Son of Sarbanes?

I got home one night a few months ago and turned on the evening news. There was Senator Arlen Specter grilling some very somber looking executives from Lexis Nexis, ChoicePoint, and Acxiom about the apparent theft of personal data including data that could expose any one of us to identity theft and unrecoverable financial loss.

He asked some very pointed questions about when, where and how personal data wound up in the hands of who knows who. What he got back from these executives was a collective “palms up.”

“My conclusion is we need federal legislation,” said Sen. Specter.

Hmmm. Where and when have we heard this before?

Actually, think back to when names like Ebbers, Koslowski, and Lay were making headline news. Hearings were held within the halls of Congress. The New Economy was turned upside down to expose executive excess not seen since the days of the muckrakers. Then as now, the answer from the federal government was legislation—this time courtesy of Messer’s Sarbanes and Oxley.

The U.S. Congress may yet again visit the IT industry, this time with legislation aimed at protecting us all from identity theft.

At last count, there were upwards of twenty different pieces of federal legislation floating around Capitol Hill. While it doesn’t appear that anyone of them will reach the floor of either house of Congress in the very near future, I am certain that at least one of them will. Why?

ID theft will continue to be front page news. Visibility of the issue has retreated for now, but all it will take to bring it back to headline status is another event. I’m convinced this will happen because all of the survey data I see lately on the subject of data encryption tells me that the server and networking people are the only ones that are getting the message.

Storage administrators still see encryption as a huge imposition. Data at rest is still as exposed as it was prior to mass public awareness.

Another disaster is waiting to happen.

Consider this. Next time you visit your dentist, check to see how digitally advanced he or she is. Dentists can be very advanced with their use of technology. They probably have all your dental records, insurance info, probably even my payment record and credit card information digitized. They may even have appointment tracking software that can link to your electronic office calendar.

All that’s cool enough, but there’s more. Some dentists can and do backup all the office data twice. The first backup goes to USB drives there in the office. The second backup goes to Apple iPod. That’s right, an iPod. Luckily, I am assured, all of this backup data is in fact encrypted. Nevertheless, there is still some exposure here.

My dental records identify me. My dentist could be carrying me with him (digitally speaking) when he goes home at night. I submit that iPods are easier to lose than a box of backup tapes. Encrypted or not, the data can still fall into the wrong hands.

IT professionals need to realize that systems can and will “leak” data. The larger the system, the greater the potential for leakage. Attaching wireless and other portable data carrying devices to a system multiples the potential for leakage exponentially.

We must also realize that the sophistication level of those who can find, create, and exploit the leaks grows daily.

I can imagine a scenario in which an expert witness is sitting in from of a panel of Senators, walking them through the leakage problem I’ve just described, but in far more graphic detail. I can further imagine these Senators, who are also aware of Congress’ current approval ratings, feeling a need to do something positive—something they can take home to their constituents for consumption in the run-up to the elections in 2006.

ID theft touches every one with a credit card, and therefore, practically every registered voter. Each Senate panelist may be motivated to echo Senator Specter: “We must do something.”

Sarbanes-Oxley created a legal obligation to save certain types of electronic records. As such, it set a legal precedent. As similar precedent will likely be set again next year, although this one (call it “Son of Sarbanes” if you wish) will be aimed at making it harder for those who somehow acquire personal data to actually use that data.

John Webster is senior analyst and founder of Data Mobility Group. He has held the positions of director of Computing Research with Yankee Group’s Management Strategies Planning Service, and Senior Analyst with International Data Corp. He is also the co-author of a book entitled “Inescapable Data – Harnessing the Power of Convergence” (Prentice Hall, 2005).