December 8, 2005 4:00 AM PST
Newsmaker: When privacy glitches are good for business
When someone sends me phishing mail saying, your E*Trade account needs validation, they'll direct me to a fake site. If I type in my SecurID number, couldn't that bot log in to the real E*Trade site simultaneously using that number?
Coviello: Possibly, if they're able to do it in that sophisticated a way. It doesn't necessarily solve (the problem of) identifying a particular Web site.
It seems some privacy activists have wanted a general-purpose regulate-all-data-practices law for decades and they're using recent data breaches to justify it. Do you think that's happening?
Coviello: This is clearly a case of the horse being out of the barn and it being pretty hard to get it back in. You didn't hear consumers complain when they were getting easy access to credit and got multiple credit cards and could do lots of things.
I get a kick out of these privacy groups saying there was malice aforethought with these companies. There wasn't. Does that mean we shouldn't go back and fix issues of confidentiality and protection of information? Of course we should. But we're not going to eliminate internal combustion machines because they create air pollution. I see the same thing here.
Let's say the U.S. Congress is going to pass a law when they return next year. What should it say?
Coviello: We think they should...pre-empt the states, which we think makes sense so companies don't have to wade through 32 different state laws. There's clearly a role regarding breach notification. We think there should be more specificity around the timing for breach notification, and some kind of safe harbor if you used encryption technology that protects you. There are a few bills that do that.
Should a federal law zap state laws by pre-empting them, or is it better to have no federal law and a variety of approaches by the states?
Coviello: What happened in the California bill (mandating disclosure of security breaches) was that California ended up legislating for the world. There are very few businesses that don't do business in California.
It's very difficult to expect companies to sort through a myriad of state bills and see which ones they haven't complied with. What, you don't do business in a smaller state because you can't bother to figure out what the rules would be? It's such a broad issue that it should be federally done.
What percentage of RSA's revenue comes from SecurID?
Coviello: From our authentication business, which is broader than SecurID, it's about 70 percent. The encryption business is about 10 percent.
Have you noticed an uptick in SecurID revenue--since the ChoicePoint and other breaches--that you can attribute to increased attention to this topic?
Coviello: I think what we've seen is a build in sales pipeline. It hasn't translated yet into as much revenue as we'd like to see. It's not just ChoicePoint and the other breaches. It's about ID theft globally.
We're building a deferred and subscription order base that will generate revenue in subsequent years. We made that clear on our last quarterly conference call. And stay tuned (for more).
For your February RSA security conference, you've lined up Bill Gates of Microsoft, Scott McNealy of Sun Microsystems, and John Chambers of Cisco. Any other highlights you'd like to mention?
Coviello: I'll be there. (Laughs.) Gary Bloom from Symantec Veritas will be there. The fact that last year we had Chambers join the group and this year we have McNealy join the group shows how much security has gone mainstream. Maybe the following year we'll have (Oracle CEO) Larry Ellison.
Let's say 2005 was the year of ID fraud and security breaches. What will 2006 be?
Coviello: I think you'll see an acceleration in sophisticated attacks. But you'll also see the Return of the Jedi: companies adopting stronger authentication and better and better antispyware and antimalware (techniques). It may get a little worse before it gets better, but we're about to make a comeback.