
Wednesday, May 5, 2010

The States Take Action: Washington Becomes the 5th State to Give Data Privacy Some Legislative Teeth

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

In 2005, California’s Assembly Bill 1950 (AB 1950) became active, requiring a business that owns personal information about a California resident to “implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.”  Since then, this law has been used as a basis for private and class action lawsuits and, it would seem, a model for other states’ legislation.

Similar legislation has been passed in other states, including Massachusetts, Minnesota, Nevada and, most recently, Washington state.  HB 1149, which takes effect on July 1, 2010, provides issuing banks a legal mechanism to collect the costs to reissue payment cards after a payment card security breach.  While there is no explicit requirement for organizations to take reasonable care to avoid a breach, companies that fail to do so may be liable to pay for re-issuance costs after a breach.

Of all these laws, the Massachusetts law is regarded as the most comprehensive and, not surprisingly, its implementation has been delayed many times; currently, the deadline for compliance with Mass. 201 CMR 17 has been extended to May 1.  The law explicitly calls for organizations to discover and protect sensitive data, a requirement absent from the other laws being passed, and it will no doubt become a template for similar legislation elsewhere.

A federal law mandating security controls is missing, but it’s worth noting that in the case of a large-scale security breach, the FTC has taken action by claiming that organizations have engaged in “unfair practices” in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).  The FTC said it was unfair for the company, TJX, to collect private credit card information from consumers and fail to use adequate security procedures to protect it.  As a result of the FTC’s action, TJX must obtain audits by independent third-party security professionals every other year for 20 years.  The FTC has not, however, clearly defined “adequate security,” but it is fair to assume that PCI DSS forms a framework against which an organization can be measured.

With different states mandating various forms of security controls on storing sensitive information, organizations will obviously be required to comply with multiple sets of “reasonable security” requirements, one for each state where they have customers, which will be both confusing and expensive.  The focus will center on one set of security controls and, love it or hate it, PCI DSS is undoubtedly the framework being looked to for that role.

What becomes an interesting part of this debate is whether or not this is the right direction for the United States to be taking for credit card security.  Elsewhere in the world, the focus has been on increasing the security of credit cards by introducing smart cards and requiring secondary authentication for online banking.  Half the world’s credit card transactions occur in the U.S., and while smart cards do not reduce card fraud, it’s a step in the right direction to introduce security into payment systems that were never really designed with security in mind.

As we struggle to get companies to introduce more effective controls around the storage and transmission of personal data, the question becomes: should we also be focusing on strengthening the processes that use that data, so that it cannot be used without additional authentication?  It is likely that banking regulators will revise their guidelines and start to issue stricter guidance, which in turn will prompt banks to offer better authentication mechanisms to protect consumers.  But that needs to follow through to online merchants and the login behind credit card transactions, because let’s face it, the entire process seems to be quite broken.