Carole Longendyke, partner and director of data forensics with P.G. Lewis and Associates, shared these statistics in a talk at last month's TechnoSecurity Conference in South Carolina. Speaking about how the internet's rapid growth and its use by criminals to make money has amplified the need for knowledgeable computer forensics investigators, she asked: "How prepared is society? How prepared is business? How prepared is our legal system?"
Using the past several months as a gauge, I'd say we are far from ready. According to the Privacy Rights Clearinghouse, about 50 million people have had their personal information exposed as a result of 44 data breaches this year. And most of these were made public because of California's Database Security Breach Notification Act (also popularly referred to as Senate Bill 1386).
Unlike the law, though, digital exposure of consumers' private details is not new. As one expert at TechnoSecurity said, data breaches occurred long before SB1386 was passed – it's just that most businesses didn't report them to the public or affected individuals because no law existed that made it illegal not to.
Bunches of state bills on identity theft are pending. Federal lawmakers have none.
Last year, Senator Dianne Feinstein (D-CA) introduced privacy legislation that got nowhere. Now she is calling for congressional hearings on a proposed piece of privacy legislation, but the current bill reportedly has no co-sponsors.
Some experts argue more federal regulation is not needed. Recent data breaches' effects on consumer confidence, businesses' reputations, and corporate bottom lines can't be argued. So, the logic goes, firms will be forced to make the protection of consumer data a priority.
But corporations just aren't – despite their responsibility to protect corporate servers and backup tapes storing customers' private data. Market forces might prompt some into action, but as history has proven, others will move only after they get hit.
Federal lawmakers need to step in. Yes, it's another law to which businesses will have to conform. But given the fact that such a federal mandate will supersede the likely-to-pass legion of state laws, firms will have only one privacy law to deal with. And if luck is on corporate America's side, Congress will enlist a little foresight to ensure that an ID theft/privacy protection law will complement existing anti-spam, anti-phishing, anti-spyware and vertical industry rules, rather than duplicate requirements.
Maybe then there won't be a counterfeit Illena somewhere surfing eBay to find that '69 Corvette Stingray she's always wanted.
Illena Armstrong is the U.S. editor