
Mark MacCarthy, Senior Vice President, Public Policy
Visa USA, Inc.
Information security is an element of fair information practices, along with notice, choice and access. The Federal Trade Commission (FTC) in 2000 defined this aspect of fair information practices as the requirement that companies take reasonable steps to protect the security of the information they collect from consumers.[1] More recently, FTC Commissioner Swindle urged US companies and consumers to work together to create a culture of security.[2] He suggested that companies look to the recently updated security guidelines prepared by the Organization for Economic Cooperation and Development (OECD) to help them follow good security practices.[3] In the Spring of this year, the chair of the President's Critical Infrastructure Protection Board, Richard Clarke, emphasized the importance of information security in light of the events of September 11,[4] and proposed a national strategy to secure cyberspace.[5] Consumer groups also have encouraged individual users of the Internet to take steps to protect the security of their home computers.[6]
This paper provides a brief discussion about the importance of good security practices, the business motivations and existing regulations that promote strong computer security, and the ongoing efforts of government, the private sector and consumer advocates to encourage the adoption and implementation of security best practices by individuals and businesses.
Information security relates to the need to keep information from falling into the wrong hands. Failure to follow good security practices may lead to unauthorized uses of information, to fraud and to identity theft. In contrast, businesses collect and share information about people for a variety of appropriate reasons: improving service, decreasing costs, reducing fraud, and targeting offers of goods and services. This normal flow of information in a business context is not an example of lax security practices and does not lead to the unauthorized use and fraud associated with bad security. The policy issues relating to information security differ markedly from the policy issues relating to information sharing.
Nevertheless, issues related to information security are sometimes confused with issues related to information sharing. While many opinion polls describing the fears some consumers have regarding online commerce do not distinguish the two, the public clearly understands the difference between someone stealing information about them to engage in fraud and identity theft and the sharing of information among companies for legitimate business purposes. Consumers clearly want to be notified about information sharing and given some choice about what information businesses collect about them and how it is used.[7] But overwhelming majorities say they are much more concerned about fraudsters and others gaining unauthorized access to information about them and using it for illegal purposes.[8]
Companies seeking to do business with the public understand this fact of consumer psychology and have a strong business incentive to secure the information they obtain from their customers. But in addition to business incentives for information security, some sectors of the economy are already subject to regulatory requirements with respect to their security practices. The Financial Services Modernization Act of 1999, often referred to as Gramm-Leach-Bliley (GLB),[9] for example, requires that financial institutions ensure the security, confidentiality and integrity of personal information collected from their customers.[10] The Federal banking agencies have implemented the requirements of this statute for the traditional financial institutions under their jurisdiction.[11] The FTC promulgated similar security regulations for the remaining financial institutions under its jurisdiction.[12] This statutory security requirement and the regulations that implement it mandate that financial institutions take reasonable steps to protect the security, confidentiality and integrity of customer information, but they are largely procedural, flexible, and avoid unnecessary substantive requirements for information security systems.
Some argue that externalities to information security (consequences that are external to the individual or company) might indicate the need for some government role.[13] One person's lax security practices, for example, might allow his computer system to be used for a denial of service attack against another computer. But addressing this externality may not necessarily require government rules. It may be that raising awareness about the importance and benefits of good security practices would be sufficient to promote enhanced security practices. If so, then a combination of private sector and public sector informational, outreach and educational efforts would adequately address the problem.
A number of such efforts are already underway. The FTC has issued guidance to businesses on how to comply with its security regulations, noting that information security is not only required by law, but also makes good business sense.[14] The FTC has also launched an educational campaign, featuring an Internet safety mascot called Dewie the Turtle, providing consumers and businesses with information and best practices to follow on information security.[15] Industry itself has been active in promoting information security. Pursuant to President Clinton's presidential decision directive[16] in May 1998, the Critical Infrastructure Assurance Office (CIAO) was established in the Department of Commerce. Together with the President's Critical Infrastructure Protection Board, this agency coordinates government outreach to private sector entities. The private sector has established independent information sharing and analysis centers (ISACs) to work with the government and to respond more effectively to information security threats and vulnerabilities. Some ISACs are organized with the assistance of specific industry trade associations. For example, the Information Technology Association of America, which was designated as the sector coordinator for the IT industry by the Commerce Department, helped to organize the separately incorporated information technology ISAC[17] and acts as an advisor to its board of directors. In addition, specific Federal agencies are assigned the lead in coordinating private sector information security activities.[18] These private sector groups share information on best practices and encourage all in their industries to follow them.
