Sunday, November 12, 2006

Safeguards Rule: The ID Theft Battle...

Unlike Europe and other forward-thinking regions of the globe, the United States is still wrestling with a national data security and privacy law. If the new Democratic power base is successful, the ID theft and privacy battleground will shift from a corporate focus to a more consumer-focused one.

A new ID theft task force made up of 17 US Government agencies has been working on a strategy report that is due by February 2007. It will highlight "ID Theft Red Flags," or rules that need to be addressed when they occur. The Federal Trade Commission (FTC) will be gearing up enforcement against companies that trade in PII (Personally Identifiable Information), as it did this past year with ChoicePoint and others.

Organizations are being pressured to retain data longer, up to two years, as a more modern FISA (Foreign Intelligence Surveillance Act) is contemplated. This will assist law enforcement and corporate security departments in evidence collection and the investigative process to detect and defend company assets and national security against "Lone Wolf" terrorists and everyday fraudsters, counterfeiters or pirates. If you are currently a consumer using Vonage, Skype or some other VoIP service, you can bet that all of your calls are going to be accessible for some time to come.

As the Federal Civil Rules on Electronic Discovery change on December 1st, records retention policies and data categorization or mapping exercises will be in full swing. If they aren't, be prepared for quick judgments and settlements from your organization if your litigation readiness factor is in the red or even the yellow zone. In terms of your third-party or outsourced relationships, you can bet that a SAS 70 Type II will not be enough to ensure that your partner has been doing enough to protect your customers' PII.

So what does all of this mean? So what!


It means that the 8 million+ small and medium enterprises in the US will be subjected to FTC scrutiny under the Safeguards Rule:

According to Orson Swindle, former commissioner of the U.S. Federal Trade Commission,

We're going to probably see a broadening or extension of the safeguard rule in the Gramm-Leach-Bliley Act to cover a significant number of organizations that handle sensitive information but that aren't financial services institutions. There is a new awareness that personal information is very valuable, and it needs to be protected whether we're talking about a financial institution or a university or a shoe store.


As the committees in Congress are sorted out and the first 100 hours of the new Democratic regime take hold, don't be surprised if your organization is now in the crosshairs of the government's regulatory enforcement teams. The US Attorney in your jurisdiction is ready to begin a new era of getting business to invest in soundness and safety, even if you are not traditionally a highly regulated entity. You think ID theft is just another bother?

Woe to you, friend, if that's your attitude. Data security may be dead in Congress this year, but the Federal Trade Commission is on the case, and that could mean trouble for lax companies.

"The FTC has stepped into the void," said Emilio Cividanes, a partner in Venable LLP. "And every proposal for comprehensive legislation has the FTC playing an important role."

For one thing, the commission is now putting its finishing touches on its ID Theft Red Flags Rule, requiring that companies spot and address identity theft risks.

What would constitute a red flag? Multiple addresses for a credit-card holder, according to Joel Winston, associate director of the Privacy and Identity Protection division of the FTC's Bureau of Consumer Protection, speaking at DMA06 in San Francisco.

And the FTC is aggressively pursuing companies for allowing security breaches to occur or for not having protections in place. And why not? It is getting 15,000-20,000 consumer messages a week through its Identity Theft website and telephone number.


If you are one of the millions of small to medium enterprises (SMEs) in the United States without a full-time Chief Information Security Officer (CISO), you may be at significant risk, especially if your General Counsel has little or no relationship with the person you have charged with keeping the networks running and the infrastructure maintained. Be forewarned. The next new hire in your organization may be a lawyer with a CISSP, or even a person with an MIS and a J.D. degree. In either case, the government is going to come knocking and your reputation is on the line.
