Firms face pressure to encrypt data - The Boston Globe
States setting rules as breaches increase
By Ross Kerber, Globe Staff | January 18, 2007
Data thefts like one reported by TJX Cos. yesterday have put growing pressure on corporate America to protect customer data.
Hundreds of companies, universities, and other organizations have reported losing customers' names, Social Security numbers, or other information that can open the door to fraud.
In response, more than 30 states have passed laws resembling a four-year-old California requirement that companies inform individuals if they lose control of data. Most of these laws waive the requirement if the companies encrypt the data -- or encode it -- to make it harder to access.
Action is also underway in Washington, where Democrats including Representative Barney Frank of Newton, chairman of the House financial services committee, say they will press for similar rules nationally. Rather than embarrassing companies when they lose data, Frank said, the goal should be to reduce harm in the first place.
"Not every breach of data security should require that you notify people," Frank said. Frank also proposes a joint committee be formed to write a national data-safeguards bill. "The goal of legislation shouldn't just be to help people after the data is released, it should be to diminish the releases," he said.
In a statement yesterday, TJX did not give many details on how many customers' data were affected by what it called "an unauthorized intrusion into its computer systems" that process and store customer transactions, including credit- and debit-card information. A spokeswoman declined to discuss whether the data was encrypted.
Protecting privacy has taken on a new urgency with rapid improvements in memory and capacity that allow huge data sets to be stored on laptop computers, Blackberries, and similar devices often taken by thieves.
Because of the new state laws, privacy specialists know of hundreds of cases in which personal data has gone missing, and some suspect many more cases are out there. Since November, Kaiser Permanente healthcare system, the Internal Revenue Service, and Starbucks Coffee Co. have lost personal data, according to the Privacy Rights Clearinghouse, a San Diego consumer organization.
The latest way data can walk off is on cheap memory sticks, devices smaller than a finger that plug into a computer's USB port and can hold up to 4 gigabytes of data. The San Diego group already counts several cases since July in which these devices have disappeared, including one lost from a Transportation Security Administration command center at Portland International Airport in Oregon.
To protect themselves, companies are spending heavily to encrypt data to make it safer to pass around. One of the largest encryption-software sellers, PGP Corp. of Palo Alto, Calif., says sales grew more than 50 percent to $43 million in its most recent fiscal year. Chief executive Phillip Dunkelberger said the California law and similar measures in Europe and Japan helped drive the growth.
Gene Kim, manager for Financial Insights, a Framingham consulting firm, said he's seen companies that have encased computers in panels that prevent anyone from connecting a USB device. "The thing that cuts nearest and dearest to a financial firm is their reputation," he said.
California's law is stronger than many businesses would like, since it requires companies to tell consumers of any case in which unencrypted personal data may have been "acquired by an unauthorized person," which some see as too broad a definition. Because nearly all companies operate in that state, it has become a de facto national standard.
Some regulators have gone further. In December, Ameriprise Financial Services Inc. of Minneapolis agreed to pay $25,000 to settle a probe by Massachusetts Secretary of State William F. Galvin over a stolen computer with data on 130,000 consumers and 70,000 financial advisers.
Galvin and others say the fine may be the first ever in a case involving stolen data. The payment should serve to put more companies on alert, Galvin said. "It's time to elevate the level of concern here, that it gets beyond 'oops,'" he said.
Galvin called the idea of exempting companies from notification if their data is encrypted reasonable and said it might create an incentive to encrypt. (Ameriprise says it had become company policy to encrypt such data, but that in this case an employee failed to do so and was fired.)
So far Massachusetts does not require consumers be told if their data is lost or stolen, though politicians including Senator Michael Morrissey, a Quincy Democrat, say they plan to refile legislation this year that would resemble California's notification rules.
Ross Kerber can be reached at kerber@globe.com.