There were 305 publicized data breaches affecting nearly 77 million individuals in the United States in the first nine months of 2007, according to the Identity Theft Resource Center, a nonprofit that works to prevent identity theft. Of these incidents, 6.2 percent were reported by banking, credit and financial services institutions.
Law firm Scott + Scott, which recently conducted a separate survey on data breaches with privacy and information management research firm The Ponemon Institute, reports that almost half the data breaches it recorded were attributed to lost or stolen equipment, such as laptops, PDAs and memory sticks. The second largest threat, according to the Colchester, Conn.-based firm, arose from negligent employees, temporary employees and/or contractors. The survey, "The Business Impact of Data Breach," examined the responses of more than 700 U.S.-based C-level executives, managers and IT security officers in midsize to large businesses spanning all industries.
But despite the frequency of such security failures, 42 percent of respondents to the Scott + Scott survey whose companies have suffered data breaches claimed their organization's IT security spending will remain the same in the coming year. Even after suffering a data breach, 46 percent of businesses failed to implement encryption solutions, and 82 percent did not seek legal counsel prior to responding to the incident -- even though they had no prior response plan in place.
Rob Scott, managing partner at Scott + Scott, says he was particularly alarmed by the fact that the vast majority of businesses failed to get legal counsel before responding to incidents, noting that almost all the businesses (97 percent) that suffered a data breach were required under state statutes to notify customers that their information was lost or stolen. "The legal landscape governing data privacy is complex with separate state regulations and numerous federal regulations that may be applicable to a particular incident," he adds, explaining that data breach notification laws currently exist in 39 U.S. states.
In the meantime, lawmakers continue to debate U.S. privacy laws, and in particular the widespread use of Social Security numbers as a unique identifier. Stored in companies' databases, these numbers are a prime target for identity thieves.
"We are likely to see regulation changes in the near term and long term with regards to privacy laws. Many are questioning the theoretical underpinning to the U.S. approach -- Europe has much stricter laws," Scott contends.
"The question is: How do you define private information? In the U.S., it is your first name, last name, your financial account number in combination with your access code. We define it very specifically," Scott continues. "In Europe, the definition is much broader. The [European] requirement to establish a bona fide business purpose for the use of your personal information is much stricter. Long term in the U.S., we'll continue to talk about what is the appropriate underpinning in terms of defining personal information and the circumstances under which you can collect Social Security numbers, as well as storage and destruction policies."
Melanie Rodier has worked as a print and broadcast journalist for over 10 years, covering business and finance, general news, and film trade news. Prior to joining Wall Street & Technology in April 2007, Melanie lived in Paris, where she worked for the International Herald ...