Archive for July, 2003

Privacy Legislation Moving Slowly Through Congress

Several pieces of privacy legislation that could affect business performance are currently in the pipeline in Washington:

  1. The Notification of Risk to Personal Data Act (modeled after the California law), which was introduced by Senator Dianne Feinstein in late June but has no cosponsors. The bill would require companies to notify customers when they believe customers’ unencrypted personal information has been compromised.
  2. The Consumer Privacy Protection Act of 2003, which was introduced by Representative Cliff Stearns in April and has 22 cosponsors. The bill would require companies to provide privacy notices to customers when information is being collected. The notice would explain why the information was being collected and allow customers to opt out.
  3. The Online Personal Privacy Act, which was introduced by Senator Ernest Hollings in April 2002. The bill would require companies to obtain specific consent from a user before collecting any personally identifiable information.

Source: Congress Takes Small Steps On Privacy Legislation - http://www.infoworld.com/article/03/07/18/HNsmallsteps_1.html

More Legislation on the Way

According to Representative Adam Putnam (R-Florida), who chairs the House Government Reform Committee’s Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, there remains a need for more legislation imposing information security mandates on business to ensure that the private sector does all it can to protect the nation’s critical infrastructure. [Source: Cybersecurity Laws Expected]

Dell To Sell More Secure Computers

Dell Computer recently announced that it will give its customers the option of purchasing a more secure or “hardened” configuration.

The systems will help organizations meet a security benchmark established by the Center for Internet Security (CIS), whose mission is to help organizations around the world effectively manage risks related to information security. The Dell announcement is a solid step toward secure computing because, as is well known, most vulnerabilities occur while deploying new systems.

[Source: http://www.dell.com/us/en/gen/corporate/press/pressoffice_news_2003-07-09-rr-000.htm]

FTC Settles with Guess.com Web site For Not Taking Appropriate Security Measures

Computerworld reports that the FTC “accused Guess of leaving its Web site open to ‘commonly known’ attacks” resulting in the “release of an undisclosed number of credit card numbers stored in the Guess database.”

“Under the settlement, announced yesterday, the company is prohibited from misrepresenting the security of customers’ personal information. Guess must also maintain a comprehensive security program at its Web sites and submit an independent security auditor’s report to the FTC every two years during the entire 20-year length of the settlement.” This is the third such action against companies (others were Eli Lilly and Microsoft) by the FTC in the past year to push companies into taking the need for security more seriously, and to more carefully consider the information they provide to customers about their security efforts.