Data Breaches: Stop the Insanity!

10 05 2010

In a recent article by the Identity Theft Resource Center (ITRC), entitled, “Data Breaches: The Insanity Continues,” the ITRC discusses the highlights of 2009 data breaches:

  • Paper breaches account for nearly 26 percent of known breaches (an increase of 46 percent over 2008)
  • Business sector climbed from 21 percent to 41 percent between 2006 and 2009, the worst sector performance by far
  • Malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

What will the stats be for 2010? Take Preventative Measures.

The article goes on, stating, “Insanity might well be defined as repeating the same action again and again, and expecting a different outcome.” So, the ITRC compiled a list related to how businesses are addressing data breaches and security:

  • Insanity 1 – Electronic Breaches: After all the articles about hacking and the ever-growing cost of a breach, why isn’t encryption being used to protect personal identifying information? Proprietary information almost always seems to be well protected. Why not our customer/consumer personal identifying information (PII)?
  • Insanity 2 – Paper breaches: Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII? Do we dare ask that those laws be actually enforceable? Perhaps we are waiting for paper breaches to reach 35% of the total.
  • Insanity 3 – Breaches happen: Deal with it! You will get notification letters. Breach notification does not equal identity theft. Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website. This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.
  • Insanity 4 – A Breach is a Breach: Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.” If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?” Some companies might say “no.”
  • Insanity 5 – Data on the Move: You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years. But, really! This is 100% avoidable, either through use of encryption, or other safety measures. Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.” With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.

So how are you protecting your data internally and externally?

How are you sending and receiving confidential information?

12 12 2009

Fax, couriers and FTP appear to be common ways to send sensitive information. This 2009 benchmark study shows that you have plenty of opportunities to improve service levels, reduce costs and improve your company’s impact on the environment. Time to stop faxing and delaying business due to the long cycle times of expedited mail or courier services. For the cost of one overnight package you can improve your business agility and security with just a few clicks.