Industry has also stepped forward to address this issue. The IS Alliance, a recently formed joint venture between the CERT Coordination Center at Carnegie Mellon and the Electronic Industry Alliance, has published a list of best information security practices for senior managers.[19] Visa USA has developed its Cardholder Information Security Program, which mandates that all web merchants who accept Visa cards, and all organizations that provide Internet-related services to them, comply with 12 information security requirements. All these entities must validate their compliance with these requirements through annual independent reviews of their practices by security experts. In addition, the top 100 merchants, who account for 70% of Visa volume, must demonstrate compliance through more detailed audits of their internal and external security practices by outside firms.[20] Insurance firms are also looking for ways to encourage companies to upgrade their cyber security practices.[21]
The development of best practices and standards of adequate care within the industry is underway. Government officials, business leaders and associations and consumer groups are actively encouraging businesses and citizens to increase their efforts in the area of information security. The private sector is moving in the direction of increasing information security in ways that will achieve the goals of government and citizens in protecting the security, confidentiality and integrity of information.
[1] Prepared Statement of The Federal Trade Commission on "Privacy Online: Fair Information Practices In the Electronic Marketplace" Before the Committee on Commerce, Science, and Transportation United States Senate, May 25, 2000. Security has been part of fair information practices since the Organization for Economic Cooperation and Development's original guidelines on the topic in 1980.
[2] Creating a Culture of Security, Remarks Before Privacy 2002: Information, Security, and New Global Realities, Sponsored by the Technology Policy Group, September 26, 2002.
[3] Organization for Economic Cooperation and Development Guidelines for the Security of Information Systems and Networks, July 25, 2002.
[4] Richard Clarke, Why is Information Security Important? Keynote Address to the Federal Trade Commission, May 20, 2002.
[5] President's Critical Infrastructure Protection Board, A National Strategy to Secure Cyberspace, September 18, 2002.
[6] Jeff Fox, Cyberspace Invaders, Consumer Reports, June 2002.
[7] For a good summary of these surveys, see Alan Westin, Prepared Statement before the House Subcommittee on Commerce, Trade and Consumer Protection, May 8, 2001.
[8] Visa Internal Survey.
[9] Pub. L. No. 106-102, 15 U.S.C. § 6801-6809.
[10] Id. at § 501(b).
[11] 66 FR 8152, January 30, 2001 and FR 8616, February 1, 2001.
[12] 67 FR 36484, May 23, 2002.
[13] See, for example, Computer Science and Telecommunications Board Cybersecurity Today and Tomorrow: Pay Now or Pay Later, National Academy Press, Washington, D.C., 2002. http://www.nap.edu/html/cybersecurity/.
[14] Federal Trade Commission, Financial Institutions and Customer Data: Complying with the Safeguards Rule, September 2002. http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm.
[15] See the FTC's information security page at http://www.ftc.gov/bcp/conline/edcams/infosecurity/.
[16] PDD-63.
[17] For more information on the IT-ISAC, see their website at https://www.it-isac.org/.
[18] The Treasury Department, for example, is the lead federal agency for the financial services industry.
[19] IS Alliance, A Common Sense Guide for Senior Managers, Top Ten Recommended Information/Security Practices, July 2002.
[20] For more information about the Visa CISP program, see the Cardholder Information Security Program pages at http://usa.visa.com/business/cisp.
[21] AIG, for example, offers a discount on its cyber insurance policies for companies that subscribe to the IS Alliance best practices.
The Center For Democracy & Technology, 1634 Eye Street NW, Suite 1100, Washington, DC 20006. (v) 202.637.9800 (f) 202.637.0968. Copyright © 2005 by Center for Democracy and Technology.