Data Breaches Part I - Is it possible to prevent the inevitable?
Industry-specific guidelines and compliance measures, such as the Payment Card Industry's Data Security Standards (PCI DSS), are continuing to emphasize the enforcement of measures to close any and all security loopholes in a company's infrastructure.
With the plethora of data breach information currently available, along with the IT technology implementation and physical monitoring that are now part of most companies' routine security protocols, logic dictates that data breaches should be decreasing.
However, these data breach loopholes are still popping up for companies as fast as a game of "Whac-a-Mole". Remember this popular arcade game?
A mechanical mole pops up, and another pops up, then another and another, while you spend your time hammering each one and watching for the next mole to hammer. For most organizations, time is spent constantly whacking each breach, or leaving one breach to whack another one that rears its ugly head.
It seems that no matter how focused an organization is on security, hackers, ID thieves, and human error make data breaches the continuing moles that cannot be whacked.
In January 2008, GE Money (a part of the General Electric Capital Corp., which manages credit card operations for J.C. Penney and other retail companies) revealed that, due to a missing computer tape, the personal information of 650,000 J.C. Penney customers could be compromised.
The missing data includes 150,000 Social Security numbers of J.C. Penney customers, and GE Money also reported that up to 100 other retailers could be affected by the breach as well.
What is ironic about this breach is that it wasn't some sophisticated hacker or some system glitch that caused it; it was human error on the part of Iron Mountain, Inc., the third-party records and data storage company that GE Money contracted for all of its records storage and data protection.
According to published reports about the incident, the breach involved information on a backup tape, stored in one of Iron Mountain's warehouses, that went missing in October 2007.
In response to the breach, GE Money spokesman Richard C. Jones said that the tape was never checked out and there was nothing to indicate that theft was involved, nor was there evidence of fraudulent activity on any of the accounts on the tape. According to the Ponemon Institute's 2007 Annual Study: Cost of a Data Breach, third-party data breaches were reported by 40 percent of the study's respondents (35 organizations that experienced a data breach ranging from 4,000 records to 125,000 records, across 15 industry sectors), a drastic jump from 29 percent in the institute's 2006 study.
Moreover, 49 percent of data breaches reported by the respondents of the 2007 study were a result of a lost or stolen laptop or a lost portable device such as a USB flash drive, or, in the case of Iron Mountain, a lost backup tape. The institute was founded by Dr. Larry Ponemon, an inaugural member of the Unisys Security Leadership Institute, an Adjunct Professor of Ethics & Privacy at Carnegie Mellon University's CIO Institute, a former CEO of the Privacy Council and a former Global Managing Partner for Compliance Risk Management at PricewaterhouseCoopers. It conducts independent research, educates leaders from both the private and public sectors, and reports on privacy and data practices across a variety of industries.
If this report is any indication, data breaches have only increased over the past year and the cost of breaches is skyrocketing in terms of the actual breach itself, and the efforts to contain, correct and respond to the breach. According to the report's other findings, data breaches caused the following:
- An increase in the total average cost of a data breach: $197 per compromised record, up from $182 in 2006, and from $138 in 2005. For each reporting company, the average cost for a data breach was more than $6.3 million per breach and ranged from $225,000 to $35 million.
- An increase in lost business due to data breach: Lost business due to a data breach accounts for 65 percent of data breach costs compared to 54 percent in 2006, averaging up to $4.1 million or $128 per record compromised.
- An increase in third-party data breaches: 40 percent of the study's respondents reported breaches by third-party companies (vendors, outsourcers, business partners), up from 29 percent in 2006.
- An increase in legal defense and public relations in response to breach: The cost to defend, contain and inform about a data breach grew to 8 percent, up from 3 percent in 2007.
How can organizations protect themselves from a data breach, as well as contain the fallout resulting from one? Is it possible to prevent the inevitable by combining the PCI guidelines and an organization's existing security program? The following five steps can help your organization with procedures to prevent or contain a data breach.
Though PCI Compliance is now mandatory for any organization that processes credit card transactions, it's still seen as a compliance issue instead of a preventative step taken before a data breach happens.
Integrating the tenets of PCI DSS with an organization's security policy, whether or not the organization must comply with the standards at this time, ensures that the instances of a data breach decrease.
