Visit www.barracudasecurity.com

Legend

Location Of Theft in AQUA BLUE
URL Of Linked Article In STEEL BLUE or GREEN
Full Content Of Article In BLACK
Theft Description In Body Of Article in RED

Thursday, October 20, 2005

CALIFORNIA COMPANIES NOT ADEQUATELY RESPONDING TO DATA SECURITY NEEDS

Top Tech News - Tech Trends - Responding to Data-Security Needs

October 20, 2005 9:17AM

Despite the increased awareness, the recent frequency of security breaches seems to indicate that many companies have not adequately responded to the issue of data security within their organizations. New regulations and statutes are sure to get some attention, but the pressure to mitigate data security risks certainly increases as more fines are handed down and lawsuits are adjudicated.

When hackers broke into the network of CardSystems Solutions, a credit card payment processor, last June, it was not just another example of failed data security. By gaining access to more than 40 million MasterCard, Visa, American Express and Discover credit card accounts, these criminals were responsible for what may be the largest data security breach to date. And for CardSystems, the fallout has been severe.

In the wake of the incident, California consumers and retailers filed a class-action lawsuit against the processor, as well as MasterCard and Visa, for violating state law by failing to properly secure their network and by failing to quickly notify consumers of the breach after it occurred.

Two of CardSystems' largest clients, Visa and American Express, then dropped the processor entirely. So as a result of their failure to adequately protect customer data, CardSystems has said that it now faces "imminent extinction."

Unfortunately, these occurrences have become all too common. Since a February security breach exposed 145,000 records at ChoicePoint, a data collection company, there have been nearly 70 other such breaches reported.

And these incidents have not solely been the work of expert hackers gaining access through highly sophisticated means. Computers and laptops with access to sensitive information have been stolen. Devious insiders have compromised records for their own financial gain. And more than one bank has lost backup tapes containing customer information. While none of these breaches have approached the scope of the CardSystems break-in, this has still meant that another 10 million people have been put at risk for fraud and identity theft.

More Data, More Awareness

So why the sudden rash of data security breaches? Has information become such a commodity that people are going to greater lengths than ever before to acquire it? Are companies becoming more careless with their data? Or has the problem always existed and simply never made headlines before?

The best answer may in fact be "all of the above." But there is even more to it than that. Today's society deals with an unprecedented amount of information. "There has been more electronic information, and therefore more digital assets, aggregated during the last two years than in the entire history of mankind before that," says Kevin Kalinich, co-national managing director of Aon's technology and professional risks group. Given the sheer amount of information exchanged, it has become increasingly difficult to not only protect it but even to identify what needs protecting.

But despite an organization's best efforts at protection, there have been and will continue to be breaches, even as I.T. security improves. The difference now is that companies are required to report on more of their financial information than ever before. Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA regulations, each in different ways, mandate that companies and executives be accountable for the integrity of their customers' data as well as the company's bottom line.

On top of this, state laws that began in California and have now spread to nearly 20 other states require companies to notify customers when their personal information has been compromised. As a result, there is now a higher awareness about data security and data security breaches.

"Essentially what regulations do is create precedent," says David Nolan, senior vice president at Forsythe Technology, an Illinois-based I.T. services provider. "They say that if something happens, you will be dealt with in this fashion and so the consequences are clearly understood. At a minimum, you are going to be tied up in knots in the legal system and at a maximum, you may go behind bars. Those are the kinds of things that if you roll back the clock five years, people just didn't think that they would have that kind of exposure."

Trouble for the Bottom Line

Despite the increased awareness, the recent frequency of breaches seems to indicate that many companies have not adequately responded to the issue of data security within their organizations. New regulations and statutes are sure to get some attention, but the pressure to mitigate data security risks certainly increases as more fines are handed down and lawsuits are adjudicated.

Although few cases have made it to this stage yet, those that have should serve as some indication as to where judgments concerning data security and use are headed.

For example, in June, the Kaiser Foundation Health Plan, a division of health insurer Kaiser Permanente, was fined $200,000 by the California Department of Managed Health Care for disclosing patient health information. BJ's Wholesale Club and Eli Lilly and Company both settled with the Federal Trade Commission (FTC) for undisclosed amounts over their failure to adequately protect customer information.

E-mail retention policies have also led to hefty losses, underscoring the fact that data in all of its forms needs to be treated seriously. The recent $1.45 billion judgment against Morgan Stanley hinged on the company's inability to produce certain e-mail documents as did a $29.2 million penalty levied against Swiss bank UBS in a recent discrimination case.

It is becoming increasingly obvious then that inadequate data policies and data security measures can have very costly consequences. Courts and government agencies are not likely to find any room for leniency in these cases. Identity theft is a growing consumer concern affecting an estimated 10 million people each year, according to the FTC (an agency especially unlikely to have any sympathy for lax data security after its chairman, Deborah Platt Majoras, had her credit card information stolen in a recent breach at shoe retailer DSW), and regulators are facing greater pressure to address the problem.

With federal bills regarding stricter identity theft penalties and security breach notification laws currently pending, companies cannot afford to sit back and do nothing merely because current legislation does not apply to their specific industry or area of business. It is only a matter of time before the laws will catch up to them.

"These areas are simply a starting point," says Nolan. "The breaches keep happening because everyone is trying to respond to regulators as opposed to running their business with a level of accountability and integrity that is driven by having a decided culture and purpose around information."

