Citigroup breach highlights need for remediation policies
No one should be surprised that the Connecticut Attorney General is taking an interest in the Citigroup breach. Nor should we be surprised that the FDIC is thinking about setting some federal guidelines. We've suggested before that it is better for the industry to set its own standard, perhaps using the PCI-DSS experience as a model. That might hold off regulatory action and lead to better security.
The Connecticut AG's indignation is pretty apparent in his letter to the bank, and it just might prove contagious if banks don't do a better job of protecting customer PII. "As one of the largest lending institutions in the country, Citigroup must assiduously protect the personal information it collects from its customers and employ the highest levels of data security. I expect Citigroup to fully compensate and protect any Connecticut consumers harmed as a result of this breach."
He also noted: "Unfortunately, critical facts about the intrusion remain unclear, including details concerning the number and characteristics of impacted accounts, the cause of the breach, the steps taken to notify and protect the affected individuals, and the nature of any procedures adopted to prevent future data breaches."
The query is in some ways a pointed rebuke of the bank's response to the crisis. Some think it didn't act quickly enough to notify customers. Recall that it waited three weeks, during which it conducted internal analysis. The company only publicly acknowledged the massive breach after it was questioned by the Financial Times.
All this raises some thorny issues and highlights the need for companies to have policies in place that govern the response to breaches, which we hope (likely in vain) will not occur. Companies need step-by-step processes that govern their response and remediation. This obviously would cover a broad range of activities: IT actions, customer response, executive response, board-level communication and so on.
The last thing you want is to make this up on the fly. Really forward-looking companies would be wise to practice the response, kind of like a fire drill, but one that people take seriously. It's a form of disaster preparedness, in a way. As always, we pray that you'll never have to use it live. But these days, such prayers are going unanswered. -Jim