PCI Compliance regulations stipulate the following protocols to decrease the chance of data breaches, for organizations that routinely handle credit card data and money transactions with credit cards:
- Build and maintain a secure network - Install firewalls and make sure that any changes to existing rules are sufficiently logged. Ensure that Web servers that must access the Internet are hosted in a neutral area between the organization's private network and the outside public network. All database servers, which hold customer account information, should be inside the company's network, protected by a firewall.
- Protect cardholder data - SSL encryption or higher should be utilized when storing customer account numbers, or for data in motion over public networks. As well, all customer data must be disposed of when no longer needed.
- Maintain a vulnerability management program - Any vulnerability management program should include antivirus software on all workstations and servers. As well, PCI DSS dictates that an organization follow guidelines from the Open Web Application Security Project (OWASP) for developing Web applications.
- Implement strong access control measures - All stored passwords should be encrypted and an organization should restrict access to only those who need the information as part of their job. Routinely audit account numbers and remove outdated or malicious accounts.
- Regularly monitor and test networks - Review and monitor server logs, perform routine vulnerability scans and install Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).
- Maintain an information security policy - Create and maintain an information security policy that covers access control, network and physical security, and application and system development. Keep the policy updated, change when needed and distribute it to all system users.
When thinking of a risk assessment, it's easy to only think in terms of information technology security, but with human error (lost or stolen laptops, disk drives, USB drives, backup tapes) at the top of the data breach equation, a complete and comprehensive assessment that goes above and beyond the IT department is imperative.
- IT Systems - Assess all internal hardware and software. Are we, the organization, utilizing 128-bit encryption for file transfers, file uploads, web servers, email servers, data in motion, data at rest? Do we employ tools such as intrusion detection/intrusion prevention (IDS/IPS)? Who has access to computer mainframes, databases, passwords, and any other area where sensitive data is stored? Do we monitor network and system performance, disk usage, Internet activity, and access routines? Do we utilize network security monitoring tools, security event and log correlation and analysis tools?
- Data and document disposal - Who handles the retrieval and disposal of all sensitive data and documents? What are the current procedures for proper disposal? Are records physically thrown away? Are we following state and federal guidelines in document disposal?
- Third-party vendors - How do the third-party vendors handle and store customers' data? How do we, the organization, confirm that the third party is compliant in properly using and disposing of customer data? Who verifies the third-party company?
- Human Resources - How does the HR department retrieve, disseminate and dispose of sensitive information such as Social Security Numbers, employee resumes, employee credit check information, and background criminal checks? What are the practices and procedures for the HR department? How does the HR department respond and evaluate employee exit strategies?
All organizations should have a current and up-to-date security policy, including a risk assessment, which should be consistently updated and disseminated to all employees and contractors.
Every employee should have a copy of the policy and indicate that they have read and understand the procedures, before a data breach occurs.
Educate employees not only about data breaches that result from a hacker or another external cause, but also on personal responsibility as it relates to physical security: the perils of leaving a laptop in an open office, or other physical vulnerabilities that can result in a data breach.
Having a pre-breach response plan in place not only validates your organization's stand against data breaches, but also instills trust in consumers that your organization has taken precautionary steps, before a data breach, to address any current security loopholes.
One of the most important components of any pre-breach plan is a communications/public relations response.
Assess what information is already available and what are the best ways to gather and disseminate that information. Organizations should prepare themselves for different types of data breaches including credit card numbers or account numbers.
The number one issue an organization should be concerned with when it comes to a communication plan is how it is going to respond to different audiences after the breach.
The different audiences and communication strategies to consider include:
- Internal audience - Management, employees and any other member of the organization who has customer contact.
- External audience - Consumers and any other outside party that is affected by the data breach.
- Third party audience - Any and all third-party vendors involved with consumer contact, including help centers, call centers, websites, ATMs and other bank branches.
- Internal communication strategy - Create an information tree, establishing designated members from upper management, IT department or public relations to receive the information about the data breach, and to disseminate the details of the data breach via email to the appropriate organization team members.
- External communication strategy - Draft consumer breach notification letter templates for all types and levels of the organization's consumers, including special groups. Conduct an immediate meeting with the heads of all of the management teams and discuss what solutions should be offered to the targeted victims of the data breach. Choose a spokesperson to represent the organization to the media, after a data breach, as well as contacting law enforcement and any other local or state authorities that are needed.
- Third party communication strategy - Create specific call center scripts for use by the support staff, when a data breach occurs. Create a plan to handle the increased call center traffic, if a data breach occurs.
- State and Federal communication strategy - Make sure that your organization follows all applicable state data breach laws and any federal laws concerning data breaches, if applicable. If an organization conducts transactions with consumers in another state, the organization must know the data breach laws of that state as well.
