Your Guide To Good-Enough Compliance
Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don't waste your time or bankrupt your company.
Second, these laws tend not to be terribly specific regarding situations and requirements. For example, California’s security breach notification law, the first in the nation, does not require notification of a security breach if the private data was encrypted. However, it also does not require encryption.
For that reason, how companies protect private data has become a risk-based business decision, says Sony’s Spaltro. Sony processes about 5 million credit card transactions a month, mostly associated with its PlayStation consoles and the massively multiplayer online games it sells. Although Spaltro declines to talk about Sony’s security practices, he says that while Sony Online Entertainment is fully compliant, every company weighs the cost of protecting personal data against the cost of what it would take to notify customers if a breach occurred. Spaltro offers a hypothetical example of a company that relies on legacy systems to store and manage credit card transactions for its customers. The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he suggests.
That reasoning is “shortsighted,” argues Ari Schwartz, a privacy expert at the Center for Democracy and Technology. The cost of notification is only a small part of the potential cost to a company. Damage to the corporate brand can be significant. And if the FTC rules that the company was in any way negligent, it could face multimillion-dollar fines. In 2006, the FTC fined information aggregator ChoicePoint $15 million after the company admitted to inadvertently selling more than 163,000 personal financial records to thieves. The FTC ruled ChoicePoint had not taken proper precautions to check the background of customers asking for the information.
Crime and Punishment
How can a CIO know that the security measures he’s taken will be adjudged customary and reasonable by federal or state regulators? Looking at the 15 security breach cases the FTC has ruled on since 2002, a picture emerges as to what regulators deem reasonable (the FTC plans this spring to release a document that will set out more specific guidelines), and by looking at the 14 cases the FTC has settled against companies that have experienced security breaches, one can get a sense of what’s deemed customary. (For a look at some of the more recent cases, see When Companies Violate the Rules.)