US (BLOGGER) NATIONAL CRIME PREVENTION COUNCIL DISCUSSES DATA THEFT Prevention Works: All That Data…

January 03, 2008

All That Data…

First, happy new year to all of you. I hope your year is off to as safe and happy a start as ours is at NCPC.

It may make me seem like a geek, but I have a secret love for this time of year because of all the data that become available. Right about now, all kinds of retrospective information appears about various crimes and prevention efforts, informing us of trends and the effectiveness of our efforts. And relevant to my love of data is a recent article from Wired about data loss in 2007; if you guessed it was banner year for data theft, you’d be right. To me, the problem is a common one: too little prevention too late.

According to the article, somewhere between 49 and 79 million records were lost last year, depending on how you count. That’s a lot of lives interrupted and identities stolen. According to the article, companies lost the data to the sources we have talked about in the past: hackers and lost hardware. In the largest reported case of identity theft last year, TJX’s loss, hackers found a weakness in the retailer’s wireless network and extracted data directly from TJX’s central database. Other cases were more mundane: as explained by Linda Foley of the Identity Theft Resource Center, “A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost …. This is human error, and something that's completely avoidable, as opposed to a hacker breaking into your computer system.” Indeed, Foley claims that “More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be.”

Prevention is critical in data loss, and it will only be more so. Businesses are not going to stop putting information online; having information about customers available over the Internet is simply too valuable. However, unless prevention is a part of the system from the ground up, data loss will only get worse. Security needs to be a part of software projects just as much as features — if you’re designing new business software, have a security plan from the beginning. Employees are going to need to understand secure data handling as well as they understand their core job functions — if you carry equipment carrying anyone’s personal information, find out how to secure the system in case you lose it. Consumers are going to have to be involved, asking questions and challenging the process at every step. And everyone should remember this rule: If someone asks you for identifying information, ask them why they need it and what they are going to do with it.