Introduction: Data Breaches: Is it possible to prevent the inevitable?
As the settlement terms of the most talked-about data breach of 2007, the TJX data breach, are being assessed in the millions, the media's attention on data breaches has only increased.
Industry-specific guidelines and compliance measures, such as the Payment Card Industry Data Security Standard (PCI DSS), continue to emphasize the enforcement of measures to close any and all security loopholes in a company's infrastructure.
With the plethora of data breach information currently available, along with the technology implementation and physical monitoring that are now part of most companies' routine security protocols, logic dictates that data breaches should be decreasing.
However, these data breach loopholes are still popping up for companies as fast as a game of "Whac-a-Mole". Remember this popular arcade game?
A mechanical mole pops up, and another pops up, then another and another, while you spend your time hammering each one and watching for the next mole to hammer. For most organizations, time is spent constantly whacking each breach, or leaving one breach to whack another one that rears its ugly head.
It seems that no matter how focused an organization is on security, hackers, ID thieves, and human error make data breaches the continuing moles that cannot be whacked.
In January 2008, GE Money, a part of the General Electric Capital Corp. which manages credit card operations for J.C. Penney and other retail companies, revealed that due to a missing computer tape, the personal information of 650,000 J.C. Penney customers could be compromised.
The missing data includes 150,000 Social Security numbers of J.C. Penney customers, and GE Money also reported that up to 100 other retailers could be affected by the breach as well.
What is ironic about this breach is the fact that it wasn't some sophisticated hacker or some system glitch that caused the breach; it was human error on the part of the third-party records and data storage company that GE Money contracted for all of its records storage and data protection, Iron Mountain, Inc.
According to published reports about the incident, the breach involved the information on a backup tape, stored in one of Iron Mountain's warehouses, which went missing in October 2007.
In response to the breach, GE Money spokesman Richard C. Jones said that the tape was never checked out, that there was nothing to indicate that theft was involved, and that there was no evidence of fraudulent activity on any of the accounts on the tape.
According to the Ponemon Institute's 2007 Annual Study: Cost of a Data Breach, third-party data breaches were reported by 40 percent of the study's respondents (35 organizations, across 15 industry sectors, that experienced a data breach ranging from 4,000 to 125,000 records), a drastic jump from 29 percent in the institute's 2006 study.
Moreover, 49 percent of data breaches reported by the respondents of the 2007 study were a result of a lost or stolen laptop or a lost portable device such as a USB flash drive, or, in the case of Iron Mountain, a lost backup tape.
The institute, founded by Dr. Larry Ponemon (an inaugural member of the Unisys Security Leadership Institute, an Adjunct Professor of Ethics & Privacy at Carnegie Mellon University's CIO Institute, a former CEO of the Privacy Council and a former Global Managing Partner for Compliance Risk Management at PricewaterhouseCoopers), conducts independent research, educates leaders from both the private and public sectors, and reports on the privacy and data practices of a variety of industries.
If this report is any indication, data breaches have only increased over the past year, and the cost of breaches is skyrocketing, both in terms of the breach itself and in the efforts to contain, correct and respond to it.
The report's other findings show the following effects of data breaches:
- An increase in the total average cost of a data breach: $197 per compromised record, up from $182 in 2006, and from $138 in 2005. For each reporting company, the average cost for a data breach was more than $6.3 million per breach and ranged from $225,000 to $35 million.
- An increase in lost business due to data breach: Lost business accounts for 65 percent of data breach costs, compared to 54 percent in 2006, averaging up to $4.1 million, or $128 per compromised record.
- An increase in third-party data breaches: 40 percent of the study's respondents reported breaches by third-party companies (vendors, outsourcers, business partners), up from 29 percent in 2006.
- An increase in legal defense and public relations costs in response to a breach: The cost to defend, contain and inform about a data breach grew to 8 percent, up from 3 percent in 2007.
How can organizations protect themselves from a data breach, and contain the fallout when one does occur?
Is it possible to prevent the inevitable by combining the PCI DSS guidelines with an organization's existing security program?
The following five steps can help your organization with procedures to prevent or contain a data breach.