Law raising stakes for security of data

The question of computer security is likely to become a lot more serious both legally and financially in coming months as lawmakers and lawyers alike focus on the issue.

A new California law dramatically increases the responsibilities and potential liabilities for companies that fail to protect their data, and it's likely to be the opening shot in a battle over business responsibilities for their networks, says Ira Victor, a Reno-based specialist in data security.

"This is the bad guy lurking around in the alley waiting to club someone over the head," Victor said a few days ago.

Victor will speak to non-technical managers about security issues this week at a seminar sponsored by Northern Nevada Business Weekly, IQ Systems and Advanced Force.

The legal issues around security, he said, arise from the frustration consumers feel when they're victims of identity theft.

Lawmakers and plaintiffs' attorneys alike are paying attention.

The new California law, the Security Breach Information Act, requires companies to notify their customers in writing when sensitive information on business computers has been breached.

In some cases, a public relations campaign also is required.

The state law also affects companies that do business in California (a Reno-based distributor that sells products in the Golden State, for instance), and it allows consumers to file civil actions if companies don't honor the law.

"Attorneys will be all over this," Victor said, noting that potential damages are $10,000 for each person whose privacy is violated when data is compromised.

"Companies can't afford to pay $10,000 per customer," Victor said. "That will put them out of business."

A similar law has been introduced in the U.S. Senate.

Court cases, meanwhile, are beginning to look at whether companies that fail to provide adequate security should be required to pay damages for contributory negligence.

Victor said a noteworthy case is that of British Airways.

Hackers took over a piece of the airline's network and used it for illegal purposes, including the distribution of child pornography.

The question now is whether British Airways' security was so weak that the company bears some responsibility.

At the same time that the law is becoming more specific about the penalties for companies that fail to protect their data, hackers are becoming more skilled at exploiting weaknesses in networks.

"We're going to see a constant barrage of vulnerabilities," Victor said.

And some of those attacks strike precisely where the legal system is beginning to hold companies responsible.

The "Sobig" worm that attacked the nation's PCs late this summer, for instance, allows remote access to an entire network, exactly the sort of security breach that leaves a company exposed to civil suits.

(The web site SecurityNewsPortal.com provides current updates on hacker attacks and software patches.)

While technology will continue to improve firewalls and other defensive measures, Victor said savvy companies will pay equal attention to ensuring that their employees follow procedures that keep hackers at bay.

Much as companies today undertake fire drills and safety training, they need to begin similar procedures to develop what Victor calls "the human firewall."

"The biggest security threat to company networks are well-intentioned, but unwitting employees who open e-mail attachments, visit the wrong websites, bring a disk in from home, or download files. Employees that share passwords or aren't required to use passwords can be a treasure chest for a cyber criminal," Victor said.
