d numbers, and account numbers (bank, checking, saving, etc.), are being forced to assume responsibility of the consumer data they maintain and are being penalized with fines if they do not.

Over the last few years, American businesses have begun to get use to the idea of mandatory compliancy programs, the health care industry has Health Insurance Portability and Accountability Act (HIPAA), publicly traded corporations are required to be compliant with Sarbanes-Oxley Act, the Gramm - Leach - Bliley Act (GLBA) affects how financial institutions like banks, and retail organizations must comply with mandatory credit card company's programs requiring secure data networks.

With the rash of new laws being drafted and passed by both state and natio

While most of us have heard statistics about the financial losses surrounding identity theft, most people aren’t surprised to learn that data theft is growing at more than 650% over the past three years, according to the Computer Security Institute and the FBI. What some individuals might be surprised with thought is the growing responds by lawmakers that are carrying some very real consequences.

When the California Senate Law 1386 was passed and became effective 1 July, 2004, it was virtually unnoticed by the press or companies doing business in the state, remaining an obscure law in October of 2004 when Georgia-based ChoicePoint, Inc. internally identified that their data network had been compromised.

Almost four months went by from the time ChoicePoint, Inc. recognized that their network had been compromised and the announcement of the breach. During that time, ChoicePoint Inc. executives had decided it was best to attempt to isolate the degree of damage before approaching their customers with the news that their personal identities had been stolen.

ChoicePoint, Inc eventually estimated the number of people, whose personal data had been compromised, at 145,000. The incident might have gone by completely undiscovered if ChoicePoint, Inc. had not contacted the local police at the initial detection of the security violation.

By neglecting to rapidly informing it’s customers of the potential misuse of their consumer identities due to a breach in their network security, ChoicePoint, Inc. violated the California Senate Bill 1386. When it was finally announced in February of 2005 that their data network was compromised, no one knew of the legal firestorm it would produce with legislators all over the country.

Law Makers Reply to Data Loss

Out of the 145,000 individuals believed to have lost their personal identification, only 35,000 California citizens were initially notified because the California law only required notification of California residence. As news spread, outraged politicians threw out the country pressured ChoicePoint, Inc. to disclose the extent of the network breach to all affected individuals and then began drafting bills that would fill the gaps for their constituents.

While individual laws vary from state to state, approximately 15 states at the time of this writing, including New York, Illinois, Connecticut and Florida, have passed bills that require businesses to notify customers of a network breach that could result in the loss of personal identity. While state legislators are passing notification laws, U.S. Senators Patrick Leahy and Arlen Spector have introduced the “Personal Data Privacy and Security Act” to address compromised data networks with some proposed bills going as far as to require a national registry.

With the passage of these laws, businesses that maintain consumer information, which has been defined by most states as social security number, drivers license numbers, state id numbers, credit and debit card numbers, and account numbers (bank, checking, saving, etc.), are being forced to assume responsibility of the consumer data they maintain and are being penalized with fines if they do not.

Over the last few years, American businesses have begun to get use to the idea of mandatory compliancy programs, the health care industry has Health Insurance Portability and Accountability Act (HIPAA), publicly traded corporations are required to be compliant with Sarbanes-Oxley Act, the Gramm - Leach - Bliley Act (GLBA) affects how financial institutions like banks, and retail organizations must comply with mandatory credit card company's programs requiring secure data networks.

With the rash of new laws being drafted and passed by both state and nation

ime ChoicePoint, Inc. recognized that their network had been compromised and the announcement of the breach. During that time, ChoicePoint Inc. executives had decided it was best to attempt to isolate the degree of damage before approaching their customers with the news that their personal identities had been stolen.

ChoicePoint, Inc eventually estimated the number of people, whose personal data had been compromised, at 145,000. The incident might have gone by completely undiscovered if ChoicePoint, Inc. had not contacted the local police at the initial detection of the security violation.

By neglecting to rapidly informing it’s customers of the potential misuse of their consumer identities due to a breach in their network security, ChoicePoint, Inc. violated the California Senate Bill 1386. When it was finally announced in February of 2005 that their data network was compromised, no one knew of the legal firestorm it would produce with legislators all over the country.

Law Makers Reply to Data Loss

Out of the 145,000 individuals believed to have lost their personal identification, only 35,000 California citizens were initially notified because the California law only required notification of California residence. As news spread, outraged politicians threw out the country pressured ChoicePoint, Inc. to disclose the extent of the network breach to all affected individuals and then began drafting bills that would fill the gaps for their constituents.

While individual laws vary from state to state, approximately 15 states at the time of this writing, including New York, Illinois, Connecticut and Florida, have passed bills that require businesses to notify customers of a network breach that could result in the loss of personal identity. While state legislators are passing notification laws, U.S. Senators Patrick Leahy and Arlen Spector have introduced the “Personal Data Privacy and Security Act” to address compromised data networks with some proposed bills going as far as to require a national registry.

With the passage of these laws, businesses that maintain consumer information, which has been defined by most states as social security number, drivers license numbers, state id numbers, credit and debit card numbers, and account numbers (bank, checking, saving, etc.), are being forced to assume responsibility of the consumer data they maintain and are being penalized with fines if they do not.

Over the last few years, American businesses have begun to get use to the idea of mandatory compliancy programs, the health care industry has Health Insurance Portability and Accountability Act (HIPAA), publicly traded corporations are required to be compliant with Sarbanes-Oxley Act, the Gramm - Leach - Bliley Act (GLBA) affects how financial institutions like banks, and retail organizations must comply with mandatory credit card company's programs requiring secure data networks.

