Bent out of shape about all the data breaches exposing personal information? Tell us about it.

Having worked for and with many Fortune 500 companies, including numerous IT and Business outsourcers, I would include the following:
1) If the data was not stored in encrypted format, then a $1000 fine per individual whose information was stolen, and consumers may sue the company for damages if they can trace their identity fraud back to the theft of data from the company.
2) If the data was encrypted, then the company must provide one year of identity theft protection to those affected at no cost to the consumer.
3) If fewer than 1000 individuals are affected, notification in writing is required.
4) If more than 1000 individuals are affected, notification in writing and notification in newspapers, on radio, and on TV are also required.
5) A yearly security audit by an outside auditing firm to verify security methods for data storage for all publicly traded companies and any private company doing work for them. This includes companies based outside the US who are handling US personal information.
6) All personal information data thefts must be reported within 48 hours of detection to law enforcement, and consumers must be notified in writing within 10 business days. If the media announcement section is triggered, then newspaper, radio, and TV advertisements must be run within 5 business days.
7) Federal law does not supersede state laws which provide greater protection or invoke higher penalties.
The only way to truly fix these IT-related problems is to establish a GAAP-like set of IT practices and provide for CPA-like certification of those in the IT industry. Call it GAITP for Generally Accepted IT Practices and CPITP for Certified Public IT Principles. This will allow for more consistent IT policies and practices across Corporate America and provide a means for allowing IT Managers and Executives to stand up to the Business Executives without fear of reprisal for doing what they know to be right. The voluntary ISO and BSA frameworks are a good start, but we need to complete the transformation of IT into a profession governed by a professional association.