California Senate Bill 1386, which took effect in 2003, was a little-known piece of legislation until this year, when it set off a global debate on information security and issued a wake-up call to companies about protecting data and systems. The bill requires businesses to notify California residents if their unencrypted personal information – a name in combination with a social security number, driver’s licence number or credit card or financial account details – has been, or is reasonably believed to have been, acquired by an unauthorised person.
In February, ChoicePoint, a Georgia-based information broker, sent letters to 35,000 California residents warning them that a crime committed against the company may have exposed their names, addresses and social security numbers. Criminals posing as legitimate businesses seeking data on potential employees and customers had opened accounts with ChoicePoint and been given access to the personal details of tens of thousands of people.
ChoicePoint had identified 50 fraudulent accounts as long ago as last October, but informed the Californians affected only four months later, and only because the law required it to. It said it had had no plans to tell anyone outside California but, after a public outcry, it came clean and notified 145,000 Americans in total. At least 750 of these have been victims of identity theft as a result of the breach, and class-action lawsuits have been filed against the company.
The ChoicePoint incident triggered moves at state and national level to follow California’s legal lead. “The outcome has been a rush of legislation,” says Michael Rasmussen, an analyst at Forrester Research.
“Thirty-six states have different disclosure laws going through their legislatures – they all tweak California’s law – and it’s become a patchwork quilt that makes it impossible for a company to manage if it works across more than one state.” This applies to overseas companies as well, since many do business with Americans online or collect their details.
Legislation at the federal level could clarify what companies must do, but eight different bills on the subject are currently progressing through Congress. Combined with other legislation, such as the Sarbanes-Oxley Act, the disclosure laws have forced a rash of announcements about compromised data this year. In April, the publisher Reed Elsevier revealed that the details of 310,000 people held in the databases of a subsidiary, Seisint, might have been accessed in a fraud scheme similar to the one that hit ChoicePoint. The company made the disclosure in a Securities and Exchange Commission filing, in apparent anticipation of the Sarbanes-Oxley requirement to provide rapid and current disclosure of material changes to its business.
The ChoicePoint incident remains the reference point for how companies should or should not deal with information security breaches. Information security experts such as Mr Rasmussen believe the company’s management has been disingenuous in maintaining that it had not suffered a network security breach or “hack” but had been the target of plain fraud or a “social engineering” scam. The data left the company through an authorised channel whose customer vetting failed; whether the weakness lay in a network or in a business process, the result for the people affected is the same.
This narrow definition of a data breach flies in the face of current thinking on how companies should tackle IT security and governance within a framework of an all-encompassing information security policy. “It has been more about IT security in the past,” says Mr Rasmussen, “focusing on firewalls and dealing with hackers. But over time, the demand for an information risk management approach has really grown.”
An Economist Intelligence Unit survey released last month revealed that 45 per cent of companies have already appointed a chief risk officer (CRO) or equivalent and 24 per cent plan to appoint one in the next two years. Executives surveyed said the main benefit was the ability to expand risk management to address more risks. The main priority for CROs was to ensure the organisation was in full compliance with regulations.
Financial services companies, which dominated the survey and face the most regulation, said integrating risk data from multiple systems and processes was their biggest challenge, while non-financials cited managing risk across globally dispersed operations.
“It is a topic that’s being taken far more seriously than in years gone by,” says Anthony Smyth, a partner in Ernst & Young’s information systems, assurance and advisory service. “The classic concept around security is the confidentiality, integrity and availability of information.”
While the focus in the past has been on confidentiality and availability, Mr Smyth believes integrity has often been forgotten. “It’s really about separating people out and only giving them access to the information they need,” he explains. “Under Sarbanes-Oxley, the chief executive and chief financial officer have to sign off that they have adequate control of the integrity of their financial statements. This might have been considered a simple housekeeping matter in the past, but things are being cleaned up en masse now, with legislation compelling security.”
One area being given fresh attention is the growing threat from outbound e-mail. Firewalls, anti-virus gateways and spam filters block unwanted inbound messages and malicious code, but they do not inspect what employees send out, and a single outbound message can breach confidentiality, compliance requirements or the integrity of company records.
Gary Steele, chief executive of Proofpoint, a company providing software that monitors the contents of both inbound and outbound mail, says about a third of companies have investigated leaks of confidential information and the same proportion have looked into compliance violations. “It simply doesn’t work having staff looking at e-mails – 40 per cent of organisations employ people to read outgoing e-mail,” he explains. “We have had lots of discussions with employee-rights advocates and it’s our belief that the best approach is to use sophisticated technology that will enforce policies on the e-mail stream and to only use humans to review those e-mails highlighted by the technology.”
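The following Python is an added illustration of the division of labour Mr Steele describes, software enforcing a policy on the outbound mail stream and people reviewing only what it flags. It is example code written for this article, not Proofpoint’s product. It assumes a single internal domain (example.com), a policy under which personal data may travel internally but is held for review when addressed outside the company, and a Luhn checksum to weed out digit runs that merely look like card numbers. The sample messages are constructed.

```python
"""Outbound e-mail policy filter (added example, not Proofpoint's product).

Scans messages leaving the organisation for the kinds of personal data
that SB 1386 covers (social security numbers, credit card numbers) and
holds matches for human review instead of having staff read all mail.
"""
import re
from dataclasses import dataclass, field

# Assumption: everything at this domain is internal; anything else is external.
INTERNAL_DOMAIN = "example.com"

# US social security number; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by spaces or hyphens; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                        # "deliver" or "hold_for_review"
    findings: list[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def find_card_numbers(text: str) -> list[str]:
    """Return candidate card numbers (separators stripped) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(value: str) -> str:
    """Keep only the last four characters so the review queue itself does not leak data."""
    return "*" * (len(value) - 4) + value[-4:]


def evaluate(msg: Message) -> Verdict:
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    text = msg.subject + "\n" + msg.body
    findings = [f"ssn:{redact(s)}" for s in find_ssns(text)]
    findings += [f"card:{redact(c)}" for c in find_card_numbers(text)]
    # Policy (assumed): personal data addressed outside the company is held for a
    # human; internal traffic is delivered, but the findings are returned for logging.
    if findings and external:
        return Verdict("hold_for_review", findings)
    return Verdict("deliver", findings)


if __name__ == "__main__":
    # Constructed sample traffic, not real mail.
    samples = [
        Message("hr@example.com", ["payroll@vendor.test"], "New starter",
                "Please set up Jane Doe, SSN 123-45-6789, on the payroll."),
        Message("finance@example.com", ["ap@example.com"], "Corporate card",
                "Card 4111 1111 1111 1111 is now active."),
        Message("sales@example.com", ["buyer@customer.test"], "Shipment",
                "Your order 1234-5678-9012-3456 has been dispatched."),
    ]
    for m in samples:
        v = evaluate(m)
        print(f"{m.subject:15} -> {v.action:16} {v.findings}")
```

The Luhn check still passes roughly one in ten random digit runs of card length, and the SSN pattern misses numbers written without hyphens, so the filter narrows the stream rather than replacing judgement; that is why only the held messages, with the matched values already redacted, go to a reviewer.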
Despite privacy concerns, monitoring of e-mail on company systems is generally within an employer’s rights in the US, but a business does not have an automatic right to listen to an employee’s phone calls because of wire-tapping laws.
Using too many humans to prevent security breaches can also backfire, according to David Porter, head of security and risk at Detica, a specialist IT services company. “You can overdo security and create more risk if you respond to the heavy burden of regulation with heavy procedures,” he says. “For example, you can employ a team of 100 people to check and double check things, but that can create ‘bystander apathy’ – a diffusion of responsibility where everyone thinks someone else is doing the checks. Introducing security procedures can also make people take riskier action – the same way wearing seat belts can make people drive faster.”
Enterprise risk management has become the buzz phrase, says Mr Porter, with operational risk coming to the fore over credit risk, market risk and strategic risk. According to Forrester, while having the appropriate IT responses to security challenges in place is necessary, how companies manage their risk is more important. “Steps that businesses need to take include raising the visibility of information security with risk officers reporting to the chief information officer,” says Mr Rasmussen. “There has to be a policy framework and operational controls. Training and awareness are important – anyone who touches sensitive information has to understand their responsibilities.”
Also required are monitoring that controls are actually in place, proper background screening of individuals so that criminals are not given access to data, and working with law enforcement officials to deal effectively with any breaches.
ChoicePoint can tick that last box, but it failed crucial parts of the checklist. Other companies may be ruing the excess of regulation it has instigated, but they may ultimately benefit from the early warning it gave them about the state of their own privacy and information security policies.