Quality and timing of the communication response
Timing is everything, especially when responding to a data breach.
According to an older Ponemon Institute report from 2005, along with a quick response, it's the quality of the response that seems to matter to consumers, and the quality of the response ultimately helps the organization maintain credibility.
"It seems that what determines an organization's ability to protect its reputation and maintain the trust of its customers and employees in the aftermath of a breach is the quality of the notification," according to Ponemon, concerning the report's findings.
Only 1,109 of the 9,154 individuals interviewed said that they had been notified of the data breach. A letter and/or a phone call are the most frequent modes of communicating a data breach, but, according to this study, many consumers mistake a form letter for junk mail, an email for spam and a phone call for a telemarketer. With the GE Capital/J.C. Penney breach, it took GE Money over two months to reconstruct the data tape and to notify the affected customers.
According to an article written by Associated Press Reporter David Koenig, GE Money has been working since December 2007 to notify customers in batches of several thousand. GE Money set up a phone call center to deal with the breach and has been directing the affected consumers to call the center.
One J.C. Penney credit card holder, Elizabeth Rich of Everett, Washington, received a letter from GE Money, but she almost threw it away because it looked like a piece of junk mail. Though she was told her Social Security number was not on the tape, she was told that her address and account number 'might' have been compromised.
Ms. Rich assumed the letter was a credit card solicitation, when she saw the GE Money return address. Since she used a J.C. Penney credit card, not a GE Money card, she almost threw the letter away.
"I think the average consumer has thrown away that GE Money letter because they don't know it's about J.C. Penney," Rich said in the article. "Not everybody opens junk mail."
Once the plan is created, and distributed company-wide, including distribution to all upper management team members, it's best to determine who will serve on an internal audit/compliance team.
It's this team who should review, revise, test and enforce the policies and procedures on a regular timetable, as well as determine what security areas should be audited at any given time.
Based on the outcomes of the routine testing of policies and procedures, revisions and/or new policies should be enforced. This is an area where PCI DSS and an organization's own security policy can converge, in order to prevent data breaches before they have a chance to even occur.
In an article entitled "PCI Compliance after the TJX data breach," its author, Joel Dubin (a Chicago-based CISSP, an independent computer security consultant, a Microsoft MVP specializing in Web and application security, and the author of The Little Black Book of Computer Security), described how PCI can easily integrate into an organization's existing security plan. "To stay compliant, keep complete records of how the required controls are set up, maintained and changed. Internal IT auditors should also use the PCI standard as a point of reference in regular audits to ensure the company remains compliant," wrote Dubin.
"It's also a good idea to hold employee training sessions for those who handle credit card data in compliance procedures." Dubin explained that organizations should use two keys for PCI compliance: remote vulnerability scans and assessments.
"Remote vulnerability scans should be conducted on a quarterly basis, cover all Internet connections to and from the company, including dedicated ones, like those for Web and email servers," wrote Dubin.
Continuing, he wrote, "When choosing a QSA and ASV for a compliance program, check if they have the technical experience and expertise in the six control areas. A QSA should be able to audit for the 12 controls, while an ASV should have a track record of conducting vulnerability assessments."
In addition to creating and deploying an audit/compliance team, every organization should have a rapid response team ready to address the aftermath of any data breach when it occurs.
It's up to each organization to determine what areas should be represented in a data breach response team, but many come from HR, legal, IT and especially public relations.
The response plan, and the rapid response team that carries it out, will be the focal point of all information if and when a data breach occurs. Having the tools in place before a data breach will determine whether an organization will survive the data breach and retain its customer base.
"Although it's difficult to make specific plans for an unspecified event, spending time now on your response plan can be a wise investment. It's always easier and faster to fine-tune your plan, should a breach occur, than to start from scratch. Ask anyone who has been through a data breach event - immediate action is critical to a successful response," wrote Beth Lynn, a vice president at First Data Corporation and the privacy officer for First Data Debit Services in Wilmington, Del., in an article entitled, "Are You Prepared for a Data Breach?"
PCI Compliance standards and an organization's security plan should work hand in hand when an organization is cognizant that protecting customer data is not only a law in most states but should also be an internal standard at all times, no matter the cost.
"While PCI compliance seems like another IT security headache, most of it is based in established security procedures and policies. And, with a lineup of well-known consultants, compliance can be integrated into a company's existing security program," wrote Dubin.