By Neil J. Morse
October 12, 2006
Fear of fraud is fueling a rush of new state laws intended to protect
consumers. But in its path, this blazing regulatory fire may torch many
financial services providers unable to keep up with all the new
"There's 35 different states looking at privacy laws and depending on
what information [lenders are] sending out, in some states that may
trigger a violation of privacy laws," worries Alfred Connizzo, chief
operations officer, LandAmerica Credit Services, Norcross, Ga.
One leading area of lawmaking involves security breach notification,
which centers on making lenders responsible for notifying customers when
a breach (loss, compromise, theft, etc.) occurs. "It's important to have
a policy in place [explaining] what you're going to do if there is a
breach," Connizzo counsels.
That responsibility, however, is becoming more difficult as individual
states develop their own definitions of "public" versus "private"
"There are 35 different laws pending to define what that is," according
to Connizzo. "For some of them, 'private' is defined as the last name
and any other piece of identifying information. [But] is that [really]
private information?" he asks doubtfully. Connizzo is hoping a
preemptive federal law will get rid of these changes being made by the
In the meantime, data breaches in the last year have exposed the
personal information of more than 80 million Americans, according to the
Privacy Rights Clearinghouse, a nonprofit organization that follows
Among the most celebrated was the May 3 theft of computer disks holding
the names, Social Security Numbers and other information of 26.6 million
armed forces veterans.
Motivated by these occurrences, 17 states have passed "credit freeze"
laws enabling consumers to prevent banks or credit agencies from issuing
new accounts in their names. Businesses are opposed to such legislation
because retailers, in particular, want to make it easy to buy and are
willing to write off identity theft as a cost of doing business.
Focus on high-risk areas
But it is insider hacking that can be the most insidious threat to
corporate security, according to Ian Lim, director of enterprise
security, New Century Mortgage, Irvine, Calif., who estimates that it
can emanate from "the 10 percent of those who can bypass 90 percent of a
company's protection." Lim said, "You can't secure everything so focus
on high-risk areas. Identify, verify, analyze, prioritize and
He elaborated: "Conduct an annual risk assessment in the third quarter
of the year. Prioritize risk with your executive management and build
remediation plans into departmental budgets." Lim offered several Web
sites to help companies keep up with the "current threat landscape." Lim
says "breaches may come from organized crime, terrorists, hackers and
"hacktivists," the last comprised of people "trying to make a point" in
One result of all this fraud is a heavier compliance burden for
business. Peter Delano, senior analyst, investment management,
TowerGroup, Needham, Mass., said the post-Enron/WorldCom climate is
fanning the regulator flames when it comes to laws like those aimed at
security breaches. "All this regulation ... hurts -- it hurts a lot,
because just as soon as you think you have [one] figured out there are
others; there's no end, it's ongoing testing, and reporting and
monitoring," Delano complains.
He reports that half of all financial services companies have had a
major increase in efforts to meet compliance regulations from 2002 to
2005, and 15 percent of all operating costs are spent on compliance
among large firms.
Copyright 2006 Inman News