Uncle Sam's newest security challenge to businesses
Recent high-profile data breaches have brought the issue of protecting confidential information to the forefront of the security industry and the American public.
Over the past two years, data leaks have compromised more than 150 million personal-data records, according to the Privacy Rights Clearinghouse.
These breaches come with a high price tag. Forrester Research says that a security breach can cost anywhere between $90 and $305 per record, meaning that the cost of a single, significant breach may run into millions or even billions of dollars. The problem is certainly not going away, and it's no surprise the federal government is considering laws to mandate how sensitive data is handled.
This fall, pending legislation could have a significant impact on how businesses are required to protect confidential information, as well as when and how they are required to notify the public in the event of a breach. Several legislative bills are expected to be introduced in Congress that would specifically address identity theft protections, the storage and encryption of sensitive cardholder data, and wireless data security.
The outcome of this legislation remains uncertain, but it appears there is building support within Congress to take more proactive measures for enforcing higher data security standards.
The business world has already experienced the impact of government attempting to control the inner workings of an organization. Sarbanes-Oxley is well-intentioned, but the cost of compliance has been staggering for many businesses. A recent study by Foley & Lardner found that since 2001, the average cost of SOX compliance for companies with under $1 billion in annual revenue has increased more than $1.7 million to approximately $2.8 million.
It's important that all of a business's stakeholders (employees, partners, and consumers) are promptly notified when confidential information has been breached. This could include personal information, trade secrets, financial data, and more. However, the government will face a monumental challenge if it tries to prescribe: 1) what exactly constitutes confidential information and 2) how to protect that data.
Across different industries and organizations, the definition of sensitive information varies greatly. It may be patient forms at a hospital, patent applications at a research facility, or credit card numbers at a retail store. There are common threads among all industries, such as employee Social Security numbers, but the nuances from one business to the next will make it nearly impossible to craft an overarching definition of sensitive information.
(Read the original article via Privacy: Tech news from CNET.)