Barely a week goes by these days without news of laptops stolen or lost, and loaded with data that can expose employees,
consumers or patients to identity theft.
For companies involved, data breaches harm more than a corporate image. They impact the bottom line.
According to research from the Ponemon Institute, a research firm focusing on privacy and data protection practices, data breaches cost companies $182 per record lost. The Privacy Rights
Clearinghouse counts more than 100 million records lost to data breaches since February 2005. An FBI survey pegged losses due to data breaches at $67.2 billion in 2006.
And it’s not just companies handling personal data, such as Social Security numbers
or medical information, bearing the costs. According to Ponemon,
81 percent of the companies it surveyed reported annually losing one or more
laptops containing confidential data. Each laptop contains data worth around
$972,000, according to a 2006 Symantec survey.
That’s why security experts already see a shift in security policies underway, with more to come this year. Data minimization is one such shift.
“People are running scared with their hair on fire,” said Troy Allen, a risk consultant and CEO of security firm Kroll’s Fraud Solutions unit. That sense of alarm has created an unregulated industry offering consumers and companies ways to “prevent” data breaches.
“You can’t stop identity theft. Period,” Allen said. No matter what
policies are in place, laptops will walk off with data. And fraud
alerts, the ubiquitous answer to data breaches, have become meaningless,
he added.
Indeed, the rash of stolen laptops led Kroll to label 2006 “The Year of the Data Breach.” Plenty of online auctions exist where identities are bought and sold and where, eBay style, the sellers get reviews. Allen said clean identities can go for as much as $40 a pop.
When Pennsylvania’s Geisinger Health Systems learned personal data of some
of its patients might be exposed as a result of a laptop theft, it offered
ID theft protection from American Insurance Group (AIG). Begun in 2006, the
policy covers businesses, providing up to $25 million in coverage for
companies facing legal, regulatory and other costs. AIG’s
policies provide form letters helping ID theft victims contact creditors,
and even cover lost wages for time taken off to recover a stolen
identity.
With identity theft and data breaches a costly reality, what can companies
do to protect data? The most common response – simple passwords – is rarely
enough, say experts.
“Password protection only is very weak,” Yankee Group’s Sal Capizzi said.
Securing mobile data is a three-pronged process. Capizzi recommended
authentication, encryption and automated policies. It is not enough to have
policies in place. Boeing had a policy requiring downloaded data to be
encrypted, but an employee skipped encryption. The result: a stolen laptop
containing employees’ personal data. To remove the human element, security
policies must be automated, according to Capizzi.
The new year will see greater focus on corporate and employee education
on preventing data breaches. Allen predicts firms will also restrict
or ban downloading data to CD or USB flash drives. “Employers will begin
insisting that more information exchange takes place via secure online
transfer,” Allen said in a statement.
Kroll is advising data minimization, a concept counter to the prevailing
belief that customer information is an advantage. “Information is a
liability,” Allen said.
Data minimization involves three steps. Don’t require or maintain
information you don’t absolutely need. Minimize the number of locations where the
information is stored, and purge the data once it’s no longer needed.
Just as ego-satisfying virus writing evolved into for-profit criminal behavior,
so will data breaches. Identity theft is now linked to organized crime, drug
financing and illegal immigration, according to Kroll.
For Allen, the excuse that a stolen laptop was only a “smash and grab,” where
thieves aren’t interested in the data stored on it, doesn’t hold water.
Thieves don’t work alone. One person may want only to pawn the hardware,
while other thieves will siphon off the data.
Not satisfied with a few hundred or thousand data files, criminals will turn
to social engineering to gain access to data, according to Allen. A popular
method is either bribing employees or planting employees hired to steal
records; the planted employees use stolen identities to get the jobs, according to
Allen.
Data breaches will likely increase this year as companies that once
thought a stolen laptop was a property theft understand it as a potential
identity theft, according to Kroll.