Friday, October 26, 2007

The Governator flexes for privacy!

Well, you can’t accuse Arnold Schwarzenegger of doing nothing about protecting citizens and stopping data breaches.

While the California governor has come under fire for vetoing a bill that would have required businesses to better protect customer information, he did sign another bill mandating that California government agencies truncate taxpayers’ Social Security numbers so that no more than four digits are displayed publicly. He also signed a third bill requiring that consumers’ “personal health records” comply with the state’s existing medical privacy laws, and that consumers be notified when their medical or health insurance information has been lost, exposed, or stolen.

Say what you will about his failure to sign all three bills, the truth is that Governor Schwarzenegger took a step in the right direction. While California law will not be as stringent as Minnesota’s when it comes to mandating that businesses protect customer data, or suffer the consequences, it is more protective than before.

Which raises a simple question: why should we need such laws before we act?

No, I haven’t been drinking too much Kool-Aid; this is a relatively elementary matter. It’s something all businesses should consider. For instance, if you’re keeping personal information about your employees or customers, shouldn’t you be keeping their Social Security or credit card numbers under lock and key? Shouldn’t those numbers be encrypted? Shouldn’t you have plans and procedures in place to carefully regulate who has access to that information and how and when they can do so?

And before you tell me, “it’s going to cost too much money to do that,” consider how much it’s costing TJX to settle the data breach cases filed against it. Maybe it’s just me, but I don’t think there are that many companies that can afford to spend $200 million, when they could have spent a small fraction of that making their systems more secure, which is something they should have been doing in the first place.

Realistically, you should be looking at the steps your company is taking to control the data that’s under your responsibility: ask yourself, “What policies do we have to ensure that people who shouldn’t see this data don’t see it? What have we done to restrict access to the information? And how do we prevent unauthorized access if somehow the information makes it off our network, either through email, USB drives, or even if we’re hacked?”

‘Cause if you don’t do it, please rest assured that there are lawyers somewhere who will be more than happy to ask a jury those very same questions. And in this era, you may not like the answers they deliver.

Yeah, the Governator did the right thing in signing the bills. Companies need to do the right thing by their customers as well, and not wait to act until they’re forced to do so.
