While most of us have heard statistics about the financial losses surrounding identity theft, most people aren’t surprised to learn that data theft is growing at more than 650% over the past three years, according to the Computer Security Institute and the FBI. What some individuals might be surprised with thought is the growing responds by lawmakers that are carrying some very real consequences.
When the California Senate Law 1386 was passed and became effective 1 July, 2004, it was virtually unnoticed by the press or companies doing business in the state, remaining an obscure law in October of 2004 when Georgia-based ChoicePoint, Inc.internally identified that their data network had been compromised.
Almost four months went by from the time ChoicePoint, Inc. recognized that their network had been compromised and the announcement of the breach. During that time, ChoicePoint Inc. executives had decided it was best to attempt to isolate the degree of damage before approaching their customers with the news that their personal identities had been stolen.
ChoicePoint, Inc eventually estimated the number of people, whose personal data had been compromised, at 145,000. The incident might have gone by completely undiscovered if ChoicePoint, Inc. had not contacted the local police at the initial detection of the security violation.
By neglecting to rapidly informing it’s customers of the potential misuse of their consumer identities due to a breach in their network security, ChoicePoint, Inc. violated the California Senate Bill 1386. When it was finally announced in February of 2005 that their data network was compromised, no one knew of the legal firestorm it would produce with legislators all over the country.
Law Makers Reply to Data Loss
Out of the 145,000 individuals believed to have lost their personal identification, only 35,000 California citizens were initially notified because the California law only required notification of California residence. As news spread, outraged politicians threw out the country pressured ChoicePoint, Inc. to disclose the extent of the network breach to all affected individuals and then began drafting bills that would fill the gaps for their constituents.
While individual laws vary from state to state, approximately 15 states at the time of this writing, including New York, Illinois, Connecticut and Florida, have passed bills that require businesses to notify customers of a network breach that could result in the loss of personal identity. While state legislators are passing notification laws, U. S. Senators Patrick Leahy and Arlen Spector have introduced the “Personal Data Privacy and Security Act” to address compromised data networks with some proposed bills going as far as to require a national registry.
With the passage of these laws, businesses that maintain consumer information, which has been defined by most states as social security number, drivers license numbers, state id numbers, credit and debit card numbers, and account numbers (bank, checking, saving, etc. ), are being forced to assume responsibility of the consumer data they maintain and are being penalized with fines if they do not.
Over the last few years, American businesses have begun to get use to the idea of mandatory compliancy programs, the health care industry has Health Insurance Portability and Accountability Act (HIPAA), publicly traded corporations are required to be compliant with Sarbanes-Oxley Act, the Gramm - Leach - Bliley Act (GLBA) affects how financial institutions like banks, and retail organizations must comply with mandatory credit card company's programs requiring secure data networks.
With the rash of new laws being drafted and passed by both state and national legislators, businesses will be compelled to implement best practices for their data network security to protect their consumers data. Company’s now have the choice of either securing their networks or face embarrassment, and negative press associated with insecure data networks. Even worst, if companies do not publicly disclose security breach’s to their customers, they run the risk of being held liable for civil damages or can face class action lawsuits.
Window of Opportunity for Companies in States with Pending Laws
Company’s that exist in states with pending laws have a window of opportunity to tighten up their network security before they become open to potential liability and lawsuits. This window of opportunity is an excellent time to educate employees of the laws concerning network security, and implement security controls in their network that will make them compliant with their respective state law.
Listed are five major steps that organizations should take to keep nonpublic information private outlining how organizations can establish and enforce information-security policies that will help them comply with these privacy regulations.
Step 1: Identify and prioritize consumer information
The majority of businesses have never addressed how to protect consumer information. By categorizing the types of information by value and level confidentiality, businesses can prioritize what data to secure first.
Step 2: Study the internal flow of information and perform risk analysis
It's critical for a business to understand how information flows within the company to see how confidential information flows around an organization. Identifying the major business processes that involve confidential information is a straightforward exercise, but determining the risk of leakage requires a more in-depth examination. Organizations need to ask themselves the following questions of each major business process:
Which employees have access to the information?
How is the information created, modified, processed, and distributed by employees?
What is the workflow of consumer information?
Are there gaps between stated policies/procedures and actual workflow?
By analyzing information flows with these questions in mind, companies can quickly identify vulnerabilities in their handling of sensitive information.
Step 3: Determine appropriate access, usage and information-distribution policies
Based on the risk analysis, a business can quickly design policies for various types of consumer information. These policies govern who can access, use or receive which type of content and when, as well as oversee enforcement actions for violations of those policies.
The access to consumer information through out the data network should be secured to reflect the workflow threw the use of password authentication, proper use of user groups, closure of Operating System vulnerabilities, altering a network in appropriate sub-nets, and implementation of firewalls.
Step 4: Implement a monitoring and enforcement system
The ability to monitor and enforce policy adherence is crucial to the protection of consumer information. Control points must be established to monitor information usage and traffic, verifying compliance with policies and performing enforcement actions for violation of those policies. Management must be able to accurately identify threats and prevent them from passing those control points.
Due to the immense amount of digital information in modern organizational workflows, these monitoring systems should have powerful identification abilities to avoid false alarms and have the ability to stop unauthorized traffic. A variety of software products can provide the means to monitor electronic communication channels for sensitive information.
Installation of adequate virus and spy-ware protection should be installed. Host-based and network-based Intrusion Detection and Intrusion Protection Sensors should be considered on critical workstations, servers and networks. The use of regular Security Audits performed by qualified individuals should be performed regularly, as well as monitoring of related log files on servers that maintain sensitive data.
Step 5: Review progress periodically
For maximum effectiveness, organizations need to regularly review their systems, policies and training. By using the visibility provided by monitoring systems, organizations can improve employee training, expand deployment and systematically eliminate vulnerabilities. In addition, systems should be reviewed extensively in the event of a breach to analyze system failures and to flag suspicious activity. External audits can also prove useful in checking for vulnerabilities and threats.
Companies often implement security systems but either fails to review incident reports that arise or to extend coverage beyond the parameters of the initial implementation. Through regular system benchmarking, organizations can protect other types of confidential information; extend security to different communication channels such as e-mail, Web posts, instant messaging, peer-to-peer and more; and expand protection to additional departments or functions.
Protecting confidential information assets throughout an enterprise is a journey rather than a one-time event. It fundamentally requires a systematic way to identify sensitive data; understand current business processes; craft appropriate access, usage and distribution policies; and monitor outgoing and internal communications. Ultimately, what is most important to understand are the potential costs and ramifications of not establishing a system to secure nonpublic information from the inside out.
Keith Tyson - Midwest Business Performance, Inc. (http://www.mbp-inc.net )