Securius Newsletter

June 23, 2005
Volume 6, Number 2
http://www.securius.com

Attack of the Data Thieves

By Steven Lerner-Wright

Data thieves have been busy this year.

Recent thefts of legally protected information include 600,000 unencrypted records from Time Warner, 1.2 million federal employee records from Bank of America, 180,000 Polo Ralph Lauren customer records, 1.4 million customer records from shoe retailer DSW, 3.9 million records from CitiGroup, and many more.

The topper was announced last Friday: tens of millions of MasterCard customers exposed to risk by a data security breach.

News reports of these thefts are front cover stories in the trade press like Information Security magazine, Bank Technology News, and Network World, and the issues are being picked up in national news outlets such as USA Today, Fortune Magazine, and National Public Radio.

The word finally is getting out that sensitive financial and medical data files on computers and digital media are being stolen.

Judging by the headlines, these data breaches appear to be epidemic, and lurid media reports suggest that companies are battling an outbreak of new and novel data security problems. But there's nothing intrinsically unusual about the past several months.

The fact that breaches are now being reported in the press can be attributed almost entirely to California's Data Breach Notification Act (SB 1386). Before SB 1386 was passed into law in July 2003, neither companies nor government agencies were required to report security breaches or theft of sensitive financial records.

This serves as a reminder that data theft is not new. It's been a serious problem that has been going unreported for years. See: http://www.consumeraffairs.com/news04/2005/choicepoint_congress.html

Harm from these ugly incidents could have been prevented had the data on the storage devices been encrypted — a fact that is explicitly recognized in the SB1386 text:

Any entity shall disclose any breach of the security of the system ... to any resident of California whose _unencrypted_ (emphasis added) personal information was, or is reasonably believed to have been, acquired by an unauthorized person ...

The recent spate of thefts has angered members of the US Congress and other politicians, including those in Illinois who passed a breach reporting law on Monday. Senator Dianne Feinstein, who earlier this year introduced a national version of the California law (S115), introduced another bill (S751) that increases the burden on entities when private information may have been compromised.

S751 would require prompt written or other notification to those individuals whose personal information may have been breached, and it would force organizations to send notices to credit reporting agencies if the security breach involved more than 1,000 individuals. In addition, the bill would impose penalties of $1,000 per person (a $50,000 per-day cap).

Language in S751 makes it unambiguous when an entity must report a breach of security:

(2) BREACH OF SECURITY OF THE SYSTEM. The term 'breach of security of the system' (A) means the compromise of the security, confidentiality, or integrity of data that results in, or there is a reasonable basis to conclude has resulted in, the unauthorized acquisition of personal information ...

Encryption is the core technology for protecting electronic information and for fulfilling these rapidly evolving legal mandates.

As we know, encryption is the process of transforming information to ensure two key attributes:

  • Confidentiality (the information is kept secret), and
  • Integrity (the information is not corrupted)

Traditionally, encryption has been used to guarantee military and diplomatic secrets. However, with the emergence of the Internet, encryption has been deployed to protect information in all kinds of settings, from electronic funds transfers to ecommerce transactions.

The use of encryption in business and government has become necessary due to the lack of trust. Individuals need to protect their financial and medical information. Companies must not lose trade secrets to competitors. Governments must protect the national interest. The scenarios range from the simple to the complex.

Historically, an enterprise organization needed to use encryption for isolated problems, such as protecting data on the laptops of key executives. Data protection has now evolved into a compliance issue. Daily news reports of information security breaches only reinforce the importance of installing fool-proof data protection at every level of an organization.

There is no better fool-proof technology than encryption. Every organization either is or will soon be searching for a pervasive encryption solution that is scalable, easily managed and affordable.

Vulnerable entities are reducing the risk of data exposure, and loss of public trust, by protecting sensitive information with PC Guardian Technologies' information security solutions, especially Encryption Plus Hard Disk, Encryption Plus Email and the latest Encryption Anywhere CD-DVD.

Qualified enterprises can evaluate these solutions. For more information, visit http://www.pcguardiantechnologies.com

Also, you might be interested in reading Senator Feinstein's Op/Ed piece about the recent data thefts, which appeared in the San Francisco Chronicle on March 31, 2005: http://feinstein.senate.gov/news-data-breaches.html

Upcoming issues of the Securius Newsletter will explore the social and technological implications of data thievery. 'Til then, keep your guard up.


PC Guardian News

PC Guardian Technologies Inc. recently announced it has received $6 million in a Series A round of financing. The round was funded by Altos Ventures and Cardinal Venture Capital, with equal participation by each firm. Investment banking firm SVB Alliant served as the financial advisor and placement agent. The company will use the infusion of capital to support ongoing research and development and expand sales and marketing efforts.

The full announcement can be found at:

http://www.pcguardiantechnologies.com/pradamc242ess/


About the Author
Steven Lerner-Wright is the Marketing Communications Director at PC Guardian Technologies.





Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.