Online Privacy Legislation And Information Security Training Initiatives Can Minimize Identity Theft

A majority of todays world population uses the internet, but it also poses a risk for their personal information being stolen. Two U.S. senators at a press conference in Washington, D.C., introduced a bill that would protect internet users.

But the measure applies only to companies and some nonprofit groups, not to the federal, state, and local police agencies that have adopted high-tech surveillance technologies including cell phone tracking, GPS bugs, and requests to Internet companies for users' personal information--in many cases without obtaining a search warrant from a judge. "What's a bill of rights if it doesn't provide rights against the government?" asks Jim Harper, director of information policy studies at the free-market Cato Institute.

However, consumer groups praised the Commercial Privacy Bill of Rights as a step in the right direction for online privacy legislation, but it has divided companies that would be affected by it. "We are concerned with the provisions in their proposal that would impose strict new requirements on first-party sites to allow their users to access, correct and delete data collected by that site," said Mike Zaneis, senior vice president and general counsel of the IAB. "These types of first-party restrictions were explicitly rejected by the FTC and are unnecessary to protect consumer privacy, but would severely hurt publishers."

"The challenge now facing all of us is how to address issues related to security and privacy while enabling businesses to continue developing innovative products and services," wrote Microsoft representatives in the statement. "Legislation is an important component of a multi-pronged approach to privacy that also includes industry initiatives, technology tools and consumer education."

The Justice Department said it opposed proposals--backed by AT&T, Google, Microsoft, eBay, the American Civil Liberties Union, and Americans for Tax Reform--to protect Americans' privacy by requiring a search warrant to access online files and track Americans' locations. Then, on Friday, the Justice Department renewed its opposition to being required to use a search warrant to access the Twitter accounts of Wikileaks volunteers.

In 2006 the Department of Veterans Affairs suffered a massive security breach when an unencrypted laptop with data on millions of veterans was stolen. A government report last year listed IRS security and privacy vulnerabilities. The government of Texas yesterday revealed that it disclosed the personal information of 3.5 million citizens, including Social Security numbers. Even the Census Bureau has, in the past, shared information with law enforcement from its supposedly confidential files.

In 2007, the Bush White House asked agencies (PDF) to develop breach notification rules. But there are no civil or criminal penalties if violated, and agencies are allowed to make their own decisions as to whether a breach has generated sufficient "harm" to warrant notification--a self-policing measure that gives them a strong incentive to downplay any potential ill effects.

In general, the legislation would give consumers new rights concerning their online data. It also requires companies to take steps to protect the information and obtain permission to share it. Companies that collect consumer data would have to clearly explain their practices. Those would include requiring consumers to provide clear consent. Companies also would have to allow consumers either to access and correct their information or request that the information not be used or distributed. Joel Reidenberg, academic director of the Center on Law and Information Policy at Fordham University, said the legislation is a "major advance" in the push for greater online privacy protections and has a real chance of becoming law.

Although the bill would provide protection for consumers when transmitting data on the internet, organizations also need to implement robust internet security initiatives, including hiring highly trained information security experts to avoid security breaches. Information security professionals can increase their information security knowledge and skills by embarking on highly technical and advanced training programs. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency of highly technically skilled information security professionals.

CAST will provide advanced technical security training covering topics such as Advanced Penetration Testing, Digital Mobile Forensics training, Application Security, Advanced Network Defense, and Cryptography. These highly technical and advanced information security training will be offered at all EC-Council hosted conferences and events, and through specially selected EC-Council Authorized Training Centers.