Data Breaches

The Identity Theft Resource Center recorded 662 breaches on its 2010 ITRC Breach List. With few exceptions, there is no transparency when it comes to reporting breaches.  Other than breaches reported by the media and a few progressive state websites, little or no information is available on many data breach events.  Without a mandatory national reporting requirement, many data breaches will continue to go unreported or under-reported.

Mandatory reporting has had a positive impact on the reported number of medical data breaches.  First published this year, the Department of Health and Human Services (HHS) Breach List has identified 214 breaches to date.  Unfortunately, the HHS database provides insufficient information for the public to know what types of records were placed at risk.  The HHS breach report does not say whether names, x-rays or Social Security Numbers (SSN) were included in the exposed data, so the public has no way of knowing how minor or serious the exposure was for any given incident. The media has helped by reporting more details for some breach events.

In addition, state-mandated reporting of all breaches, required by several state Attorneys General, has increased public reporting, but it only applies if a resident of that state might be affected.  In 2010, New Hampshire listed 96 breaches and Maryland reported 160.  Wisconsin and Vermont have small lists of reported breach events.

Approximately 200 breaches, 29% of the 662 total reported by the ITRC, were credited to information provided by these "mandatory reporting" states.  This is a clear argument for mandatory reporting to achieve transparency for the public.

Highlights of the ITRC Breach List analysis include:

  • Paper breaches account for nearly 20% (1/5th) of known breaches and typically go unnoticed until a consumer reports the problem to local media.  There is generally no mandatory reporting requirement for paper breaches.

  • Malicious attacks still account for more breaches than human error, with hacking at 17.1% and insider theft at 15.4%.

  • 38.5% (255) of listed breaches did not identify the manner in which the information was exposed.  This indicates a clear lack of transparency and full reporting to the public.

  • 51% of publicly reported breaches indicated the number of records exposed, totaling 16.1 million records.  Note: records can mean credit cards, bank accounts or other information.  It is not representative of the number of people involved.

  • However, nearly half of all breaches (49%) did not list number of potentially exposed records. This ingrained inaccuracy in reporting is another argument for mandatory reporting.

  • 412 breaches (62%) reported exposure of Social Security Numbers, representing 76% of known records.

  • 170 breaches (26%) involved credit or debit cards, representing about 29% of known records.

The nation needs a centralized, publicly available, data breach reporting site.  It should be comprehensive enough to allow readers to find out what happened, what information was compromised, and why the breach happened.  This would also allow law enforcement to better address this type of crime.

Breaches happen. 
First, consumers, government and the business community need to stop acting like ostriches with their heads in the sand.  Second, the concept of "risk of harm" is not acceptable for determining notification.  This is true especially if the company involved is allowed to define "risk of harm" for itself.  Only a federal IT forensic specialist should have that authority.  Breached information has been used months after the original exposure.

Are breached entities going to like the future?   ITRC hopes they will embrace the change as productive and valuable.  Mandatory reporting is on the horizon.  It will be demanded either by consumer lobbying or legislation.

For the reports and statistics visit

With news of corporate data breaches hitting an all time high, it's clear that the bad guys are very good at what they do! Criminals continue to find ingenious ways to skim, phish, vish, smish, sniff, steal or hack their way into large and small databases.

Business files contain a treasure trove of personal information for identity thieves: names, addresses, mothers' maiden names, insurance information, Social Security numbers, credit card and bank account information.

Employers are being held liable for data loss that occurs under their watch. Companies must be prepared to defend the procedures they've adopted to protect the personal data stored in their files.

Taking the necessary precautions to protect your data and your employees before a theft occurs will go a long way towards minimizing the likelihood of identity theft and will limit your liability when a data breach does occur.

It's key to educate employees on what they should be on the look out for, what they need to report and what steps they should take to secure data and avoid fraud.

Employees, who have access to sensitive information, should be given the tools they need to guard it. If you arm your employees with the appropriate resources and sufficient guidance and information, they can be your most valuable allies in preventing fraud-related losses.

The truth is, when it comes to identity theft or data breaches, the last thing any business wants to see is their name in the headlines!

The most effective data security plans deal with four key elements:
  • Physical security;
  • Electronic security;
  • Employee training;
  • Security practices of contractors and service providers.

Tips for Physical Security

Many data compromises happen the old-fashioned way--through lost or stolen paper documents. Often, the best defense is a locked door or an alert employee. Store paper documents or files, as well as CDs, floppy disks, zip drives, tapes, and backups containing personally identifiable information in a locked room or in a locked file cabinet. Limit access to employees with a legitimate business need. Control who has a key, and how many keys exist.

  • Inventory all computers, laptops, flash drives, disks, home computers, and other equipment to find out where your company stores sensitive data. Also inventory the information you have by type and location. Your file cabinets and computer systems are a start, but remember: your business receives personal information in a number of ways--through websites, from contractors, from call centers, and the like. What about information saved on laptops, employees' home computers, flash drives, and cell phones? No inventory is complete until you check everywhere sensitive data might be stored.
  • Track personal information through your business by talking with your sales department, information technology staff, human resources office, accounting personnel, and outside service providers.

Tips for Electronic Security

Computer security isn't just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer system, and follow the advice of experts in the field. (email me for referrals)

  • Identify the computers or servers where sensitive personal information is stored.
  • Identify all connections to the computers where you store sensitive information. These may include the Internet, electronic cash registers, computers at your branch offices, computers used by service providers to support your network, and wireless devices like inventory scanners or cell phones.
  • Assess the vulnerability of each connection to commonly known or reasonably foreseeable attacks. Depending on your circumstances, appropriate assessments may range from having a knowledgeable employee run off-the-shelf security software to having an independent professional conduct a full-scale security audit.
  • Don't store sensitive consumer data on any computer with an Internet connection unless it's essential for conducting your business.
  • Encrypt sensitive information that you send to third parties over public networks (like the Internet), and consider encrypting sensitive information that is stored on your computer network or on disks or portable storage devices used by your employees. Consider also encrypting email transmissions within your business if they contain personally identifying information.
  • Regularly run up-to-date anti-virus and anti-spyware programs on individual computers and on servers on your network.
  • Check expert websites (such as and your software vendors' websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches to correct problems.
  • Scan computers on your network to identify and profile the operating system and open network services. If you find services that you don't need, disable them to prevent hacks or other potential security problems. For example, if email service or an Internet connection is not necessary on a certain computer, consider closing the ports to those services on that computer to prevent unauthorized access to that machine.
  • When you receive or transmit credit card information or other sensitive financial data, use TLS (the successor to Secure Sockets Layer, SSL; the older SSL versions have known weaknesses and should be disabled) or another secure connection that protects the information in transit.
  • Pay particular attention to the security of your web applications--the software used to give information to visitors to your website and to retrieve information from them. Web applications are exposed to anyone on the Internet and are a common target. In one variation called an "injection attack" (SQL injection is the most frequent form), an attacker embeds database commands in what looks like an ordinary form field or URL parameter. If the application pastes that input directly into a query, the database executes the attacker's commands, and the attacker can read or copy sensitive records from your network to their own computers. Relatively simple defenses are available: use parameterized (prepared) queries so that user input is always treated as data and never as part of the query text, and validate input on the server side.
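The injection attack and its defense, shown side by side. This is an added example, not code from the original page; the customer table, the sample rows and the attack payload are constructed for illustration, and the two lookup functions are hypothetical names for the vulnerable and the hardened version of the same query.

```python
import sqlite3

# Constructed sample data (not from the original page): a small customer table
# holding the kind of record an identity thief is after.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The injectable version: the caller's input becomes part of the SQL text."""
    sql = "SELECT email, ssn_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The hardened version: the value is bound as a parameter, so it can only
    ever be compared against the column, never change the query's structure."""
    return conn.execute(
        "SELECT email, ssn_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed attack payload: closes the quoted string and appends a condition
# that is true for every row, turning a single-record lookup into a full dump.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, PAYLOAD))    # every customer
    print("parameterized: ", lookup_parameterized(db, PAYLOAD)) # no match
```

Against the payload the vulnerable query returns every customer row, because the query the database actually sees is `WHERE email = 'x' OR '1'='1'`. The parameterized query returns nothing, because the whole payload is compared as a literal e-mail address. Escaping quotes by hand is not an adequate substitute; binding parameters removes the class of bug rather than one symptom.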

Tips for Training Employees:

  • Check references or do background checks before hiring employees who will have access to sensitive data.
  • Ask every new employee to sign an agreement to follow your company's confidentiality and security standards for handling sensitive data. Make sure they understand that abiding by your company's data security plan is an essential part of their duties. Regularly remind employees of your company's policy--and any legal requirement--to keep customer information secure and confidential.
  • Know which employees have access to consumers' sensitive personally identifying information. Pay particular attention to data like Social Security numbers and account numbers. Limit access to personal information to employees with a "need to know."
  • Have a procedure in place for making sure that workers who leave your employ or transfer to another part of the company no longer have access to sensitive information. Terminate their passwords, and collect keys and identification cards as part of the check-out routine.
  • Create a "culture of security" by implementing a regular schedule of employee training. Update employees as you find out about new risks and vulnerabilities. Make sure training includes employees at satellite offices, temporary help, and seasonal workers. If employees don't attend, consider blocking their access to the network.
  • Train employees to recognize security threats. Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities.
  • Tell employees about your company policies regarding keeping information secure and confidential. Post reminders in areas where sensitive information is used or stored, as well as where employees congregate. Make sure your policies cover employees who telecommute or access sensitive data from home or an offsite location.
  • Warn employees about phone phishing. Train them to be suspicious of unknown callers claiming to need account numbers to process an order or asking for customer or employee contact information. Make it office policy to double-check by contacting the company using a phone number you know is genuine.
  • Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop. Consider GPS software for laptops.
  • Impose disciplinary measures for security policy violations.

Password Management

  • Control access to sensitive information by requiring that employees use "strong" passwords. Tech security experts agree that the longer the password, the better, and that simple passwords--like common dictionary words--are guessed easily. Insist on length (a passphrase of several unrelated words is both strong and memorable), reject passwords that appear on lists of commonly used or previously breached passwords, and require that an employee's user name and password be different. Note that current guidance (NIST SP 800-63B) no longer recommends forcing password changes on a fixed schedule, since it pushes people toward predictable variations; require a change when there is reason to believe a password has been exposed.
  • Explain to employees why it's against company policy to share their passwords or post them near their workstations.
  • Use password-activated screen savers to lock employee computers after a period of inactivity.
  • Lock out users who don't enter the correct password within a designated number of log-on attempts. Make the lockout temporary or use increasing delays between attempts, so that an attacker who deliberately enters wrong passwords cannot lock legitimate employees out of their accounts indefinitely, and log every lockout so it can be investigated.
  • Warn employees about possible calls from identity thieves attempting to deceive them into giving out their passwords by impersonating members of your IT staff. Let employees know that calls like this are always fraudulent, and that no one should be asking them to reveal their passwords.
  • When installing new software, immediately change vendor-supplied default passwords to a more secure strong password.
  • Caution employees against transmitting sensitive personally identifying data--Social Security numbers, passwords, account information--via email. Unencrypted email is not a secure way to transmit any information.
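A minimal implementation of the password rules above: a policy check, salted password hashing so stored passwords cannot be read back, and a temporary lockout after repeated failures. This is an added example, not code from the original page. The `COMMON_PASSWORDS` set stands in for a real breached-password list, and the thresholds (12 characters, 5 attempts, 15-minute lockout) are assumptions chosen for illustration, not values the page specifies.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a list of known-breached passwords (assumption).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12          # assumed policy values, not from the page
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


def check_policy(username, password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    if username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a stolen table of these cannot be reversed to passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class Authenticator:
    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> (failed_count, locked_until_epoch)

    def add_user(self, username, password):
        problems = check_policy(username, password)
        if problems:
            raise ValueError("; ".join(problems))
        self.users[username] = hash_password(password)

    def login(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'. 'now' is injectable for testing."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        record = self.users.get(username)
        if record is None:
            # Hash anyway so unknown user names take as long as real ones.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            # Temporary lockout: the attacker is slowed, the real user is not locked out for good.
            self.failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self.failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_user("alice", "C0rrect-Horse-Battery")
    print(check_policy("alice", "alice2010"))           # length and user-name violations
    print([auth.login("alice", "wrong", now=1000.0) for _ in range(5)])  # denied x4, then locked
```

The same `hash_password` routine is also what makes the vendor-default-password rule enforceable: a default that ships in documentation fails the common-password check before it is ever stored.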

Tips for Laptop Security

  • Restrict the use of laptops to those employees who need them to perform their jobs.
  • Assess whether sensitive information really needs to be stored on a laptop. If not, delete it with a "wiping" program that overwrites data on the laptop. Deleting files using standard keyboard commands isn't sufficient because data may remain on the laptop's hard drive. Wiping programs are available at most office supply stores.
  • Require employees to store laptops in a secure place. Even when laptops are in use, consider using cords and locks to secure laptops to employees' desks.
  • Consider allowing laptop users only to access sensitive information, but not to store the information on their laptops. Under this approach, the information is stored on a secure central computer and the laptops function as terminals that display information from the central computer, but do not store it. The information could be further protected by requiring the use of a token, "smart card," thumb print, or other biometric--as well as a password--to access the central computer.
  • If a laptop contains sensitive data, encrypt it and configure it so users can't download any software or change the security settings without approval from your IT specialists. Consider adding an "auto-destroy" function so that data on a computer that is reported stolen will be destroyed when the thief uses it to try to get on the Internet.
  • Train employees to be mindful of security when they're on the road. They should never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to by airport security. If someone must leave a laptop in a car, it should be locked in the trunk. Everyone who goes through airport security should keep an eye on their laptop as it goes along the belt.

Tips for Firewalls

  • Use a firewall to protect your computer from hacker attacks while it is connected to the Internet. A firewall is software or hardware designed to block hackers from accessing your computer. A properly configured firewall makes it tougher for hackers to locate your computer and get into your programs and files.
  • Determine whether you should install a "border" firewall where your network connects to the Internet. A border firewall separates your network from the Internet and may prevent an attacker from gaining access to a computer on the network where you store sensitive information. Set "access controls"--settings that determine who gets through the firewall and what they will be allowed to see--to allow only trusted employees with a legitimate business need to access the network. Since the protection a firewall provides is only as effective as its access controls, review them periodically.
  • If some computers on your network store sensitive information while others do not, consider using additional firewalls to protect the computers with sensitive information.

Tips for Document Disposal

  • Implement information disposal practices that are reasonable and appropriate to prevent unauthorized access to--or use of--personally identifying information. Reasonable measures for your operation are based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
  • Effectively dispose of paper records by shredding, burning, or pulverizing them before discarding. Make shredders available throughout the workplace, including next to the photocopier.
  • When disposing of old computers and portable storage devices, use wipe utility programs. They're inexpensive and overwrite the entire hard drive so that the files are no longer recoverable. Deleting files using keyboard or mouse commands usually isn't sufficient because the files continue to exist on the drive and can be retrieved easily. Overwriting is reliable for magnetic hard drives; solid-state drives and flash media remap blocks internally, so an overwrite tool cannot reach every cell. For those, use the drive's built-in secure-erase command, rely on full-disk encryption and destroy the key, or physically destroy the device.
  • Make sure employees who work from home follow the same procedures for disposing of sensitive documents and old computers and portable storage devices.
  • If you use consumer credit reports for a business purpose, you may be subject to the FTC's Disposal Rule. For more information, see Disposing of Consumer Report Information? New Rule Tells How at (click on Credit Reporting, Business Guidance).

Tips for Wireless and Remote Access

  • Determine if you use wireless devices like inventory scanners or cell phones to connect to your computer network or to transmit sensitive information. If you do, consider limiting who can use a wireless connection to access your computer network. You can make it harder for an intruder to access the network by limiting the wireless devices that can connect to your network.
  • Require encryption and authentication on wireless links (WPA2 or WPA3 with a strong key; the older WEP protocol is broken and should not be used). Encryption keeps an intruder from reading the content of the traffic. It is the authentication step that stops "spoofing"--an intruder impersonating one of your devices to join the network--so a network that encrypts but accepts any device is still open.
  • Consider using encryption if you allow remote access to your computer network by employees or by service providers, such as companies that troubleshoot and update software you use to process credit card purchases.

Tips for Vendors, Contractors and Service Providers

  • Before you outsource any of your business functions--payroll, web hosting, customer call center operations, data processing, or the like--investigate the company's data security practices and compare their standards to yours.
  • If possible, visit their facilities.
  • Address security issues for the type of data your service providers handle in your contract with them.
  • Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.

Detecting Breaches (See Also Red Flags Rule)

  • To detect network breaches when they occur, consider using an intrusion detection system. To be effective, it must be updated frequently to address new types of hacking.
  • Maintain central log files of security-related information to monitor activity on your network so that you can spot and respond to attacks. If there is an attack on your network, the log will provide information that can identify the computers that have been compromised.
  • Monitor incoming traffic for signs that someone is trying to hack in. Keep an eye out for activity from new users, multiple log-in attempts from unknown users or computers, and higher-than-average traffic at unusual times of the day.
  • Monitor outgoing traffic for signs of a data breach. Watch for unexpectedly large amounts of data being transmitted from your system to an unknown user. If large amounts of information are being transmitted from your network, investigate to make sure the transmission is authorized.
  • If a computer is compromised, isolate it from the network immediately (unplug the network cable or disable the wireless adapter) rather than powering it off, so that evidence in memory survives, and do not wipe or rebuild it until the evidence you need has been collected.
  • Investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information.
  • Consider whom to notify in the event of an incident, both inside and outside your organization. You may need to notify consumers, law enforcement, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, many states and the federal bank regulatory agencies have laws or guidelines addressing data breaches. Consult your attorney.
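The two monitoring rules above (repeated failed log-ins from unknown sources; unusually large outbound transfers, especially at odd hours) as detection logic over sample log lines. This is an added example, not code from the original page. The log lines, the log format, the "trusted" address range and the thresholds are all constructed for illustration; a real deployment would read the formats its own systems produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page).
AUTH_LOG = """\
2010-11-03 02:14:01 auth failed user=admin src=203.0.113.7
2010-11-03 02:14:03 auth failed user=admin src=203.0.113.7
2010-11-03 02:14:04 auth failed user=root src=203.0.113.7
2010-11-03 02:14:06 auth failed user=guest src=203.0.113.7
2010-11-03 02:14:07 auth failed user=admin src=203.0.113.7
2010-11-03 02:14:08 auth failed user=admin src=203.0.113.7
2010-11-03 09:01:12 auth failed user=jsmith src=10.0.0.25
2010-11-03 09:01:20 auth ok user=jsmith src=10.0.0.25
""".splitlines()

EGRESS_LOG = """\
2010-11-03 10:05:00 egress src=10.0.0.40 dst=198.51.100.9 bytes=2048000
2010-11-03 10:20:00 egress src=10.0.0.40 dst=198.51.100.9 bytes=1500000
2010-11-03 03:10:00 egress src=10.0.0.12 dst=192.0.2.77 bytes=850000000
""".splitlines()

# Assumed tuning values, not from the page.
TRUSTED_NETS = ("10.",)                 # internal range whose log-in failures are ordinary
FAIL_THRESHOLD = 5                      # failures ...
FAIL_WINDOW = timedelta(minutes=5)      # ... within this window from one source
EGRESS_BYTES_THRESHOLD = 500_000_000    # outbound volume that is always worth a look
BUSINESS_HOURS = (8, 18)                # off-hours transfers get a 10x lower threshold

AUTH_RE = re.compile(r"^(\S+ \S+) auth (failed|ok) user=(\S+) src=(\S+)$")
EGRESS_RE = re.compile(r"^(\S+ \S+) egress src=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_trusted(ip):
    return ip.startswith(TRUSTED_NETS)


def brute_force_sources(lines):
    """Sources outside the trusted range with FAIL_THRESHOLD failures inside FAIL_WINDOW."""
    failures = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, result, _user, src = m.groups()
        if result == "failed" and not is_trusted(src):
            failures[src].append(parse_ts(ts))
    alerts = []
    for src, times in failures.items():
        times.sort()
        # Sliding window: compare each failure with the (THRESHOLD-1)th one after it.
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                alerts.append(src)
                break
    return alerts


def large_egress(lines):
    """Outbound transfers over the threshold, or over a tenth of it outside business hours."""
    alerts = []
    for line in lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        nbytes = int(nbytes)
        hour = parse_ts(ts).hour
        off_hours = not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])
        limit = EGRESS_BYTES_THRESHOLD // 10 if off_hours else EGRESS_BYTES_THRESHOLD
        if nbytes >= limit:
            alerts.append((src, dst, nbytes, off_hours))
    return alerts


if __name__ == "__main__":
    print("brute force from:", brute_force_sources(AUTH_LOG))
    print("large egress:", large_egress(EGRESS_LOG))
```

On the sample data the first rule flags 203.0.113.7 (six failures in seven seconds against three different accounts) and ignores the single typo from an internal address, while the second flags the 850 MB transfer from 10.0.0.12 at 03:10 and leaves the daytime multi-megabyte transfers alone. Both rules depend on the central log files the previous item asks for: the failures and the transfers come from different systems, and the correlation is only possible once they are in one place.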

Effective business data security starts with assessing what information you have and identifying who has access to it. Understanding how personal information moves into, through, and out of your business and who has--or could have--access to it is essential to assessing security vulnerabilities. You can determine the best ways to secure the information only after you've traced how it flows.

Know what personal information you have in your files and on your computers and just who has access to that information. If you don't have a legitimate business need for sensitive personally identifying information, don't keep it. In fact, don't even collect it. If you have a legitimate business need for the information, keep it only as long as it's necessary.
