Thursday, January 7, 2010

An Armed Society

Ever hear of the phrase "An armed society is a polite society"? It does take things a bit far, but the principle is right on the money. I've said time and again that if you can successfully remove the value from the data, then you can actually reverse the trend in data theft and misuse. It shouldn't be the sole responsibility of the "data keepers" to protect it from lurking thieves. Just as in terrorism or any crime of attack, the good guys have to be right 100% of the time, while the attacker only has to be right once. Not exactly great odds.

When you look at the practical percentages of theft surrounding your personal data, you can see that the odds of your stuff being stolen and used are lower than is widely perceived. Currently there are roughly 10 million domestic identity theft victims each year, according to FTC and Ponemon Institute estimates. A little over 60% of those cases are the result of data theft from a public or private entity. But that doesn't make any single case less devastating. The problem is that if you trust the data keeper to report the loss to you, to fix the weak link that allowed the breach, or frankly to do anything for you after the fact, you are dreaming. No breached entity will tell you that the breach will likely result in identity theft. They will run damage control instead, meaning that they will downplay that aspect to protect their public image. The problem with that is that time is now on the side of the thieves to sell or use your personal information. A breached entity can take months, or in some cases years, to notify you of the loss, and sometimes it never notifies you at all if the breach doesn't rise to the threshold set by the states' reporting laws.

In light of that reality, why can't we all empower ourselves to be our own first line of defense when it comes to our personal data? With the power to act in our own hands, we are able to react to incidents of breach and identity theft much faster and with greater precision than is possible from the university, government agency, employer, hospital, etc., that lost it in the first place. A professional agency dedicated to notifying us when our information is misused, and reporting that misuse within hours, is our best line of personal defense. An agency that can not only report these incidents to you in a timely way but also act as your proxy to correct the errors and false record entries on your behalf when misuse does occur is the most direct way to protect ourselves.

Tangentially, by having such a representative we are lowering the value of the data to the thieves. Illicit data brokers and identity thieves rely on time being on their side to profit from the misuse of your information. They need days or weeks to actually use the data to make purchases, obtain insurance, file false claims, get employment, etc. Draining bank accounts or running up credit purchases, while pretty awful, is largely handled by the banks and credit card companies themselves. A bank generally will help the victim, but only with timely reporting. That means within hours, or a day or so at the longest. Beyond a few days a bank's responsibility is much reduced, and if you are not aware of the misuse you cannot report it to the bank. An agency that can notify the client within hours of an identity theft episode can shut down the misuse and render that identity information nearly useless almost immediately. The client is isolated from the incident and identified as a victim of identity theft, and the agency can then begin the restoration of the records or credit files affected. It will also look for other misuse within other databases in the event the incident is more widespread than the original one. This can all take place within hours of the incident. Not a bad timely response to the attack, in my opinion.

Wednesday, January 6, 2010

Welcome to the Other Side of New Year's Day

Now that we have successfully transitioned into 2010 with our skin intact I want to once again return to the subject of our PII, those who wish to have their way with it, and the hapless aggregators and keepers with file cabinets and servers chock full of it. To that end I have included links to a couple of things to ponder in these first few days of the year.

Navy's InfoSec Chief Suffers Sixth Breach
The Navy's Chief Information Officer Robert Carey recently received notification of a compromise of his personally identifiable information (PII), reports For Carey, it was the sixth such notification, and came from the Army, where he hasn't worked in 24 years. Carey used the event to describe his philosophy on data protection and enumerate a seven-point summary of his department's efforts to reduce the risk of a breach within the Department of the Navy. "In today's Information Age, PII must be treated with extreme care because unauthorized access to someone's digital identity can and does cause grave consequences," Carey wrote.

Three Breaches Compromise 30,000 at Penn State
The Pittsburgh Post-Gazette reports that Penn State has begun the process of notifying nearly 30,000 individuals that their personally identifiable information (PII), including Social Security numbers, may have been compromised as a result of three separate malware infections discovered in late December. The school said it has no evidence that the individual or organization behind the malware gained access to the PII, but has decided to notify as a precautionary measure. "We do not have any indication that it was accessed by unauthorized parties. We prefer to err on the side of caution," said spokesperson Annemarie Mountz. The event was the second known breach at Penn State in 2009.

Does it occur to anyone that for as long as we have been entrusting our personal information to others, they have been losing it, a lot? One of life's principles is that "continuing to do the same things while hoping for different results" is a hopeless waste of time. If they continue to lose our personal information, why then do we continue giving it to them without any sort of check and balance? Certainly none of the laws passed have had any nullifying effect, nor have any of the so-called procedures and software "solutions". This is not a problem that we have to accept as a given that requires a highly technical or overly complex set of controls. This is a very basic condition that we, as the actual owners of the prize, could quite well nip in the bud if we took it into our own hands. Think about it. Do we all put our prized silver in a big building, or a bunch of buildings, and then hire people to guard it, or do we keep our own at home and watch it ourselves?

The examples above are not isolated cases unless you consider the US Navy and Penn State to be marginal. This is big time mainstream stuff.

Oh, Happy New Year!