Wednesday, November 19, 2008

Employee Data More Vulnerable Than Constituent Data

Nov 14, 2008, By Hilton Collins in Government Technology

Personal information about employees is more than twice as likely to be compromised in government security breaches than is constituent data, according to an online survey released by consulting firm PricewaterhouseCoopers (PwC). The survey also found that most governments don't keep accurate inventories of where their data is stored in their organization.
PwC, in partnership with CIO and CSO magazines, conducted the Global State of Information Security 2008 survey from March 25 to June 26, 2008. It included more than 7,000 CEOs, chief financial officers, CIOs, chief security officers and other high-level respondents from 119 countries via e-mail. Five hundred fifty-three came from the public sector, but PwC would not disclose how many came from U.S. government.
Forty-two percent of the public-sector respondents reported that employee data was more likely to be impacted by security breaches than constituent data. Only 19 percent reported otherwise.
"My sense is that businesses, first and foremost, place priority on protecting their business information, which is the lifeblood of their organization," said Jack Johnson, a partner in the Washington federal practice at PwC. Johnson has previously been the chief security officer for the U.S. Department of Homeland Security, a position he held from 2003 until 2005. He was appointed by then-Homeland Security Secretary Tom Ridge. "It's not because they don't place a level of importance on employee data, but I think their priority is focused on their business information."
In his experience, more security controls are usually placed around business data than around employee data, so the path to employee data may be the one of least resistance for malicious hackers.

Other data from public-sector respondents indicates:
• 65 percent reported that their organizations didn't have accurate inventories of where personal data was collected, transmitted and stored;
• 76 percent reported that they didn't keep an inventory of third parties who handle constituent data when data sharing occurred, and only 47 percent had established security baselines for external parties handling such data;
• 70 percent believed that their users complied with privacy and information security policies, but 50 percent didn't audit or monitor that compliance, and only 46 percent required employees to complete training on privacy practices.
"The organization, first and foremost, needs to perform a risk assessment around this data to determine which data is considered sensitive, or, in some cases, personally identifiable information," Johnson said. Once sensitivity and importance of data is assessed, organizations can proceed more coherently with protection in mind.
The report recommends that organizations take the following security actions:
1. Prioritize data and information assets according to risk level continuously - 27 percent of respondents said they did, 40 percent said periodically and 31 percent not at all.
2. Extend privacy protections to employee data, not just constituent data.
3. Establish a "culture of compliance" to ensure that employees adhere to organizational security protocols.
4. Develop an incident response plan to determine how to handle data breaches when they occur - 53 percent of respondents said their security policies didn't address incident response.
The report also had some good news - governments have improved in their information security efforts from two years ago.
• 65 percent of respondents had an overall information security strategy versus 42 percent in 2006.
• 75 percent employed a chief information security officer or a chief security officer, versus 56 percent in 2006.
• 72 percent leveraged secure remote access (VPN) vs. 61 percent in 2006. In a VPN, or virtual private network, remote users are authenticated before they can reach the internal network, and their traffic is encrypted while it crosses the public Internet.

Monday, November 17, 2008

Encrypted Data

I want to pass along a link to a story posted by fellow bloggers "Ephemerallaw."
http://ephemerallaw.blogspot.com/2008/11/333000-unencrypted-records-exposed.html

The reason for this is to point out that data stored on servers should be encrypted going forward. This breach is a classic example of exactly why. By May 1st of next year every covered business, non-profit, school district, utility, college, and local government needs to have in place a written policy that addresses data security and identity theft prevention and response. Within that written policy there needs to be language that effectively states "All sensitive information must be encrypted when it is stored in an electronic format." Since federal legislation leaves the door open by not mandating encryption, it is incumbent on business to make encryption a standard practice.
It should be noted that new Massachusetts regulations (201 CMR 17.00) require any business holding personal information about Massachusetts residents to encrypt it when it travels across public networks and when it is stored on laptops or other portable devices. Other states are sure to follow. The blog article also points out that the HIPAA Security Rule treats encryption as an "addressable" implementation specification. Addressable does not mean optional: a covered entity must assess, as part of its risk analysis, whether encryption is reasonable and appropriate for its environment, and if it decides not to implement it, it must document why and put an equivalent alternative safeguard in place.
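The policy language above says what must happen to stored sensitive data; the following is an added example, not code from the original post or from any of the organizations mentioned, of what "encrypted when it is stored" looks like in practice. It assumes a hypothetical employee record whose Social Security number is the sensitive field, encrypts that field with AES-256-GCM before it is written to the data store, and binds the ciphertext to the row it belongs to. The one caveat the post does not state, and the one that decides whether encryption at rest is worth anything, is that the key must live somewhere other than the data store (an HSM, a key management service, or at minimum a key file on a separate host); a key stored beside the records is handed to the attacker along with them. The demo key here is generated in memory purely so the program runs stand-alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is what the data store holds. Only ciphertext of the sensitive
// field is ever written; a dump of the table yields nothing usable.
type Record struct {
	Name         string
	EncryptedSSN string // base64(nonce || AES-256-GCM ciphertext+tag)
}

// Sealer wraps a key that the caller obtained from outside the data store
// (assumption: HSM, KMS or a separate key host, never a column or file
// next to the records).
type Sealer struct {
	aead cipher.AEAD
}

// NewSealer rejects anything but a full 32-byte AES-256 key.
func NewSealer(key []byte) (*Sealer, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce. The row identity is
// passed as associated data, so a ciphertext copied into another row
// fails authentication instead of decrypting.
func (s *Sealer) Seal(plaintext, rowID string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(plaintext), []byte(rowID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal and returns an error on any tampering or row swap.
func (s *Sealer) Open(encoded, rowID string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := s.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := s.aead.Open(nil, raw[:n], raw[n:], []byte(rowID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRecord builds the row as it would be written to the database.
func StoreRecord(s *Sealer, name, ssn string) (Record, error) {
	enc, err := s.Seal(ssn, name)
	if err != nil {
		return Record{}, err
	}
	return Record{Name: name, EncryptedSSN: enc}, nil
}

// LoadSSN recovers the sensitive field for an authorized use.
func LoadSSN(s *Sealer, r Record) (string, error) {
	return s.Open(r.EncryptedSSN, r.Name)
}

func main() {
	key := make([]byte, 32) // demo only: production loads this from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewSealer(key)
	rec, _ := StoreRecord(s, "A. Employee", "123-45-6789") // constructed sample
	fmt.Println("what a dumped table shows:", rec.EncryptedSSN)
	ssn, _ := LoadSSN(s, rec)
	fmt.Println("authorized read:", ssn)
	moved := Record{Name: "B. Employee", EncryptedSSN: rec.EncryptedSSN}
	_, err := LoadSSN(s, moved)
	fmt.Println("ciphertext moved to another row rejected:", err != nil)
}
```

The binding of the row name as associated data is a design choice worth keeping even in a simple deployment: without it, an attacker with write access to the table can reassign one person's encrypted SSN to another account and let the application decrypt it for them.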

What is regrettable in my opinion is that a lot of businesses seem to look at this as a chore and an expense, but encryption, along with other steps, will prevent data loss and identity theft and thereby offset the risk of lawsuits. Isn't an estimated $48 billion loss to business and individuals an expense? That is an FTC estimate of the direct and indirect cost to American business from identity theft in 2007. In a time of economic crisis is the hemorrhaging of unnecessary expenses acceptable?

Aren't we supposed to be looking for ways to prevent identity theft? If so, how are we going to stem the tide of data breaches and subsequent identity theft episodes if the business community ignores the obvious? A business must do everything that its resources will allow. Is encryption such a chore that initiating an encryption program is not worth the effort? Consider the possible outcome of a data breach. The loss of one valued customer or a single lawsuit could be enough to shut down a small business, and would likely cost many times the price of basic encryption procedures. Anyone who is following the stories of the Southern California wildfires can see what an out-of-control fire can do in a few minutes. Data breach is no different. Besides a public loss of confidence, the net effect of data breach is the rampant, out-of-control growth of data theft and misuse. After all, it isn't someone else's information at stake. It is ours, yours and mine.

John