A security breach at a credit card payment-processing company in 2005 exposed more than 40 million accounts to fraud. Information on about 200,000 accounts was estimated to have been copied from the company’s network.(26) That incident followed a breach earlier in the year when a consumer-data collection company was infiltrated by an identity-theft ring, which gained access to consumer data such as credit reports and Social Security numbers. An estimated 100,000 people nationwide were affected.(27)

The breach at the credit card payment processor spurred two U.S. senators to introduce a federal bill that would force companies to notify consumers when the security of their personal information is jeopardized. Such a bill would, however, merely be the latest in a string of increasingly stringent laws aimed at protecting consumers’ private information.
The Regulatory Revolution
As consumer fears about identity theft have intensified, state and federal legislators have reacted with laws to require businesses to take greater steps to protect privacy. The first of these laws started out as parts of larger bills regulating the health-care and financial sectors of the economy. Later bills have taken a broader approach, requiring greater data security on the part of all publicly traded companies and mandating that companies notify customers when a breach in security exposes personal information to potential misuse. While the intention was to increase the safeguards for personal information, a side effect has been to force industry to spend billions of dollars to upgrade technology and security procedures.
The first regulation at the federal level affecting consumer privacy was the 1996 Health Insurance Portability and Accountability Act (HIPAA), which was aimed primarily at making sure that workers could keep their health insurance and obtain coverage for pre-existing conditions should they change jobs. Spearheaded by Sen. Edward Kennedy (D-Mass.) and Sen. Nancy Kassebaum (R-Kansas), the bill included provisions mandating that health-care providers and insurers keep patients’ personal data and medical history private.
At the White House signing ceremony in 1996, President Clinton said the bill would “provide steps to protect the privacy of people in the system...”(28)
As in so much of politics and regulation, the devil remained in the details, and the privacy regulations were not promulgated and put into effect until 2003.
Failure to comply with the regulations can bring fines of up to $25,000 annually for multiple violations of each standard, while obtaining information under false pretenses carries fines of up to $100,000 and up to $250,000 if the intent is to sell the information.(29)
The next federal bill to mandate increased privacy strictures for business was the Financial Modernization Act of 1999, which repealed the Depression-era Glass-Steagall Act and allowed banks to affiliate with insurers and securities firms with fewer restrictions. Better known as the Gramm-Leach-Bliley Act (named after its Republican sponsors Sen. Phil Gramm of Texas, Rep. Jim Leach of Iowa, and Rep. Thomas Bliley of Virginia), the law also mandates that financial institutions take greater measures to protect the personal financial information of their customers.
The bill requires financial institutions to protect personal financial information from unauthorized access and to provide customers with an outline of the institution’s privacy practices, including the kind of information the company collects and the conditions under which that information is shared with others.(30)

Violations can bring civil penalties of up to $100,000 for financial institutions as well as fines of up to $10,000 for officers and directors. Criminal penalties can be as severe as up to five years in prison.
Just as HIPAA and Gramm-Leach-Bliley increased the regulatory burden on the health-care and financial industries, the Sarbanes-Oxley Act of 2002 made data security a priority for every publicly traded business.
Sarbanes-Oxley and Notification Laws
Among the federal laws affecting data privacy, the Sarbanes-Oxley Act, which came to fruition in reaction to big accounting scandals, has been particularly difficult for business. Sponsored by Maryland Democrat Sen. Paul Sarbanes and Ohio Republican Rep. Michael Oxley, the law mandates stricter accounting controls at publicly traded companies. Among the law’s many provisions — and 40 pages deep in the bill — are the few paragraphs of Section 404 that have left businesses scrambling. Section 404 requires business management to establish and maintain adequate internal controls for financial reporting and to provide an annual assessment of those controls.(31)
Because financial data are now hosted on computer networks, compliance with the law means that companies must pay particular attention to protecting the integrity of their networks. By making top executives responsible for data security, Sarbanes-Oxley has elevated the issue to the highest ranks of management.
In addition to federal laws, businesses have had to keep up with privacy initiatives at the state level. Chief among those is the 2003 California law, SB 1386, which requires companies to notify consumers when their personal information has been exposed to possible misuse. Other states have since followed California’s lead in requiring some notification, and two U.S. senators introduced a federal bill in 2005.