Network administrators should regularly monitor the network for new, unknown systems. A user may have plugged in an unauthorized laptop (which could be infected with viruses that could spread to the rest of the network), or a hacker may have attached a system to the network to gather information or launch an attack. And don’t forget that PCs can be set up as wireless access points, attracting war drivers. Of course, company policies should prohibit attaching any device to the network without authorization, but we know it will probably happen. If monitoring becomes too much of a burden for your IT staff, consider installing system monitoring software that will notify you if any suspicious activity occurs.
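One simple form of the monitoring described above is to diff the hosts currently seen on a segment against an inventory of authorized devices. The following is an added example, not code from the original article: it parses constructed `ip neigh show` style lines (the line format and the inventory are assumptions for the demo) and flags MACs that are not in the inventory, as well as known MACs that show up on an unexpected address.

```python
"""Added example (not from the original article): flag unknown hosts by
diffing a Linux neighbor/ARP table against a known-device inventory.
Sample table lines and the inventory below are constructed for the demo."""
import re
from dataclasses import dataclass

# Constructed sample of `ip neigh show` output; assumed line format:
# "<ip> dev <iface> lladdr <mac> <state>" (unresolved entries lack lladdr).
SAMPLE_NEIGH = """\
10.0.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.1.11 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.0.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.1.12 dev eth0 lladdr 00:11:22:33:44:55 DELAY
10.0.1.50 dev eth0  FAILED
"""

# Constructed inventory: MAC -> (hostname, expected IP). In practice this
# comes from the asset database or DHCP reservations.
INVENTORY = {
    "00:11:22:33:44:55": ("ws-alice", "10.0.1.10"),
    "00:11:22:33:44:66": ("ws-bob", "10.0.1.11"),
}

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)

@dataclass(frozen=True)
class Finding:
    kind: str   # "unknown_host" (MAC not in inventory) or "ip_mismatch"
    ip: str
    mac: str
    note: str

def parse_neigh(text):
    """Yield (ip, mac) for resolved entries; FAILED/INCOMPLETE rows are skipped."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3).lower()

def audit(text, inventory):
    """Return findings worth an alert: unknown MACs, and known MACs on an unexpected IP."""
    findings = []
    for ip, mac in parse_neigh(text):
        if mac not in inventory:
            findings.append(Finding("unknown_host", ip, mac, "MAC not in inventory"))
        elif inventory[mac][1] != ip:
            findings.append(Finding("ip_mismatch", ip, mac, f"inventory expects {inventory[mac][1]}"))
    return findings
```

Calling `audit(SAMPLE_NEIGH, INVENTORY)` on the sample returns an unknown_host finding for 10.0.1.77 and an ip_mismatch finding for 10.0.1.12; a cron job that runs this against the live table and mails the findings is the notification the paragraph asks for.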
As with any IT-based legislation, creating laws around technology often leads to a compliance nightmare when ambiguous guidelines meet Moore’s Law head-on. This is especially true of the proposed Data Breach Notification Law, which Rep. Tom Davis (R-VA) proposed to the House Committee on Government Reform in July.
The proposed legislation calls for the development of disclosure policies and standards for personal data breaches involving federal agencies. Current legislation regarding data breaches is covered in the Federal Information Security Act; under the proposed Data Breach Notification law, the policies would be developed by the White House Office of Management and Budget, but there is currently no direction on where such breaches would be reported.
Currently, a federal agency must report a breach of “personal identifiable information” to the U.S. Department of Homeland Security within an hour of a confirmed or suspected data breach. Security experts worry that if this type of notification were rolled out to businesses, minor infractions such as disabled encryption on a laptop or a misplaced USB drive could cause “notification fatigue” or the security equivalent of crying wolf, not to mention costing a lot of money and putting their good names in constant jeopardy.
What it means to you: Data breach notification will be a hot topic in Congress this fall, but don’t expect a national law to be tougher than state laws. California and New York require notification any time there is a data breach, taking the decision on whether or not to notify out of businesses’ hands. When reviewing your own data breach notification policies, keep in mind that consumers are much more sensitive to the release of personal information than Congress is. Once you’re sure your policies meet state guidelines, evaluate them from the consumer’s viewpoint to ensure you balance notification with the extent of the threat.