found that only 7 percent of enterprises always encrypt back-up data," he said. That number is even lower for information that sits on a computer. "My gut is that it is about 5 percent to 6 percent," Oltsik said.
Forcing companies to encrypt personal data is one way lawmakers are trying to get those percentages up. This month, Reps. Joe Barton, R-Texas, and John Dingell, D-Mich., co-sponsored legislation that would require businesses involved in interstate commerce to improve their methods of securing sensitive personal information.
The bill is one of several that members of Congress are putting forward to address identity theft. Most call for tougher penalties for companies that don't protect consumers' personal information.
Sens. Arlen Specter, R-Pa., and Patrick Leahy, D-Vermont, this month co-sponsored a security bill that calls for restricting the use of Social Security numbers and asks for criminal penalties for executives whose businesses violate the law.
"It's important for legislators to punish lapses in security," said Mark Durrett, director of product marketing for Covelight, a Cary company that sells a computer product that helps businesses flag unusual activities.
Without penalties, Durrett said, there is little incentive for companies to improve protection of customers' information.
"Now it's assumed that if a company has a breach in security, the market is going to punish them through the loss of customers," said Durrett. "But when your customers are the banks, as is the case with credit card companies, that's not likely to happen."
The proposed bills also move beyond financial institutions and hold more companies, such as retailers, consumer reporting agencies and data brokers, accountable for making consumer information secure. The Gramm-Leach-Bliley Act now requires banks and financial institutions to protect data.
Widening the scope of the legislation is expected to lead to more resistance from the business community.
"Businesses are going to tell the government, 'We are not financially capable to implement this. If you want me to do it, you need to provide us with funding,' " said John Pironti, security consultant at Unisys, an information technology consulting company.
It will be particularly hard on mom-and-pop stores that may have to spend thousands of dollars to install the equipment needed to encrypt or equally protect personal data, Pironti said.
Still, Pironti said that the cost may not be as high as some companies think. In the 1970s and '80s, the equipment needed to calculate the complicated numeric code used to encrypt data was costly, he said. But that has changed with improved technology.
"The overhead and cost is dropping considerably," Pironti said. "A lot of new software and hardware products are offering ... [encryption capabilities] as a core option instead of an add-on."
Despite its benefits, encryption is limited to protecting information from outsiders, said Durrett. It does little to prevent malicious attacks by people who have legitimate access to sensitive data, such as the tellers at several banks in Hackensack, N.J., who illegally downloaded information from 676,000 accounts earlier this year.
"All the encryption in the world won't stop them," Durrett said.
Monday, August 01, 2005