Policy advisor: Legislation won't end breaches

01.03.2006

What impact are all of these breaches having? Let's talk about the individual first. We know that millions of people have had their information exposed, bank accounts depleted and have had to go through the trauma of getting their credit ratings squared away. Then there's the firm that failed to provide adequate security through negligence or inadequate measures. They suffer a number of losses. Ask ChoicePoint how much it cost them not having it done adequately. There's the loss of reputation, brand denigration, the [impact on] stock prices. Then there's the peripheral things that become awful big. The lawsuits and the litigation costs become enormous. It's causing consumers to lose confidence in using the medium of information technology. That may be the biggest loss of all.

How is all of this steering the privacy debate in Congress? There's the emotional hue and cry of all of this affecting members of Congress and members of state legislatures to 'do something.' Unfortunately, we will see some onerous legislation that might allow some political figure to declare victory and walk away. But it will not be a victory, unfortunately. Legislation alone is not going to solve this problem.

So what do companies need to be doing differently? We think of information and protecting it as protecting our stuff. Our corporate secrets, the Coca-Cola formula and things like that. But today information security is about protecting all that other stuff. It's the information we use. We gather it, we store it, we manipulate it, we use it, we sell it, we transfer it. All those things are points of vulnerability that the company that owns the information is responsible for. To do this right, businesses have to start thinking more holistically about how they manage, how they function, how they use their processes. You know, right now I hear it frequently talking to CIOs and chief privacy officers, and the majority of them lament that they are just third tier in their organizations and they are viewed as overhead, nobody pays attention to them and so forth. Well, it's time for management, the CEOs, the senior VPs [to see] that information is the lifeblood of their organizations.

Is a national privacy law a good thing to have, considering the patchwork of state laws that companies have to currently deal with? Well, you know sometimes a good thing to have is the least worst of all the other alternatives. Right now, I think there are 23 state laws concerning security breaches. I think there are another 19 or 20 states well along the path. I think it's just one of those situations that begs for some national standard. When you have this many laws what you really get is a de facto national standard that happens to be the most onerous of all those laws.

Will privacy concerns push the industry to an opt-in standard? I don't know. I've been leery of opt-in notices. [A company's] opt-out policy might tell you that we are XYZ credit card company and that we collect this information and here's how we use it and here's how we share it with affiliates, and if you don't want us to do this, tell us. The last I heard about how many people opt out, it certainly was in the single-digit percentages. It's very low compared to the gazillion people who get these notices. Suppose that was opt-in and the company says if you want us to continue to do this please let us know, and the response was, say, 50 percent. We'd still lose 50 percent of the members moving their information around. Think about what that would do to the economy. How disruptive it would be. It just seems that opt-in, while in some cases [it's] definitely appropriate, just making everything opt-in might create more harm than good.