Corporate Security Accountability – Not Just For Californians Anymore

Here in the United States trends tend to start on the coasts and make their way inward.  It looks like data privacy and security is another movement following the same pattern.  Today I saw this article referenced on Slashdot.  For the past three years California Senate Bill 1386 (SB-1386) has mandated that companies who have a security breach resulting in a loss of customers’ personal information inform those customers of the loss so that they can take steps to prevent identity theft.  Now there is a law being developed at the Federal level: the Data Accountability and Trust Act (DATA).

These laws are a response to the huge impact identity theft has had over the past couple of years (FTC estimates are $6B cost to consumers, $58B cost to businesses).  As the threat from identity theft grew, businesses did not take strong enough measures to detect and prevent it.  Now the government has stepped in and mandated specific measures and penalties such as ongoing FTC audits.  As a business owner I hate to see new laws and restrictions put in place, but as a consumer it is good to know that someone in Washington is actually taking some time to look out for the little guy.

Laws like this make it even more crucial for organizations to take security into account when designing and developing applications.  The first question to ask is: “What information do we need to collect?”  If you don’t collect someone’s social security number, driver’s license number or date of birth, then it gets a lot harder to lose that information to identity thieves.  This seems simple, but I still see things as irrelevant as sign-in forms asking for information such as this.

Organizations also need to look at encrypting data both when it is in motion and when it is at rest.  Most applications are pretty good at encrypting data in transit via HTTPS, but far too many application designers get too excited about the so-called “military-grade” encryption protecting data moving to and from the server, and forget that HTTPS doesn’t make an application secure – it makes specific data transmissions reasonably secure.  Data also needs to be protected when it is at rest in databases and other data stores, where a stolen backup or a copied database file exposes every record at once.  Now that the RSA patents have expired, export restrictions have been relaxed and every respectable enterprise development platform has built-in encryption routines, the arguments against incorporating strong encryption for the storage of application data have really evaporated.
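To make the at-rest point concrete, here is an added example (mine, not code from the original post or from Denim Group) of encrypting a single sensitive column value, such as a social security number, before it is written to a data store, using the AES-GCM routines in Go's standard library.  The `FieldCipher` type, the use of the record id as associated data, and the hard-coded demo key are assumptions made for illustration; a real deployment loads the key from a key management service or HSM, never from source code or the same database the ciphertext lives in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher is a hypothetical helper for this post (not Denim Group code).
// It wraps one AES-GCM key and encrypts individual sensitive column values
// so that a copied database file or backup does not expose them in clear.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher builds a cipher from a 16-, 24- or 32-byte AES key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one column value for the given record. A fresh random nonce
// is generated per value and stored in front of the ciphertext. The record id
// is bound in as associated data, so a ciphertext copied from one row to
// another row fails authentication instead of decrypting silently.
func (f *FieldCipher) Seal(recordID string, plaintext []byte) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a stored column value for the given record. Any tampering
// with the ciphertext, or a mismatched record id, returns an error.
func (f *FieldCipher) Open(recordID string, stored string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := f.aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	return f.aead.Open(nil, ct[:ns], ct[ns:], []byte(recordID))
}

func main() {
	// Demo key constructed for this example only; never hard-code keys in real code.
	key := []byte("0123456789abcdef0123456789abcdef")
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample value: a made-up SSN for a made-up customer record.
	stored, err := fc.Seal("cust-42", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored column value:", stored)

	pt, err := fc.Open("cust-42", stored)
	fmt.Println("decrypted for cust-42:", string(pt), err)

	// The same ciphertext read back under a different record id is rejected.
	_, err = fc.Open("cust-43", stored)
	fmt.Println("same ciphertext read for cust-43:", err)
}
```

The design choice worth noting is that encryption at rest protects against the loss of the data store itself; it does nothing for a request that reads the field through the application's own legitimate code path, so it complements rather than replaces the "do we need to collect this at all?" question above.  Key management is the part that takes real effort: rotating keys, keeping them out of the database they protect, and limiting which services can ask for a decryption.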

Laws such as DATA are a strong mandate for organizations to develop secure software.  As the liability pendulum swings back from consumers to the organizations they deal with, hopefully security will start getting the attention it deserves.  Keep watching this space for more discussion about what organizations can do to help prevent the loss of customer data.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
