Kevin McDonald

Alvaka Networks’ Executive Vice President, Kevin McDonald

Kevin serves on the National Board of Directors for AEA, is the new Vice Chair of the AEA O.C. & Inland Empire, Executive Committee, and Chairman of the Government Affairs committee. He is also a member of the National Board of Directors for Web Wise Kids, Chairman of the WWK Government Affairs Committee, a member of the Congressional Internet Caucus Advisory Committee and ITSPA Advisory Board. Kevin writes for several industry publications, has written op-eds for major newspapers and is a published fiction author. He is a sought after panelist and inspirational presenter and industry expert on Public Policy as it relates to Cyber Security and Child Safety.

Articles by this Author

There are many in the government and our communities who are finally beginning to understand the serious implications of children using the Internet. There have been several attempts to manage the content that children see, and they have failed for reasons of free speech and the inability to control the internationally operated Internet. The reality of Dateline’s “To Catch a Predator” has caused a renewed effort to control the people our children are exposed to as they surf the Information Superhighway.

While much attention is focused on the protection of private personal information, there has been little public discussion of the real potential for attacks on our critical infrastructure. We occasionally see a committee meeting or short-lived news program, but there is little sustained public debate and consideration of this vital issue.

Cyber Security Laws & Regulations … Are Scare Tactics Working?

Today I want to address the responses that I receive from many company executives when I speak about an organization’s IT security and public safety. Many companies and municipalities of all sizes and markets are operating under the false assumption that ignorance is a defense and denial is a strategy. A classic response to discussions about security and fiduciary responsibility is that they don’t buy into scare tactics. I genuinely can see why an individual would respond negatively to something they perceive as a scare tactic. On the other hand, if you’re not scared, you should be. There really are people out there who want to steal your information and that of your clients. They do want your corporate secrets, and they do want to steal your customers’ creditworthy identities.

I recently overheard the CEO of a mid-sized company say, “We sell toys, who would hack my network!?” This company accepts credit cards and, I assume, has employee data on its systems. So, YES, someone might actually want to steal their information! But that is not even the point. The latest types of attacks are not necessarily targeted at a particular company; they scan for weaknesses. The attacks occurring today are highly automated and search for known vulnerabilities in many thousands or even millions of systems all at once. The attackers don’t care what you sell, or whether there is any information they really want. They want into your system so they can find out if there is something worth stealing. They might even take the opportunity to use your system to launch a similar attack on others.

In many cases the discussion about one’s responsibility for protecting client and employee data is scary because of limited knowledge about the issue and fear of the cost associated with the reality of it all. Some company executives are starting to get it, but many more do not. The most notable gap in knowledge is at the level of small to mid-sized companies, mainly because, until now, they just weren’t required to know and did not have much to lose if they didn’t make an effort.

Over the past few years, substantial changes have been made in the law that have dramatically increased the level of liability and accountability for protecting private and sensitive information. The days of being able to say that “the law doesn’t apply” to you are gone. Frankly, the law has only just begun to tighten the noose around the corporate necks of those who fail to take at least reasonably defensive actions. There are so many new laws and regulations being proposed that it is nearly a full-time job just to keep up.

In the early days, we faced mainly industry-specific laws and regulations that described the minimum necessary standards of practice and safeguards to be implemented in limiting access to and disclosure of people’s private information. From HIPAA rules for the medical industry to Gramm-Leach-Bliley for banking and insurance, the legislation and regulations were very targeted and allowed for loose interpretation of whether or not they applied to one company or another. Some firms that had proudly considered themselves part of the financial community began to find other ways to describe themselves, as if a name change or mission statement would make them exempt.

In the past two years, several states have passed new and far more restrictive laws about how to treat private information and, even more importantly, what will be expected if you fail. They have removed any ambiguity about which industry you must be a part of to be held accountable, by bringing every industry under the same compliance requirements. Some new laws require notification of law enforcement and of any person(s) whose private information has been, or is even thought to have been, released. This is designed to embarrass firms into compliance and to allow the person whose data was possibly released to take steps that might protect them from loss.

Even where there is no stated monetary penalty, I have seen first-hand how expensive this can be in direct costs and damage to public reputation. You may have to spend many tens of thousands of dollars to tell the public how you have failed to protect their information. You may well be sued by hungry trial lawyers who will use any excuse they can find to squeeze money from you. You may lose contracts with other vendors, partners or companies that do value the security of their systems and won’t allow themselves to be taken down by your failure to secure yours. In fact, I know of several examples of companies that either went out of business or were little more than a shell of their prior condition after a breach. They lost critical vendor relationships and hundreds of customers who could no longer trust them to secure their personal data.

Because state and federal regulations may be in conflict, and your state may have very different regulations than another, I would have to write a book (or many more columns) to cover them all. So, get real and learn what regulations are out there. Learn how they can impact you and your business, and then do something about it. If you wish to know more about the specifics of your state and the ways this can impact you, your business or your family, I will be writing on many more specific issues in a series of columns here on NCS.com.

In the very near future, you will also find very valuable information from many other professionals and writers here on NCS.com and on the pages of affiliated partners and common links. There is a rapidly growing number of links and news sources that will also help. Stay tuned, and feel free to write to us any time.
