Information Age: News, analysis & insight for IT & business leaders

Information security issues have been making regular headlines in the business press over the past two years, but when IT security makes it to the front page of The Sun, the UK's most lurid and sensationalist tabloid, then it is clear that things have reached a crisis point.

The Sun's story, printed in mid-June, alleged that an undercover reporter bought bank account details of hundreds of customers of UK banks from an underworld contact in India. The data was allegedly supplied by computer and call centre workers in Mumbai.

Since the story appeared, several of the banks involved, along with officials of the Banking Code Standards Board, have questioned some of the claims, saying that it would not have been possible to collect such data. But regardless, for the Indian offshore industry and for the banks involved, the damage has already been done. Public trust in online security, offshore and onshore, has taken a further hit, and some analysts are already predicting a downturn in offshore growth.

For those who follow security issues, this case is unusual not just because of the tabloid sting, but because it does not involve a US company.

In recent months, major US companies reporting serious information security problems include CardSystems Solutions, which serves many major credit card companies, Bank of America, Choicepoint, Citigroup, Morgan Stanley, Time Warner, IBM, Ameritrade, Lexis Nexis and MCI.

Sometimes the problem has been lost tapes or a stolen laptop; in a few cases it has been a sophisticated fraud, involving spyware. Overall, private details concerning millions of customers of US businesses and individuals have been lost or accessed by unauthorised parties.

The reason why all these cases have come to light has nothing to do with a lower standard of security in the US, but because a Californian law, the Security Breach Information Act, requires organisations doing business in California to report online security incidents that might affect shareholders or customers (paper and offline tapes are apparently not covered). In recent months national US organisations have realised that failure to report any incidents could leave them open to lawsuits in any state.

The result: a surge in reports, and, increasingly, a realisation in business that it is not necessarily a disgrace to be a victim of a computer crime. It is also clear that businesses are learning fast from their own mistakes. CardSystems, for example, has now decided not to store transaction information once it has been used; others may follow Morgan Stanley's example and overhaul their email monitoring and retention systems.

For a while, the flow of bad news will damage public confidence. But over time, the effect is likely to be better security in the US, and a better understanding of the types of problems that can occur. The Breach Law, as it is called, was much derided when it was first put forward, but has turned out to be an entirely positive development.