Industry View
When the Dike Breaks: Responding to the Inevitable Data Breach
Have you taken steps to prevent AND plan for a breach of your data security?
December 06, 2005 — CSO —
The California Information Practice Act of 2003, also known as SB-1386, was the nation’s first law requiring notice to those impacted by a loss of personal information. Notice given under that statute in 2005 set off an avalanche of press regarding one data breach after another, and legislatures nationwide jumped on the breach disclosure bandwagon. So far, as many as 19 different states have passed such legislation. Congress is considering some nine different bills, some of which are sweeping in scope.
It has been said that SB-1386 "uses fear and shame" to make companies take information security more seriously. That may be the desired result, but the dozens of stories in the media over the past year suggest that data security has yet to improve markedly. One fact has been made clear: Data breaches come in many forms. The breaches reported in 2005 have resulted from hacking incidents, viruses, lost or stolen computer equipment, vendor mistakes, employee mistakes and fraud by data thieves. Apart from legislation, the sheer variety of data breaches should be enough to strike fear in anyone who has responsibility for managing and protecting data. But the list of entities reporting data breaches this year should also be convincing evidence that no amount of fear or shame will lead to a commercial atmosphere in which data breaches cease. The list includes two of the world’s largest financial institutions (Bank of America and CitiFinancial), three respected research institutions (Cal Berkeley, Boston College and Tufts), and two U.S. government agencies normally associated with the ability to keep a secret (the IRS and the Justice Department).
It is also fair to assume that the threat of public shame will not soon subside. ChoicePoint was not the first to report a breach in compliance with SB-1386, but it became a national media target because the story of its breach caused many Americans to realize for the first time that the collection of personal data is a business. The reaction by many was visceral. Given the simplicity of these "stories of shame" and the very predictable response from the public, they will continue to be newsworthy.
The takeaway is simple: No one is immune. There are companies whose core business is the collection of data. But many other businesses collect "personally identifiable information," not because they want to, but because it is unavoidable. Airlines, for instance, request identification upon check-in. Often, the ID number is entered into the airline’s computer system for future security reference. Hotels often request and record similar information. Couple that information with a credit card number and, like it or not, these companies are in the data collection business.