Consumer data protection faces legal, tech hurdles
Experts agree that much work needs to be done by lawmakers and technology providers to foster an online environment in which consumer data is better defended from cyber-crime and misuse
BOSTON -- Lawmakers and technology providers concede that they must create stronger mechanisms to improve protection of electronic consumer records, but claim that members of private industry must aid in the effort if those plans are to succeed.
At the ongoing Authentication and Online Trust Alliance (AOTA) Summit 2007, being held here April 18-19, experts from both communities cited shortcomings in their abilities to prevent online attacks aimed at stealing consumer data.
Although laws and technology products have undergone significant makeovers in recent years to boost security for end-users, the situation remains a serious problem for everyone from consumers to the government, according to presenters at the conference.
Massachusetts Attorney General Martha Coakley echoed sentiments expressed previously by other federal officials, including Department of Homeland Security cyber-crime czar Greg Garcia, in calling for a stronger partnership between private industry and the public sector to help improve the current problem of widespread consumer data exposure.
"As someone charged with protecting the interests of consumers, I urge everyone to look at the need for internal policing, for businesses to look at your obligation for security in the first instance to ensure integrity," Coakley said. "There's a need for a partnership that requires communication between the private and public sector to make sure that we can understand the problem and what we should be doing to protect consumers. Lawmakers can't do that alone."
Coakley said that her office is still struggling to understand all the dynamics of the consumer data theft issue, in particular all the elements of information technology's impact on issues of privacy and security. The official pledged that she is working hard to get up to speed quickly.
The Mass. AG is currently leading a criminal investigation into the highly publicized data incident experienced by discount retailer TJX Companies, which has its headquarters in the state. Since the incident was first detailed publicly in Jan. 2007, TJX has admitted that hackers broke into its IT systems over a period of several years and made off with over 45.6 million consumer records, the largest such data breach ever reported.
Although after-the-fact analysis of the data theft proves helpful to lawmakers and police in understanding the problems facing both businesses and consumers, private industry should also study the TJX situation and move quickly to improve security to thwart criminal attacks, Coakley said.
"Ultimately it's in the interest of people in industry to ensure that this doesn't go so far that state AGs and federal lawmakers decide to prosecute," Coakley said. "This dialogue has to start today about keeping confidential data safe and making sure that when there is a breach, consumers are notified as soon as possible."
There has been significant debate among lawmakers and members of private industry over the creation of federal legislation that establishes stricter security requirements for companies collecting sensitive consumer data -- with a number of high-profile bills currently under consideration on Capitol Hill.
The AG said, however, that federal officials have moved too slowly, and should not pass any law that robs individual states of the power to implement their own regulations.









