January 31, 2006

Numerous breaches in customer data security in 2005 have fueled calls for federal legislation that could lead to onerous security demands on financial institutions that hold consumer information. Even if legislators show restraint in demanding new controls, it's time for banks to create C-level security positions, experts suggest.

Thus far, congressional committees have proposed at least six bills that call for corporate accountability for data privacy and security programs, but there's controversy over how to define and enforce such a mandate. "The government must assess the risk associated with certain data types so companies aren't notifying consumers every time a breach of even noncritical data occurs," asserts Jerry Cerasale of the Direct Marketing Association (DMA), a New York-based trade association representing more than 5,200 direct, database and interactive marketers.

Cerasale warns that institutions will face enormous costs if forced to build departments and systems for detecting and reporting breaches. More troubling to some is a bill proposed by Senators Arlen Specter (R-Pa.) and Patrick Leahy (D-Vt.) that calls for data brokers to give consumers a chance to "access and correct" their information. "That would open up an entirely different avenue for identity thieves," says Cerasale.

Fred Cohen, a principal analyst at Burton Group (Midvale, Utah), says enterprises should consider creating new positions or morphing existing ones to prepare for such legislation. "The position of a chief information security officer (CISO) exists at many large firms, but it has not been a C-level position," says Cohen. "The CISO will have to be a position right up there with the CEO, CFO and CIO." --Susana Schwartz, Intelligent Enterprise

Courtesy of Intelligent Enterprise, a CMP Media property.
