NCS: Publications for
SecurityFocus - a world leader in Internet security
12/7/2005
A “Perfect Storm”: Concerns Over Online Fraud Leading to More Government Action
Chancellor W. New, Founder & CSO
Have you ever seen that movie, "The Perfect Storm," starring George Clooney?
Based on a true story, it highlights the fateful journey of a fishing boat crew
that tried to ride out a major storm in the Atlantic Ocean, eventually
succumbing to waves the size of skyscrapers. As portrayed in the movie, sadly,
the tragedy may have been avoided had the crew heeded warnings about the storm
or turned the ship in the right direction as the "perfect storm" was being
unleashed.
Well, I can't help but think of this movie when I look at the past year of
wide-scale breach notifications, increases in online fraud and account hijacking,
and the seemingly endless stream of online threats, including ongoing challenges
such as phishing and pharming. Why? Because I sincerely believe that there is a
"perfect storm" brewing that will result in additional regulation of private
industry in order to address the data breaches and attacks that expose
personally identifiable information.
As of today, 22 U.S. states have passed breach notification bills (including the
State of California, which passed the first in the nation). The U.S. Congress is
considering a dozen proposals in the House and Senate around breach
notification; dozens of states have passed spyware legislation and Congress is
moving forward with its own legislation as well; states are starting to pass
anti-phishing legislation; and a major committee in the U.S. House of
Representatives is considering a broader privacy bill for introduction in 2006.
Various government regulatory agencies are also taking action. For example, the
Federal Trade Commission is going after companies that have failed to prevent
data security and privacy breaches under current law by ruling these failures as
an unfair practice. The financial services sector, already heavily regulated,
now has to comply with specific guidance from the Federal Financial Institutions
Examination Council (FFIEC). The FFIEC is made up of five regulatory agencies
that oversee the banking industry, and they have recommended security measures
to reliably authenticate customers who are remotely accessing their
Internet-based financial accounts (as covered in a previous blog entry).
What does this all mean? Well, it gets back to my initial analogy about a
"perfect storm" emerging. There is so much activity in this space that it is
hard to track all of it. Just when you think you have it all figured out, a new
state bill emerges or another Committee in the U.S. Congress decides that it
also has jurisdiction over this issue. Then, a regulatory agency issues new
guidance to prevent account hijacking; then, the same agency decides to issue
more guidance to combat spyware, or initiates a specific legal action because an
organization that was responsible for protecting customer data did little or
nothing to prevent the breach in the first place. And I am a person who tracks
these regulatory developments as part of his living! I pity the CEO or CFO who
has to keep track of all this stuff while continuing to steer his or her company
through Sarbanes-Oxley compliance (whoops, another law that we have to worry
about in this space...).
What senior executives at companies have to be cognizant of at this point, as
well, is that this "storm" won't be going away any time soon. They can't ride it
out with the hope that they will emerge from the wave of regulation unscathed
and untouched. That's wishful thinking -- and the bottom line is that, with all
of the legislation that is being considered in this space, there will no doubt
be unintended consequences (whoops, I again inadvertently reference
Sarbanes-Oxley).
So, if you are a CEO in America, I would encourage you not to choose the same
path as the George Clooney character in the film. Don't think that you can
ignore the warnings and signs that change is coming quickly because you think
that you can "ride out the storm."