Now, we are all consumers and we all want to rest assured that our personally identifiable information is harbored safely with those businesses we've entrusted it. We need to feel secure that a data security breach won't happen and make us vulnerable to identity theft; that no unknown hackers can penetrate the cyber codes and safeguards that we rely on to protect us from unscrupulous criminals. We all want to be sure that our sensitive information is protected.

We are all also business people and probably realize that an essential part of doing business in the 21st century is the collection and maintenance of sensitive information from our customers, prospects, vendors, associates and employees. This is what makes the modern conveniences of online shopping and online banking a reality. It is also what has revolutionized the real estate industry with new technology tools for transaction and data management. The businesses which have the most well managed data are often the most successful. Hand-in-hand with information acquisition is information protection. Consumers are demanding it and the government is hearing them and responding. Think ChoicePoint, Bank of America...the list grows daily.

The legislative trend across the United States is to enact some kind of Security Breach legislation on the State level. More than two-thirds of the States have taken some action. Is your State listed? If not, it will be soon. EDITOR'S NOTE: This article was printed in July of 2005. More States have now passed security breach legislation.

• Passed: Arkansas, California, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Rhode Island, Tennessee, Texas, Washington

• Introduced: Alaska, Arizona, Maryland, Massachusetts, Michigan, Missouri, Ohio, Oregon, Pennsylvania, South Carolina, Virginia, West Virginia and Wisconsin

Eight bills on this topic are pending at the Federal level. Most will preempt these state laws. The Senate Judiciary Committee is expected to vote this week to make it a crime if you do not notify consumers of a data breach.

These new state laws and the new federal law, when passed, open a whole new realm of business responsibility and potential liability. Many of these new laws impose mandatory notification requirements on companies to report breaches, and violations of these laws may result in fines being imposed on the violator and victims may seek restitution for their damages. That could be very expensive...and then there is the public relations disaster.

It is important to have your Information Protection Policy in place. Here are some key elements your policy needs to define:

• What is to be protected
• Who can have access to sensitive information
• How sensitive information is to be stored and transmitted (encrypted, archive files, unencoded)
• Which systems store sensitive information
• What levels of sensitive information can be printed on physically insecure printers
• How it is to be removed from systems and storage devices
• How to protect resources and enforce policies
• Procedures for specific response to incidents
• Procedures to provide quick reference in times of crisis
• Procedures to eliminate a single point of failure (someone leaves suddenly or is unavailable)

It is now critical for your continued business success to be proactive in protecting personally identifiable information. If you treat your data as if it is your own personal information that you are protecting, you will become the change you want to see in this world- keeping identities and information safe for their rightful owners.

Darity Wesley is CEO and Legal Counsel for Privacy Solutions, Inc. a San Diego based consulting firm. Her team of Privacy Gurus® work with you to create policies and procedures to establish the expectation of privacy for your members, clients, customers, prospects, affiliates, associates, employees and vendors. You can reach her at (619)670-9462 or Darity@privacygurus.com