In my former life, I was the architect of a high-volume credit card account processing system allowing hundreds of businesses to conduct highly secure and reliable e-commerce with major financial institutions. Our clients were some of the largest banks and credit card issuers in the world. It was a hard sell to very conservative banks in the mid-1990s, to be sure. Data security and privacy concerns had to be overcome. Today, legislation in the banking and medical industries mandates security requirements surrounding data. But what laws mandate best-of-breed data security policies and practices for the typical online retailer? Some states have laws requiring disclosure of data losses. But, for the most part, legislators have stayed away from creating standards for data security. The reasoning is that government can only go so far when it comes to dictating how companies operate internally. I like the concept of a "hands-off" approach to governmental intervention. I prefer to let the industry set and, most importantly, enforce data protection standards. And that is happening. Take a look at the PCI Data Security Standard from the payment card industry, which everyone accepting cards is required, by contract, to follow. Nothing about it seems particularly onerous. It includes logical steps a company should already be taking to protect systems and data, requires appropriate documentation, and mandates ongoing auditing. It looks a lot like the business requirements we worked with ten years ago.
And given the federal government's hands-off approach so far, everyone would be wise to implement the data protection standards and program voluntarily. Self-regulation is critical to avoid the burden of another federal law that increases the cost of doing business. Once again, these requirements are part of the contract with all credit card issuers today, the penalties for non-compliance are huge, and they apply, to varying extents, to everyone accepting credit cards.