Rising Public Anxiety About Identity Theft
On April 5, 2002, hackers exploited vulnerabilities in a server holding a database of personnel information on California's 265,000 state employees. The victims included then-Governor Gray Davis and 120 state legislators. The security breach at California's Stephen P. Teale Data Center in Rancho Cordova compromised names, Social Security numbers, and payroll information. Public outrage soon followed the May 24, 2002 public disclosure of the breach: for almost two months, the State had failed to discover the breach in a timely fashion and to tell the affected employees.
The fallout from the public clamoring for legislative protection, likely bolstered by the personal impact on state legislators, led to the enactment of a new type of law. California's legislature enacted a security breach notification law known as SB 1386. As described in more detail in the next section, SB 1386 requires businesses to notify California residents of a breach in the security of certain kinds of personal information.
Over time, the Teale Data Center breach has proven to be only the first of many publicly announced high-profile security breaches of personal information. The latest wave of notices started in February 2005 with the announcement from information broker ChoicePoint.
ChoicePoint sold personal information to identity thieves posing as legitimate customers of its information services.
The ChoicePoint breaches, and similar breaches affecting LexisNexis, involved imposters using a "social engineering" attack to obtain legitimate credentials to access databases. Other recent incidents arose from the physical loss of backup tapes holding customer information.1 Other breaches, however, have involved hackers gaining unauthorized access to applications and information.
The increasing frequency of announcements of high-profile security breaches is likely the result of SB 1386 and similar laws requiring companies to notify customers when their private information is compromised. Companies experiencing and announcing these breaches may have a direct reporting requirement under SB 1386. They may also have disclosed breaches, as in the case of ChoicePoint, because they felt or anticipated pressure from state attorneys general to disclose breaches to affected residents of their states, even in the absence of breach notification legislation.
1 Companies announcing the loss of backup tapes in 2005 include Bank of America, Ameritrade, and CitiFinancial.
As with the Teale Data Center announcement in California, the result of these increasingly frequent security breach announcements has been nationwide demand (and legislator sympathy) for new laws to protect the public. Legislatures have enacted breach notification laws in almost 20 states, and more than ten other state legislatures are considering them. At the federal level, a number of competing breach notification bills have been introduced.
The impact of public outrage may extend far beyond legislative action, though. Companies experiencing breaches face hefty costs in responding to them, such as investigation costs, remediation, and legal fees. Less easy to measure, but a real concern for the bottom line, is the loss of reputation from a breach. Some customers may not want to do business with companies they perceive as having careless security practices. The loss of revenue from these customers will affect the company's health. In the case of CardSystems, the loss of Visa and Amex as customers may well drive the company into bankruptcy. Finally, public anger sometimes turns to lawsuits, as shown by the class action complaints filed against ChoicePoint and CardSystems. The cost of lawsuits in legal fees, along with the associated disruption to the business, will be significant for these companies.
The California Legislature Steps In
Throughout recent decades, California has proven to be at the forefront of many trends in the law. The areas of privacy and identity theft are prominent examples. Following the incident at the Teale Data Center, the California legislature enacted SB 1386, and then-Governor Gray Davis signed the bill in September 2002. SB 1386 became effective on July 1, 2003 and was the first significant breach notification law in the country. In 2005, following ChoicePoint and other highly publicized security breaches, SB 1386 became the inspiration for almost 20 other state laws and federal bills.