Information Security Awareness, Training and Motivation — Native Intelligence, Inc.


Data Breaches: The Truth About Consequences

True or False: The list below is from a 2006 SANS report of the top ten security mistakes that executives make.
  1. Failing to adequately assess the vulnerability of the company network
  2. Allowing network administrator IDs and passwords to be stored in clear, readable text
  3. Not using controls to detect unauthorized access to personal information
This list is not from a SANS report. These are charges that the Federal Trade Commission (FTC) brought against Guidance Software. The breach caused exposure of thousands of customers' financial data.
 
A data breach is the loss or disclosure of data that includes personal information. In 2006, breaches cost companies $4.7 million, or $182 per record, according to the Ponemon Institute.
Who Can Take Action Against Companies that Have Had Breaches?
Federal regulators impose fines and penalties, including jail time. Consumers flood the courts with class action lawsuits over breaches. Business partners may sue to recover the costs of responding to a breach. Investors may sue over stock losses.
 
Under the Privacy Act, individuals can sue the US Government for not protecting their personal data. Several federal data protection laws are pending in Congress. Currently, there is no national law similar to the Privacy Act, to hold commercial firms responsible for failing to protect personal data. That's why, as of January 2007, 35 states and the District of Columbia have passed their own data breach notification laws.
 
Federal regulators include the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and the Department of Health and Human Services (DHHS). The laws below protect personal financial and medical data (but not other types of personal data).
 
US Law                                                          Regulator
Gramm-Leach-Bliley Act (GLBA)                                   SEC, FTC
Sarbanes-Oxley Act (SOA)                                        SEC, FTC
Fair and Accurate Credit Transactions Act (FACTA),              FTC
  an extension of the Fair Credit Reporting Act (FCRA)
Federal Trade Commission Act (FTCA)                             FTC
Health Insurance Portability and Accountability Act (HIPAA)     DHHS
 
The DHHS regulates firms that handle medical data. The SEC regulates large investment firms. The FTC regulates other financial companies, such as firms that transfer money, prepare tax returns, and provide real estate settlement services. The FTC also regulates firms that use deceptive business practices, such as promising to protect customers' sensitive data and then not doing so, giving the FTC broad authority over any company conducting business in the United States.
 
For example, in 2003, Guess? Jeans settled FTC charges for deceptive acts. The company's Web site said that customer data was stored in an encrypted format. Yet, a hacker accessed roughly 200,000 credit card numbers in a clearly readable format. The FTC found the company's statements about encryption false and misleading.
What Can Happen to a Company that Has Had a Breach?
The nature and severity of the breach determine the consequences.
 
A security failure at discount shoe retailer DSW allowed hackers to access the credit card, debit card, and checking account information of more than 1.4 million customers. The FTC required DSW to implement a security program and undergo security audits every other year for 20 years.
 
In February 2005, data broker ChoicePoint revealed a breach of more than 163,000 consumer records. At least 800 cases of identity theft followed. The FTC charged ChoicePoint with making deceptive statements about its privacy policies. The July 2006 settlement included $10 million in civil penalties and $5 million in consumer redress. ChoicePoint must also undergo third party audits every two years until 2026.
 
In February 2006, the FTC and credit card processor CardSystems settled charges for a breach involving 40 million accounts. CardSystems may be liable for millions of dollars under bank procedures and as a result of private lawsuits.
 
In late 2006, retailer TJX Companies found a data breach that started in 2003. This may be the largest case of stolen consumer data to date. TJX faces lawsuits from consumers, financial institutions, and state attorneys general.
Definitely Not Cheaper by the Dozen
Consequences of data breaches include:
  1. Direct costs for notifications, customer service support, credit monitoring, customer incentives, restitution, card replacement, etc.
  2. Damage to the firm's reputation and brand
  3. Loss of up to 20% of affected customers
  4. Opportunity cost of lost business from current and future customers
  5. Loss of stock value (9 to 15%, as reported in "Information Security, Data Breaches, and Protecting Cardholder Information," September 14, 2006)
  6. Prohibition on misleading statements
  7. A required security program
  8. Audits for as many as 20 years
  9. Fines
  10. Lawsuits
  11. Loss of jobs
  12. Jail time
To Reduce the Damage from Breaches
Assume that a breach is a matter of when, not if, and prepare for it. Encrypt stored data and data on the move. Don't promise a level of personal data security that you can't deliver. Perform background checks on employees. Have employees and business partners sign non-disclosure agreements that prohibit them from misusing data. Remind staff and partners of their legal duty to protect customer data, and that theft of this data is a crime.
 
The bottom line is that the most important action you can take is to make employees and business partners aware of what data needs protection and how to protect it.

Article by K Rudolph, CISSP © 2007 Native Intelligence, Inc.  All rights reserved.
May 2007