After twelve months of increasingly dramatic press headlines about failures to safeguard personal data records, it's time to assess the size of the issue and identify best practice steps for reducing the incidence of, and damage caused by, these data breaches.
The IT Governance Data Breaches Report identifies that spectacular data breaches, such as the UK's HMRC CD-Rom fiasco and the prolonged theft of TK Maxx credit card records, are not caused by the misdemeanor of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organizations where the incident occurs.
A data breach is 'the unauthorized disclosure by an organization of personally identifiable information, where that disclosure compromises the security, confidentiality, or integrity of the data that has been disclosed.'
The Attrition database shows that the numbers of reported data breaches in the US increased from 22 in 2004 to 326 in 2006. The pattern in the UK and elsewhere is similar. Three developments in recent years make addressing this issue a real priority:
1. Identify theft is a low-risk, high return option for organized crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks. It is easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime, on the other hand, creates real problems for the police force and is, conversely, relatively low-risk for the criminal. Contributing factors include the perpetrator's anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation.
2. Legal and regulatory compliance initiatives, such as the EU Data Protection directive and California's data breach disclosure law, SB1386, have both formalized the concept that personal data must be legally protected, and introduced penalties for failing to do so.
3. The proliferation of mobile data storage devices has changed the boundaries of where we store our data and effectively eliminated "fixed fortifications" as an effective tool for preventing data breaches.
The number of data breaches reported both within the US and the UK has been steadily increasing since 2006. In the US, the introduction of California's data breach disclosure law, SB1386, in July 2003 led to a greater awareness of data breaches and, as a consequence, greater reporting of them. Within the UK, the numbers of reported data breaches has also been steadily rising, with a large increase in the number of reported data breaches following the HMRC breach. The peaks in reported data breaches following the disclosure of the UK's HMRC data loss, suggests that there were - and probably still are - many data breaches that go unreported and research suggests that organizations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.
12% of reported breaches in the UK were at regulated financial services organizations. Those reported in the unregulated private sector are much lower. An extrapolation from this behavior is that the likely scale and cost of data breaches in this sector in the UK is probably much bigger than has actually been reported - and at least as great as that in the public and regulated sectors.
The reported number of internally caused data breaches remains lower than external ones, but averages to around a third of those reported each year since 2000. Many data breaches are self-inflicted in that organizations adopt confidentiality regimes that make it difficult for people to actually do their job and, as a result, they bypass controls with unpredictable but inevitable data breach consequences.
The Ponemon report commented that "the investment required to prevent a data breach is dwarfed by the resulting costs of a breach" and " the return on investment (ROI) and justification for preventative measures is clear". Costs of data breaches - legal costs, the costs of restitution, brand damage, lost customers and so on - are significant; for financial services organizations, it was about £55 per compromised record.
Whilst not involving legal compliance, if an organization has a credit card-related data breach and is found not in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards.
All these factors make the protection of personal data a key business and compliance responsibility; the information security management standard ISO27001 provides a best-practice specification for an information security management system that would meet the requirements of the Data Protection Act 1998.
The most important steps for Data Protection Act compliance are:
As a minimum:
1. Encrypt all personal data on laptops; whole disk encryption is a more secure solution than folder or file level encryption, and FIPS 140-2 is the recognized standard for encryption engines.
2. Encrypt all removable and portable media that might contain personal data, including USB drives, CD-Roms and magnetic backup tapes.
3. Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.
4. Organizations that accept credit and other payment cards should also comply with the PCI DSS.
5. Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.
6. Deploy outward-bound channel (email, instant messenger) filtering software with customized dictionaries for relevant legislation such as DPA, PCI, etc
7. Establish a vulnerability patching program and implement anti-malware software.
8. Implement a business-driven access control policy, combined with effective authentication.
9. Develop an incident management plan that enables the organization to respond effectively to any data breaches.
Article Source: http://EzineArticles.com