It’s a disappointing day for the security information professionals. When a man elected by the people sides with business concerns, we all lose. According to http://idtheftcenter.org/workplace_facts.html claims “One study said that identity theft cost U.S. businesses and consumers $56.6 billion in 2005” and “According to the U.S.  Department of Justice Statistics, identity theft is now passing up drug trafficking as the number one crime in the nation”.

On October 5^th, 2008 I read a report from SANS that detailed how California Governor Arnold Schwarzenegger vetoed the Consumer Data Protection Act again on October the 2^nd. His comments regarding his reasoning included "by requiring notification even where no information was obtained improperly, this bill would likely result in significant costs to businesses and to the state."

Identity theft is life changing. Imagine for a moment, opening your credit card bills one month and seeing that all the interest rates raised to 24%, and the payments doubling. If you are trying to finance a home, forget about it because your ratio will change significantly, and your credit rating will be in the toilet. After you pull a credit report, you realize someone has opened a credit card account in your name, charged $20K, and to boot, they are late on the payment! Correction, YOU are late on the payment! That is why all of your credit card companies have revised their terms with you. Even if you get the card company convinced it wasn’t you and the charges are removed from your credit file, you are responsible for the increased payments on all the other cards, and getting the terms revised, well, ask anyone who is in that position, you can pretty much forget it.

Three months later, you’re considering bankruptcy, you’re savings account depleted, and you are considering cashing out your 401K to pay off the credit cards. You have no budget because you can’t meet the payments as they are. Now all it takes is a car repair, an increase in gas price, well, you get the picture. The most the “company” responsible is going to offer you is a free credit report.

According to http://ag.ca.gov/idtheft/ there were 45,175 victims reported from California in 2005. This will increase. As a security specialist I have a few observations. Businesses as a rule are lazy, doing only what they have to. (This is not a reflection of any company I have worked for who hired me to improve their security.) If only the businesses treated the personal information like how they HAVE to treat VISA credit card information (That still doesn’t mean they will, case in point TJX), we would be much better off. The credit card industry has come together and produced a simple list of requirements; (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml), the first of which is “Build and Maintain a Secure Network”. Wait, you mean this is a requirement? Wouldn’t you think that is a given? Don’t fool yourself. If you have ever found a company that took credit cards but doesn’t take VISA credit, think again about doing business with them because most likely they can’t (or won’t ) meet these simple standards.

Unless business HAS to meet certain standards (AND IS AUDITED BY A THIRD PARTY), your data is in jeopardy. You would be very surprised what I have seen as a security professional.

So back to Arnold. He is in a position to make change to affect people’s lives, not only in California, but possibly worldwide. Many states follow California, and let’s face it, many countries follow the US. I have always seen Arnold as the underdog, man against the bad world. My favorite movie of all time is Total Recall, where he saves the planet Mars. If I could speak to him, I would only say I wished you could see the blatant disregard of personal data I have seen, not with the companies I was/am with, but the companies they do business with, and shared information from other security professionals.

Laws don’t fix everything, but they do cause change. It would be a shame to think that every company would have to make the headlines before they made the changes required to secure personal information. Without laws, this is what will happen. Meanwhile, your information is not only in your state, but in every home office of every company you do business with. A little multiplication, and the 45K people for just one state for one year, now think of the odds of your information being exposed. If you do business on the Internet, use a credit card in a restaurant or retailer, your odds are not good. Someone will use that card, your information, or otherwise get at the data because of the fact there are weak controls, or for the smaller companies, no controls in place since they won’t fall under any of the other control standards such as SOX, HIPPA, or PCI. That's where a law comes in to play. It gives security professionals like myself the grease to make internal changes.

Arnold, you have shown us that the sword is mightier than the pen.