Magazine article Information Today

What's Next: Protecting Data

Article excerpt

The ChoicePoint data breach, lost data tapes from a few different companies, more phishing, and increases in the reports of actual and attempted identity theft in 2005 prompted movement in technologies, corporate policies, and legislation to better protect data, particularly that containing customer information. By the end of 2005, many of those trends were still in process, so Information Today asked some technology and legal experts about their predictions for developments in 2006.

Lynne Barr, partner, Goodwin Procter LLP, Boston: On the legislative horizon, Barr and most of the other experts interviewed predicted the passage of comprehensive federal privacy/data protection/data breach notification legislation that will supersede the laws already enacted by more than 20 state legislatures. The different state laws are such a patchwork of rules covering what must be done in the event of an actual or suspected data breach that a single rule is needed, Barr said.

Barr also expected companies that keep customer information to start using more dual factor authentication. Banks were "strongly urged" to do this by regulators in that industry in mid-October. Dual factor authentication uses a combination of something one knows (e.g., a password) and something one has (e.g., a physical token).

Al Decker, executive director of enterprise risk management, Electronic Data Systems Corp., Plano, Texas: Decker said that data protection laws will probably be influenced by the industry laws, such as the Payment Card Industry (PCI) standard, that are starting to emerge.

The PCI standard requires banks, online merchants, and member service providers to protect cardholder information by adhering to a set of security standards. The PCI standard includes MasterCard's Site Data Protection program and Visa's Cardholder Information Security Program.

Decker also expects a continued emphasis on technologies designed to help companies manage content, particularly technologies that help analyze outbound content. The year will also bring greater emphasis on risk management throughout organizations and tools to assess those risks, including the loss of company data and any associated loss of reputation.

Randy Gainer, partner, Davis Wright Tremaine LLP, Seattle: Data breach liability will be further defined as cases currently in the courts move forward. Gainer also expected further certification of security professionals, as well as increased discussion about the legality of and proper uses of data mining by the federal government. Data aggregation and the companies that provide these services will also come under greater scrutiny in 2006, according to Gainer.

Kristin Lovejoy, CTO, Consul Risk Management, Herndon, Va. (U.S. headquarters): The expected federal legislation will better define what is and isn't a breach as well as what does and doesn't require protection.

Similarly, identity management technologies will improve with better use of those that already exist. One way to better protect information is to limit who has access to it, but that philosophy has limitations in practical application. Organizations can't restrict data access too much or it limits employees' ability to do their jobs. Salesmen in certain industries may have legitimate needs for sensitive customer information to close sales. But use of that information outside of that context could result in a security breach. Off-the-shelf software isn't good enough to handle these special data rights management needs. So, many of the companies that have purchased such software have failed to implement it.

Data needs to be managed in a simpler, more effective way within an organization, according to Lovejoy. So she expected to see appropriate technologies evolve more in 2006.

Some of today's monitoring technologies are too cumbersome because they fail to provide easy-to-understand reports of who within an organization is doing what with what data. …
