Data security officials ponder response to 'year of breaches'

Number of identities compromised this year is "north of 50 million," Commerce Department official says.

The recent spike in security breaches has made data security a new social concern across industries and within the government, privacy experts said Friday.

"It's been the year of breaches," Dan Caprio, the chief privacy officer at the Commerce Department, said at a Business for Social Responsibility conference. The number of identities that have been compromised this year is "north of 50 million," he said.

Businesses are embracing data security as a fundamental issue by pushing it to the highest levels of management. Companies like Citigroup, Hewlett-Packard and IBM have warmed to the idea of having chief privacy officers, or CPOs. The federal government has, too, with the Commerce and Homeland Security departments making such appointments.

HP views privacy as the ethical management of its customers, employees, partners and other stakeholders, company CPO Barbara Lawler said. It takes a "global citizen" approach because her office must consider conflicting local, state, federal and international privacy standards, in addition to studying the business practices of HP's units.

The privacy chief "is not always the most popular person walking in the door," she said.

In addition to more than 21 state laws in the United States on notifying consumers about security breaches, multinational businesses must comply with international laws. "I worry about Europe, Japan, Canada, Argentina," among others, where privacy standards are more stringent than in the United States, Lawler said.

And as new technologies like radio-frequency identification tags emerge, she added, the privacy officer in a firm "needs to work with emerging businesses ... to meet privacy objectives."

But with more than 50 security breaches logged in the past two years, work remains, Caprio said. While some companies have strengthened security practices, the progress "is not enough and is not fast enough," he said.

The Better Business Bureau's online arm has established standards for how to conduct business online. In order to receive a BBBOnline privacy seal, a company must meet some 20 minimum standards, said Gary Laden, director of the program.

Of the companies that apply for the seal, only one in two is approved, he noted. "We take it very seriously." BBBOnline conducts surprise audits and annual reviews to make sure businesses with its seal maintain the standards.

While business and government alike agree that privacy standards must be met, the debate surrounding federal pre-emption of competing state laws is one area of disagreement, Caprio said. He called for a federal standard on consumer notification about breaches.

Satisfying the different state laws "becomes a really difficult, complicated implementation problem," Lawler said. North Dakota has the longest list of data elements, she noted.

Businesses would rather deal with the federal government, said Evan Hendricks, editor of Privacy Times, but "we cannot get the [federal] gorilla out there to do the right thing."