Fear of fraud is fueling a rush of new state laws intended to protect consumers. But in its path, this blazing regulatory fire may torch many financial services providers unable to keep up with all the new requirements.
“There’s 35 different states looking at privacy laws and depending on what information [lenders are] sending out, in some states that may trigger a violation of privacy laws,” worries Alfred Connizzo, chief operations officer, LandAmerica Credit Services, Norcross, Ga.
One leading area of lawmaking involves security breach notification, which centers on making lenders responsible for notifying customers when a breach (loss, compromise, theft, etc.) occurs. “It’s important to have a policy in place [explaining] what you’re going to do if there is a breach,” Connizzo counsels.
That responsibility, however, is becoming more difficult as individual states develop their own definitions of “public” versus “private” information.
“There are 35 different laws pending to define what that is,” according to Connizzo. “For some of them, ‘private’ is defined as the last name and any other piece of identifying information. [But] is that [really] private information?” he asks doubtfully. Connizzo is hoping a preemptive federal law will get rid of these changes being made by the states.
In the meantime, data breaches in the last year have exposed the personal information of more than 80 million Americans, according to the Privacy Rights Clearinghouse, a nonprofit organization that follows identity theft.
Among the most celebrated was the May 3 theft of computer disks holding the names, Social Security Numbers and other information of 26.6 million armed forces veterans.
Motivated by these occurrences, 17 states have passed “credit freeze” laws enabling consumers to prevent banks or credit agencies from issuing new accounts in their names. Businesses are opposed to such legislation because retailers, in particular, want to make it easy to buy and are willing to write off identity theft as a cost of doing business.
Focus on high-risk areas
But it is insider hacking that can be the most insidious threat to corporate security, according to Ian Lim, director of enterprise security, New Century Mortgage, Irvine, Calif., who estimates that it can emanate from “the 10 percent of those who can bypass 90 percent of a company’s protection.” Lim said, “You can’t secure everything so focus on high-risk areas. Identify, verify, analyze, prioritize and remediate.”
He elaborated: “Conduct an annual risk assessment in the third quarter of the year. Prioritize risk with your executive management and build remediation plans into departmental budgets.” Lim offered several Web sites to help companies keep up with the “current threat landscape.” Lim says breaches may come from organized crime, terrorists, hackers and “hacktivists,” the last comprised of people “trying to make a point” in their cyber-thefts.
One result of all this fraud is a heavier compliance burden for business. Peter Delano, senior analyst, investment management, TowerGroup, Needham, Mass., said the post-Enron/WorldCom climate is fanning the regulatory flames when it comes to laws like those aimed at security breaches. “All this regulation … hurts — it hurts a lot, because just as soon as you think you have [one] figured out there are others; there’s no end, it’s ongoing testing, and reporting and monitoring,” Delano complains.
He reports that half of all financial services companies have had a major increase in efforts to meet compliance regulations from 2002 to 2005, and that large firms spend 15 percent of all operating costs on compliance.