Attack of the Data Thieves
Data thieves have been busy this year.
Recent thefts of legally protected information include 600,000
unencrypted records from Time Warner, 1.2 million federal employee
records from Bank of America, 180,000 Polo Ralph Lauren customer
records, 1.4 million customer records from shoe retailer DSW, 3.9
million records from CitiGroup, and many more.
The topper was announced last Friday: tens of millions of MasterCard
customers exposed to risk by a data security breach.
News reports of these thefts are front cover stories in the trade
press like Information Security magazine, Bank Technology News,
and Network World, and the issues are being picked up in national
news outlets such as USA Today, Fortune Magazine, and National Public
The word finally is getting out that sensitive financial and medical
data files on computers and digital media are being stolen.
Judging by the headlines, these data breaches appear to be epidemic,
and lurid media reports suggest that companies are battling an outbreak
of new and novel data security problems. But there's nothing intrinsically
unusual about the past several months.
The fact that breaches are now being reported in the press can
be attributed almost entirely to California's Data Breach Notification
Act (SB 1386). Before SB 1386 was passed into law July 2003, neither
companies nor government agencies were required to report security
breaches or theft of sensitive financial records.
This serves as a reminder that data theft is not new. It's been
a serious problem that has been going unreported for years. See:
Harm from these ugly incidents could have been prevented had the
data on the storage devices been encrypted, a fact that is
explicitly recognized in the SB 1386 text:
Any entity shall disclose any breach of the security of the
system ... to any resident of California whose _unencrypted_ (emphasis
added) personal information was, or is reasonably believed to
have been, acquired by an unauthorized person ...
The recent spate of thefts has angered members of the US Congress
and other politicians, including those in Illinois, who passed a
breach reporting law on Monday. Senator Dianne Feinstein, who earlier
this year introduced a national version of the California law (S115),
introduced another bill (S751) that increases the burden on entities
when private information may have been compromised.
S751 would require prompt written or other notification to those
individuals whose personal information may have been breached, and
it would force organizations to send notices to credit reporting
agencies if the security breach involved more than 1,000 individuals.
In addition, the bill would impose penalties of $1,000 per person
(a $50,000 per-day cap).
Language in S751 makes it unambiguous as to when an entity must
report a breach of security:
(2) BREACH OF SECURITY OF THE SYSTEM. The term 'breach of security
of the system' (A) means the compromise of the security, confidentiality,
or integrity of data that results in, or there is a reasonable basis
to conclude has resulted in, the unauthorized acquisition of personal
Encryption is the core technology for protecting electronic information
and for fulfilling these rapidly evolving legal mandates.
As we know, encryption is the process of transforming information
to ensure two key attributes:
- Confidentiality (the information is kept secret), and
- Integrity (the information is not corrupted)
Traditionally, encryption has been used to guarantee military and
diplomatic secrets. However, with the emergence of the Internet,
encryption has been deployed to protect information in all kinds
of settings, from electronic funds transfers to ecommerce transactions.
The use of encryption in business and government has become necessary
because the parties involved cannot simply trust one another. Individuals need to protect their financial
and medical information. Companies must not lose trade secrets to
competitors. Governments must protect the national interest. The
scenarios range from the simple to the complex.
Historically, an enterprise organization needed to use encryption
for isolated problems, such as protecting data on the laptops of
key executives. Data protection has now evolved into a compliance
issue. Daily news reports of information security breaches only
reinforce the importance of installing fool-proof data protection
at every level of an organization.
There is no better fool-proof technology than encryption. Every
organization either is or will soon be searching for a pervasive
encryption solution that is scalable, easily managed and affordable.
Vulnerable entities are reducing the risk of data exposure, and
loss of public trust, by protecting sensitive information with PC
Guardian Technologies' information security solutions, especially
Encryption Plus Hard Disk, Encryption Plus Email and the latest
Encryption Anywhere CD-DVD.
Qualified enterprises can evaluate these solutions. For more information,
Also, you might be interested in reading Senator Feinstein's Op/Ed
piece about the recent data thefts, which appeared in the San Francisco
Chronicle March 31, 2005: http://feinstein.senate.gov/news-data-breaches.html
Upcoming issues of the Securius Newsletter will explore the social
and technological implications of data thievery. 'Til then, keep
your guard up.
PC Guardian News
PC Guardian Technologies Inc. recently announced it has received
$6 million in a Series A round of financing. The round was funded
by Altos Ventures and Cardinal Venture Capital, with equal participation
by each firm. Investment banking firm, SVB Alliant, served as the
financial advisor and placement agent. The company will use the
infusion of capital to support ongoing research and development
and expand sales and marketing efforts.
The full announcement can be found at:
About the Author
Steven Lerner-Wright is the Marketing Communications Director at
PC Guardian Technologies.