Creating a New Data Standard

Experts believe that a systemic change of attitude within business with regard to data security is in order. And considering the financial stakes involved, these issues cannot be the sole responsibility of the I.T. department -- the risk involves too many areas of the business.

The entire company should develop a standard of care when it comes to handling information, says Nolan. This standard should consider all areas of the business that could affect information security. Not only does this include managing the security of the content, hardware, applications and networks, but monitoring and educating the users as well.

Firewalls and other technical solutions are necessary, of course, but most experts agree that the most important (and least expensive) tool for managing information technology risk is social engineering. That means instilling behaviors within employees and network users that reduce the risk of data compromise. Information security awareness training is essential for every employee from the entry-level worker up to the CEO.

"Companies can install all of these fancy firewall devices but that is not going to stop the really good hackers -- the real pros -- because they never break into a network," says Vance Bowen, president of the Computer Service Center in Oklahoma City. "Instead, they socially engineer or compromise someone and find out a user name and password and come into the system as an authenticated user. That is what the social engineering component of information security will stop."

According to Bowen, an important component of awareness training involves understanding the methods of attack. This includes the now obvious tip to instruct employees not to download unknown attachments that could contain viruses, worms, spyware or keystroke loggers that could give unauthorized individuals access to the company's network. This applies to the user of any computer that has access to the organizational network, including the home computer of a telecommuting employee.

Another less obvious, but equally effective, scheme involves hackers posing as I.T. personnel and simply asking for an employee's user name and password -- a ploy that is surprisingly effective.

A more devious scenario can occur if a hacker discovers that an employee has problems outside of work, such as drug use. Hackers have been known to blackmail that person by threatening to reveal the information to management unless they are given a user name and password. The employee can then use a technique called "shoulder surfing" to obtain the information: they watch over the shoulder of someone entering his or her credentials into the computer and pass them along to the hacker.

"If one employee accidentally or on purpose gives out a user name and password to a hacker, they are in," says Bowen. "And once they get in, there are readily available tools that allow them to get from the lowliest permission level all the way up to administrator with no problem at all. All you need is one user name and password and you can elevate your permissions."

Considering Network Insurance

Although information technology security measures, proper data storage and social engineering are the best solutions to preventing a costly data breach, it is impossible to eliminate the risk entirely. No matter how exhaustive the security plan is, a hacker will always be able to devise a strategy to evade it and enter a company's network.

Up until a few years ago, phishing attacks (phony e-mails designed to entice users to give up personal information) were unheard of. Now they are relatively common and pharming (creating phony Web sites designed to extract personal information) has become one of the latest strategies employed by identity thieves.

For many businesses, it may also be prudent to invest in network insurance. Understandably, some I.T. security consultants scoff at this insurance, citing the greater effectiveness and lower cost of prevention efforts. Of course, the idea that it is better to prevent a devastating loss from occurring in the first place, rather than try to recover from it after the fact, applies here as well. But it is precisely the unexpected nature of data breaches that creates the need to insure against the loss.

"Regardless of how much money you put into I.T. security or how much you put into social engineering and training, there's still going to be an exposure, there's still going to be a gap where there is a chance of data security breaches," says Kalinich. "Insurance is not the front line. It is not the most important aspect of I.T. security. It is the gap-filler on the end. But the reason that insurance is so important is that it can affect your financial statement. The financial impact of a $25 million hit on most companies is going to be significant. So for them to pay a couple hundred thousand dollars to have that kind of insurance makes sense. Why put all of your money into general liability and nothing into network risk, particularly when the losses can be so high? If you want to stabilize your financial statement, this is the gap-filler that can let you sleep at night."

The problem, Kalinich says, is that the actuarial data on data security breaches is practically nonexistent when compared to other property and casualty areas. "We have 80 years of actuarial data for fire insurance but we don't even have 20 years of actuarial data for network risk insurance," he says. "However, it's still a valid threat."

The other problem is that by the time enough actuarial data could be compiled to satisfy the doubters, much of that data would be as obsolete as the technology that it reported on. So for the companies that do not see the need for this type of insurance it is almost impossible to use traditional actuarial means to convince them of its usefulness. But Kalinich counters with a logical argument. "What are the chances of your building burning down?" he says. "Relatively slim? But you have fire insurance."

Many companies are catching on, however. When Aon started its technology and professional risks group four years ago, 4 percent of Fortune 1000 companies bought network insurance. That number has doubled each year and now is up to 18 percent. And for Internet companies such as Amazon, Yahoo or AOL it is over 95 percent, while e-retailers like Best Buy or Target are at 48 percent.

A Need for Greater Responsibility

Regardless of the solutions employed to reduce the risk of data security breaches, a balance of prevention strategies and mitigation efforts is likely the best possible protection. In fact, given how dependent modern business is on electronic data transmissions, developing a data protection strategy may no longer be optional.

As the courts and regulators place more emphasis on data security, businesses risk millions of dollars, and in severe cases like that of CardSystems, for instance, possibly the fate of their entire enterprise, by not addressing the issue. "We have to get smart and realize that when we create information, we create liability and when we create liability, we create responsibility," says Nolan. Consider it just another cost of doing business in the 21st century.

© 2005 Risk Management.
© 2005 Top Tech News.