With the rash of new laws being drafted and passed by both state and natio

Point, Inc. violated the California Senate Bill 1386. When it was finally announced in February of 2005 that their data network was compromised, no one knew of the legal firestorm it would produce with legislators all over the country.

Law Makers Reply to Data Loss

Out of the 145,000 individuals believed to have lost their personal identification, only 35,000 California citizens were initially notified because the California law only required notification of California residence. As news spread, outraged politicians threw out the country pressured ChoicePoint, Inc. to disclose the extent of the network breach to all affected individuals and then began drafting bills that would fill the gaps for their constituents.

While individual laws vary from state to state, approximately 15 states at the time of this writing, including New York, Illinois, Connecticut and Florida, have passed bills that require businesses to notify customers of a network breach that could result in the loss of personal identity. While state legislators are passing notification laws, U.S. Senators Patrick Leahy and Arlen Spector have introduced the “Personal Data Privacy and Security Act” to address compromised data networks with some proposed bills going as far as to require a national registry.

With the passage of these laws, businesses that maintain consumer information, which has been defined by most states as social security number, drivers license numbers, state id numbers, credit and debit card numbers, and account numbers (bank, checking, saving, etc.), are being forced to assume responsibility of the consumer data they maintain and are being penalized with fines if they do not.

Over the last few years, American businesses have begun to get use to the idea of mandatory compliancy programs, the health care industry has Health Insurance Portability and Accountability Act (HIPAA), publicly traded corporations are required to be compliant with Sarbanes-Oxley Act, the Gramm - Leach - Bliley Act (GLBA) affects how financial institutions like banks, and retail organizations must comply with mandatory credit card company's programs requiring secure data networks.

With the rash of new laws being drafted and passed by both state and natio

ual laws vary from state to state, approximately 15 states at the time of this writing, including New York, Illinois, Connecticut and Florida, have passed bills that require businesses to notify customers of a network breach that could result in the loss of personal identity. While state legislators are passing notification laws, U.S. Senators Patrick Leahy and Arlen Spector have introduced the “Personal Data Privacy and Security Act” to address compromised data networks with some proposed bills going as far as to require a national registry.

With the passage of these laws, businesses that maintain consumer information, which has been defined by most states as social security number, drivers license numbers, state id numbers, credit and debit card numbers, and account numbers (bank, checking, saving, etc.), are being forced to assume responsibility of the consumer data they maintain and are being penalized with fines if they do not.

Over the last few years, American businesses have begun to get use to the idea of mandatory compliancy programs, the health care industry has Health Insurance Portability and Accountability Act (HIPAA), publicly traded corporations are required to be compliant with Sarbanes-Oxley Act, the Gramm - Leach - Bliley Act (GLBA) affects how financial institutions like banks, and retail organizations must comply with mandatory credit card company's programs requiring secure data networks.

With the rash of new laws being drafted and passed by both state and natio

d numbers, and account numbers (bank, checking, saving, etc.), are being forced to assume responsibility of the consumer data they maintain and are being penalized with fines if they do not.

Over the last few years, American businesses have begun to get use to the idea of mandatory compliancy programs, the health care industry has Health Insurance Portability and Accountability Act (HIPAA), publicly traded corporations are required to be compliant with Sarbanes-Oxley Act, the Gramm - Leach - Bliley Act (GLBA) affects how financial institutions like banks, and retail organizations must comply with mandatory credit card company's programs requiring secure data networks.

With the rash of new laws being drafted and passed by both state and national legislators, businesses will be compelled to implement best practices for their data network security to protect their consumers data. Company’s now have the choice of either securing their networks or face embarrassment, and negative press associated with insecure data networks. Even worst, if companies do not publicly disclose security breach’s to their customers, they run the risk of being held liable for civil damages or can face class action lawsuits.

Window of Opportunity for Companies in States with Pending Laws

Company’s that exist in states with pending laws have a window of opportunity to tighten up their network security before they become open to potential liability and lawsuits. This window of opportunity is an excellent time to educate employees of the laws concerning network security, and implement security controls in their network that will make them compliant with their respective state law.

Listed are five major steps that organizations should take to keep nonpublic information private outlining how organizations can establish and enforce information-security policies that will help them comply with these privacy regulations.

Step 1: Identify and prioritize consumer information

The majority of businesses have never addressed how to protect consumer information. By categorizing the types of information by value and level confidentiality, businesses can prioritize what data to secure first.

Step 2: Study the internal flow of information and perform risk analysis

It's critical for a business to understand how information flows within the company to see how confidential information flows around an organization. Identifying the major business processes that involve confidential information is a straightforward exercise, but determining the risk of leakage requires a more in-depth examination. Organizations need to ask themselves the following questions of each major business process:

Which employees have access to the information?

How is the information created, modified, processed, and distributed by employees?

What is the workflow of consumer information?

Are there gaps between stated policies/procedures and actual workflow?

By analyzing information flows with these questions in mind, companies can quickly identify vulnerabilities in their handling of sensitive information.

Step 3: Determine appropriate access, usage and information-distribution policies

Based on the risk analysis, a business can quickly design policies for various types of consumer information. These policies govern who can access, use or receive which type of content and when, as well as oversee enforcement actions for violations of those policies.

The access to consumer information through out the data network should be secured to reflect the workflow threw the us