Cyber Security Industry Alliance Newsletter • Volume 2, Number 7 • March 2006

CSIA Member Spotlight


About Secure Computing Corporation

Name:  Secure Computing Corporation

President & CEO: John McNulty, president, chairman and CEO

Headquarters: San Jose, CA

Number of Employees: 650

Total Revenue: Full year 2005 revenues were $109.2 million

About Secure Computing:  Secure Computing (NASDAQ:SCUR) has been securing the connections between people and information for over 20 years. Specializing in delivering the world's strongest security appliances/firewalls, strong authentication, and content management and filtering solutions, Secure Computing is uniquely qualified to be the global security solutions provider to organizations of all sizes. Our more than 17,000 global customers in over 100 countries, supported by a worldwide network of partners, include the majority of the Dow Jones Global 50 Titans and the most prominent organizations in banking, financial services, healthcare, telecommunications, manufacturing, public utilities, education, and national and local governments. The company is headquartered in San Jose, Calif., and has offices worldwide. For more information, see http://www.securecomputing.com

 

Will the Tide Finally Turn for Network Security?

Historically, competitive pressures have kept a tight rein on security spending, often driving IT security buyers to select popular solutions in lieu of more secure alternatives. There has also been a trend to purchase "just enough" security, because spending more on security than a competitor could reduce margins and give that competitor a possible advantage.

Much of the legislation that will have a significant impact on security buyers is driven and adopted at the state level. After California adopted SB 1386 in 2003, several other states began considering similar legislation. Since 2003, high-profile database exposures of personal information have perhaps accelerated the legislative actions of many states. Several new state laws mandate that companies provide notification of a security breach to help combat identity theft. Some state laws enacted in 2005 go as far as addressing how personal data can be collected and used.

State            Law        Effective
Arkansas         SB 1167    6/1/2005
California       SB 1386    7/1/2003
Connecticut      SB 650     1/1/2006
Delaware         HB 116     6/28/2005
Florida          HB 481     7/1/2005
Georgia          SB 230     5/5/2005
Illinois         HB 1633    1/1/2006
Indiana          SB 503     7/1/2006
Louisiana        SB 205     1/1/2006
Maine            LD 1671    1/31/2006
Minnesota        HF 2121    1/1/2006
Montana          HB 732     3/1/2006
Nevada           SB 347     10/1/2005
New Jersey       A4001      1/1/2006
New York         SB 5827    12/7/2005
North Carolina   SB 1048    2/17/2006
North Dakota     SB 2251    6/1/2005
Ohio             HB 104     2/17/2006
Pennsylvania     SB 712     7/1/2006
Rhode Island     HB 6191    7/10/2005
Tennessee        HB 2220    7/1/2005
Texas            SB 122     9/1/2005
Washington       SB 6403    7/24/2005

Will the adoption of new laws and regulations bring about instant change in network security? Simply put, no. While some of the more responsible organizations will quickly adapt their security policy to meet the requirements of new laws and regulations, many will unfortunately continue with business as usual. That is, of course, until the penalties for breaches of the regulations begin to be felt throughout the industry. Regulations in and of themselves cannot change the mindset of an entire industry, but the pain of the penalties associated with those regulations will in fact change the way organizations view network security.

A review of the chronology of data breaches kept by the Privacy Rights Clearinghouse shows that, since the ChoicePoint breach in April of 2005, an additional 52 million people have had their personal information compromised. More often than not, the breach was the result of the organization's failure to adequately secure the information. Clearly, 2005 was a horrible year for security breaches involving personal information. Unfortunately, 2006 is not faring much better, with over 10 significant data breaches already occurring in January.

The organizations that failed to secure their networks and the data they were entrusted with are beginning to see their day in court: On January 26, 2005 the FTC announced it had reached a settlement with ChoicePoint for its data security breach in April of 2005. The total civil penalties and customer redress were stated as $15 million. The financial penalties are only part of the settlement; ChoicePoint has also been ordered to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.

ChoicePoint is only the beginning of a long list of 50 or more organizations that may soon be the subject of litigation and civil penalty for their respective data security breaches. As word of repeated multi-million dollar penalties for improperly securing data spreads, it will ultimately be the fear of financial penalties felt in the boardroom that will finally cause the tide to turn in network security.