New laws could change how you handle customer info.

October 1, 2005

Data security is a high-profile topic these days. After big-name breaches involving companies like Bank of America, ChoicePoint, LexisNexis and MasterCard, a new push has begun for legislation on both the state and federal levels to deal with the issue. Dorsey Morrow, general counsel for the International Information Systems Security Certification Consortium, says businesses large and small should take heed. "The proposed federal laws will apply to anyone who collects confidential or personal information from consumers," says Morrow.

Morrow sees a confluence of events that have brought the issue of data security to the fore, including a lack of adequate security, a lack of industry standards and increased interest from criminals. Besides a slew of different bills winding their way through Congress, many states have bills of their own either enacted or under consideration. Most take after the seminal 2003 California data security law, which requires California customers to be notified if their unencrypted personal information is compromised.

Legislation on the federal level will likely supersede the various state laws. Nobody can pinpoint exactly when a federal law will arrive or what form it will take. At least half a dozen different proposals are being considered. "It's going to take a while to wind through the various committees and subcommittees and the House and Senate," Morrow says.

Entrepreneurs should keep an eye on Congress as well as on state laws, and look into ways to keep their customers' data secure. Common-sense actions like crafting a security policy, encrypting data and avoiding asking for unnecessary sensitive information such as Social Security numbers can go a long way.