Wednesday, November 19, 2008

Employee Data More Vulnerable Than Constituent Data

Nov 14, 2008, By Hilton Collins in Government Technology

Personal information about employees is more than twice as likely to be compromised in government security breaches than is constituent data, according to an online survey released by consulting firm PricewaterhouseCoopers (PwC). The survey also found that most governments don't keep accurate inventories of where their data is stored in their organization.
PwC, in partnership with CIO and CSO magazines, conducted the Global State of Information Security 2008 survey from March 25 to June 26, 2008. It included more than 7,000 CEOs, chief financial officers, CIOs, chief security officers and other high-level respondents from 119 countries via e-mail. Five hundred fifty-three came from the public sector, but PwC would not disclose how many came from U.S. government.
Forty-two percent of the public-sector respondents reported that employee data was more likely to be impacted by security breaches than constituent data. Only 19 percent reported otherwise.
"My sense is that businesses, first and foremost, place priority on protecting their business information, which is the lifeblood of their organization," said Jack Johnson, a partner in the Washington federal practice at PwC. Johnson has previously been the chief security officer for the U.S. Department of Homeland Security, a position he held from 2003 until 2005. He was appointed by then-Homeland Security Secretary Tom Ridge. "It's not because they don't place a level of importance on employee data, but I think their priority is focused on their business information."
In his experience, more security controls are usually placed around business data than around employee data, so it's possible the path to employee data may be the one of least resistance for malicious hackers.

Other data from public-sector respondents indicates:
• 65 percent reported that their organizations didn't have accurate inventories of where personal data was collected, transmitted and stored;
• 76 percent reported that they didn't keep an inventory of third parties who handle constituent data when data sharing occurred, and 47 percent had established security baselines for external parties when handling such data;
• 70 percent believed that their users complied with privacy and information security policies, but 50 percent didn't audit or monitor the compliance, and 46 percent required employees to complete training on privacy practices.
"The organization, first and foremost, needs to perform a risk assessment around this data to determine which data is considered sensitive, or, in some cases, personally identifiable information," Johnson said. Once sensitivity and importance of data is assessed, organizations can proceed more coherently with protection in mind.
The report recommends that organizations take the following security actions:
1. Prioritize data and information assets according to risk level continuously - 27 percent of respondents said they did, 40 percent said periodically and 31 percent not at all.
2. Extend privacy protections to employee data, not just constituent data.
3. Establish a "culture of compliance" to ensure that employees adhere to organizational security protocols.
4. Develop an incident response plan to determine how to handle data breaches when they occur - 53 percent of respondents said their security policies didn't address incident response.
The report also had some good news - governments have improved in their information security efforts from two years ago.
• 65 percent of respondents had an overall information security strategy versus 42 percent in 2006.
• 75 percent employed a chief information security officer or a chief security officer, versus 56 percent in 2006.
• 72 percent leveraged secure remote access (VPN) vs. 61 percent in 2006. In a VPN, or virtual private network, security measures like encryption ensure that only authorized users can access the network.

Monday, November 17, 2008

Encrypted Data

I want to pass along a link to a story posted by fellow bloggers "Ephemerallaw."
http://ephemerallaw.blogspot.com/2008/11/333000-unencrypted-records-exposed.html

The reason for passing it along is to point out that sensitive data stored on servers should be encrypted going forward, and this breach is a classic example of why. By May 1st of next year every covered business, non-profit, school district, utility, college, and local government needs to have in place a written policy addressing data security and identity theft prevention and response. That policy should contain language to the effect of "All sensitive information must be encrypted when it is stored in an electronic format." Since federal legislation leaves the door open by not mandating encryption, it is incumbent on business to make encryption a standard practice.
It should be noted that the new Massachusetts data security regulation requires businesses that hold personal information about Massachusetts residents to encrypt it on laptops and other portable devices and whenever it travels over public networks, to the extent technically feasible. Other states are sure to follow. The blog article also points out that the HIPAA Security Rule treats encryption as an "addressable" specification. Addressable does not mean optional: a covered entity must assess the risk, implement the measure if it is reasonable and appropriate, and otherwise document why it was not and put an equivalent alternative measure in place.
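To make a policy line like "all sensitive information must be encrypted when it is stored" concrete, here is an added example of field-level encryption at rest. It is not code from this blog or from the Ephemerallaw article; the record layout is constructed, and the 32-byte key is assumed to come from a key-management service rather than being stored with the data. Each sensitive column is sealed with AES-256-GCM under a fresh nonce, with the column name bound as associated data, so a dumped database file carries no Social Security numbers or account numbers in the clear and a ciphertext moved between columns or altered in transit is rejected on read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// EmployeeRecord is a constructed sample row. The identifier and name stay
// in the clear so the row can be found; the rest is encrypted before writing.
type EmployeeRecord struct {
	EmployeeID string `json:"employee_id"`
	Name       string `json:"name"`
	SSN        string `json:"ssn"`          // stored encrypted
	BankAcct   string `json:"bank_account"` // stored encrypted
}

// sensitive lists the columns that must never reach disk in the clear.
func sensitive(r *EmployeeRecord) map[string]*string {
	return map[string]*string{"ssn": &r.SSN, "bank_account": &r.BankAcct}
}

// newAEAD builds AES-256-GCM; the key is assumed to come from a KMS or HSM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns base64(nonce || ciphertext || tag). A fresh random
// nonce per field keeps GCM safe when one key protects many fields; the column
// name is bound as associated data so ciphertext cannot be moved between columns.
func EncryptField(key []byte, column, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField and fails closed on a wrong key, a
// modified byte, a truncated blob, or a ciphertext moved between columns.
func DecryptField(key []byte, column, encoded string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(sealed) < aead.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, body, []byte(column))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// SealRecord is what the storage layer calls before writing a row.
func SealRecord(key []byte, r EmployeeRecord) ([]byte, error) {
	for col, field := range sensitive(&r) {
		ct, err := EncryptField(key, col, *field)
		if err != nil {
			return nil, err
		}
		*field = ct
	}
	return json.Marshal(r)
}

// OpenRecord reverses SealRecord; any failure returns an empty record.
func OpenRecord(key, blob []byte) (EmployeeRecord, error) {
	var r EmployeeRecord
	if err := json.Unmarshal(blob, &r); err != nil {
		return EmployeeRecord{}, err
	}
	for col, field := range sensitive(&r) {
		pt, err := DecryptField(key, col, *field)
		if err != nil {
			return EmployeeRecord{}, err
		}
		*field = pt
	}
	return r, nil
}
```

The point of keeping the key in a separate system is that a stolen database dump, the scenario in the linked story, yields only ciphertext; an attacker needs both the dump and access to the key service. Searching a dump for the known values (an employee's SSN, say) is the quick check a breach review can run to confirm nothing sensitive was written in the clear.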

What is regrettable in my opinion is that a lot of businesses seem to look at this as a chore and an expense, but encryption, along with other steps, will prevent data loss and identity theft and thereby offset the risk of lawsuits. Isn't an estimated $48 billion loss to business and individuals an expense? That is an FTC estimate of the direct and indirect cost to American business of identity theft in 2007. In a time of economic crisis is the hemorrhaging of unnecessary expenses acceptable?

Aren't we supposed to be looking for ways to prevent identity theft? If so, how are we going to stem the tide of data breaches and subsequent identity theft episodes if the business community ignores the obvious? A business must do everything that the resources of the business will allow. Is encryption such a chore that initiating an encryption program is not worth the effort? Consider the possible outcome of a data breach. The loss of one valued customer or a single lawsuit could be enough to shut down a small business, and would likely cost many times the price of basic encryption procedures. Anyone who is following the stories of the Southern California wildfires can see what an out-of-control fire can do in a very few minutes. A data breach is no different. Besides a public loss of confidence, the net effect of a data breach is the out-of-control, rampant growth of data theft and misuse. After all, it isn't someone else's information at stake. It is ours, yours and mine.

John

Wednesday, October 22, 2008

FTC Announces a Forbearance of the Red Flags Enforcement

Red Flags Rule Compliance Deadline Extended to
May 1, 2009


FTC Grants Six-Month Delay of Enforcement of 'Red Flags' Rule Requiring Creditors and Financial Institutions to Have Identity Theft Prevention Programs

The Federal Trade Commission will suspend enforcement of the new "Red Flags Rule" until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs.
NOTE: Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.
Read the announcement: http://www.ftc.gov/opa/2008/10/redflags.shtm

This applies to all entities with oversight from the FTC only. All financial institutions with oversight from the federal banking and financial regulatory authorities still must be compliant by November 1st of 2008.

The FTC currently estimates that approximately 11 million entities, from private businesses to municipalities, schools and universities, and non-profits, are considered to have covered accounts and need to address the "Red Flags" and initiate the compliance steps relevant to each organization.

Tuesday, October 7, 2008

Shell fingers IT contractor in theft of employee data

I want to remind everyone who believes a credit monitoring service will solve their identity theft issues that they are sadly misinformed. The net result of all of the identity theft TV and radio advertising is to completely confuse the public for the sake of a profit. Sound familiar? If someone misappropriates your bank account, and you report the crime within 30 days of your account statement being mailed to you, your bank will work with you and likely absorb any losses as theirs. When someone files false insurance claims in your name your Casualty and Loss database (CLUE) is altered and you may never get insurance, or perhaps a job, again. Without professionals to help you with the real identity theft issues you are fighting a very difficult uphill battle filled with legal pitfalls and a complex network of red tape.

Oil company says outside IT worker used info from database to file fake unemployment claims
Robert McMillan Computerworld
October 6, 2008
(IDG News Service) Shell Oil Co. is warning its employees that an IT contractor used the personal data of four Shell workers as part of an unemployment insurance claims scam in Texas.
Shell Oil, the U.S. subsidiary of Royal Dutch Shell PLC, began notifying employees of the data breach on Friday, via a written notice that was posted on the Houston-based company's Web site.
Shell spokeswoman Robin Lebovitz said company officials noticed early last month that someone had used Shell employee data to file fake unemployment compensation claims with the Texas Workforce Commission (TWC). After investigating, Shell determined that an employee of a third-party contractor had misused information stored in a corporate database, Lebovitz said.
The database includes records for a majority of current and former Shell employees in the U.S., according to Lebovitz. The notice about the breach indicated that the misused data included names, dates of birth, Social Security numbers and some financial information.
The suspected scammer filed four false claims, Lebovitz said, adding that Shell has yet to uncover any evidence that other information from the database was compromised as part of the alleged claims scheme.
Shell didn't identify the company that employed the suspect, saying only that it had been hired to work on a data indexing project involving the database. The notice to employees said that after the fraudulent claims were discovered, Shell escorted the suspect from its premises and terminated its contract with the IT company.
The alleged crime continues to be investigated by Shell, the Houston police and the TWC, Lebovitz said.

Monday, October 6, 2008

New Federal Law Targets ID Theft, Cybercrime

By Brian Krebs October 1, 2008 Washington Post

"President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.

The Identity Theft Enforcement and Restitution Act of 2008 lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. Under current federal cybercrime laws, prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. The new law eliminates that requirement. "

Provided of course that the thief is caught and brought to justice. With less than 5% of identity thieves being nabbed this law will only help a small minority of the victims. It is a step in the right direction however.

As important as this new law is, another portion of the article really caught my eye.

"Some ID theft victims can spend thousands of dollars and months or years dealing with credit bureaus and debtors from accounts fraudulently opened in their names, but the law doesn't appear to take into account lost opportunities associated with identity theft. According to the Federal Trade Commission, some consumers victimized by identity theft may lose out on job opportunities or be denied loans for education, housing or cars because of negative information on their credit reports. In rare cases, they may even be arrested for crimes they did not commit."

It is just as important to understand that victims of identity theft are faced with the massive task of fighting nearly overwhelming obstacles in clearing up identity theft episodes. The banking system has certain measures in place to deal with fraud on bank and credit accounts. Once you leave the banking realm, however, the bureaucracy of databases and information repositories can present a maze of challenges to clearing up false entries and record inaccuracies.
John

Wednesday, October 1, 2008

October 1st 2008

The federal financial institution regulatory agencies and the Federal Trade Commission published final rules on identity theft "red flags" and address discrepancies in the Federal Register, and those rules took effect on January 1st 2008. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.

“The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program”. Institute of Fraud Risk Management report. January, 2008

There has been a good deal of conversation about what is a covered account, financial institution, and consumer account as defined by the federal authorities. The link above leads to the actual "Final Rules". As it is currently understood, and without quoting the legislation, a financial institution or creditor is defined as:

  • A bank, savings institution, or personal account lender of any type.
  • Also a real estate agency, mortgage broker, auto dealership, financial planner, investment broker, or any business that sets up, initiates, or maintains a payment account of any kind with an individual for personal or household purposes.
  • Any utility company that establishes an individual payment account with its customers.
  • Any municipality or county that provides utilities or services and arranges for regular payment from the users of the services provided.
  • Any business that extends ongoing credit or arranges for payment accounts for its customers or clients. Single payments or intermittent payment arrangements do not qualify as covered accounts.


As the rules went into effect as of January 1st of 2008, all covered entities have until November 1st 2008 to put such an identity theft prevention and breach response program in place.

Compliance is a process, and the intention of these rules is to put procedures in place that will stem the tide of identity theft. Identity theft currently costs American business over $48 billion each year directly or indirectly. It is in the interest of every business entity to address this runaway cost and the risk of litigation and fines. While not all businesses are considered to be covered under the “rules”, all business should adopt the practices and procedures.
With only 30 days to go until compliance, every business and governmental entity in the U.S. whether subject to this legislation or not, should take stock of the risk they are willing to take on this issue. I see a good deal of apathy about this from people who have not yet become victims of identity theft. When a business owner or officer takes an apathetic position they are not just gambling with their own identity issues but those of their employees, customers, vendors, constituents, etc. They are also taking a huge risk for the business. Fines and lawsuits resulting from data breaches without a breach response and identity theft prevention plan can devastate a business both financially and from a public relations perspective. Add to that, federal audits and for retailers the loss of credit card processing accounts, and you have an untenable position that can be entirely avoided with a small investment in time. While we cannot entirely eliminate identity theft we can mitigate the risk with a few simple steps.