Comments on: Are more federal laws the answer to ID theft? http://itknowledgeexchange.techtarget.com/security-bytes/are-more-federal-laws-the-answer-to-id-theft/ A SearchSecurity.com blog Sun, 29 Nov 2009 04:22:50 +0000 http://wordpress.org/?v=2.6.2 By: Janine Spears http://itknowledgeexchange.techtarget.com/security-bytes/are-more-federal-laws-the-answer-to-id-theft/#comment-301 Janine Spears Tue, 24 Apr 2007 22:12:24 +0000 http://security.blogs.techtarget.com/2007/04/24/are-more-federal-laws-the-answer-to-id-theft/#comment-301 As part of my current dissertation research on the impact of SOX on security, I have interviewed info security managers and have received a multitude of responses. Legislation appears to set a baseline of what is socially acceptable practice. Those companies that were already on the ball generally did not need legislative prompting. In some cases, companies may even be discouraged from performing beyond baseline security requirements. However, laggards may need external pressure (from laws, suppliers, etc.) to prompt them to meet at least a baseline. Then, there is the question of sustainability. Does the legislation make an initial positive impact, and then fade to no effect? On the subject of identify theft, aside from notification laws, there has been very little legislation. Meanwhile, identify theft is a growing issue. In the absence of legislative prompting, has the majority of retailers demonstrated self-motivation to protect customer data? The question posed in this blog really is part of a larger question: what is the effect of legislation on information security? Does it help or hurt? My research in this area examines this question and seeks survey respondents (http://www.surveymonkey.com/s.asp?u=267403639256). As part of my current dissertation research on the impact of SOX on security, I have interviewed info security managers and have received a multitude of responses. Legislation appears to set a baseline of what is socially acceptable practice. Those companies that were already on the ball generally did not need legislative prompting. In some cases, companies may even be discouraged from performing beyond baseline security requirements. However, laggards may need external pressure (from laws, suppliers, etc.) to prompt them to meet at least a baseline. Then, there is the question of sustainability. Does the legislation make an initial positive impact, and then fade to no effect?

On the subject of identify theft, aside from notification laws, there has been very little legislation. Meanwhile, identify theft is a growing issue. In the absence of legislative prompting, has the majority of retailers demonstrated self-motivation to protect customer data?

The question posed in this blog really is part of a larger question: what is the effect of legislation on information security? Does it help or hurt? My research in this area examines this question and seeks survey respondents  <a href="http://www.surveymonkey.com/s.asp?u=267403639256" title="http://www.surveymonkey.com/s.asp?u=267403639256" target="_blank">http://www.surveymonkey.com/s.asp?u=2674…</a>).

]]>