
Cultivating Data Security: What's Real, What's Tail-Chasing

By Tracey E. Schelmetic, Editorial Director, Customer Inter@ction Solutions


It's been hard not to see evidence of the rising tide of criminal data thefts lately. This year alone, CitiFinancial's data breach was announced in June, LexisNexis's in April, and both Bank of America's and ChoicePoint's in February. These are only the highlights; there were many more, including banks, catalog companies and universities. Most organizations would like to avoid seeing their names in The Wall Street Journal under similar circumstances, but most of them are doing little more than crossing their fingers and hoping.

The problem is this: data security breaches can happen in many ways, so it's hard to know which tower to man most heavily. The ChoicePoint breach occurred when criminals posing as legitimate business customers asked to purchase, and were sold, the personal data of some 145,000 people. No hacking was involved: the attackers defeated the company's customer-vetting process, not its network defenses.

Congress Wakes Up, Then Hits the Snooze Button
The string of data breaches has drawn strong responses from both parties in Congress, though thus far there is little evidence that the many bills that have been drawn up are progressing to where they need to be: laws. As of the writing of this article, there were 22 bills in Congress dealing either directly or indirectly with identity theft. (One of these is a rather odd bill, S. 884, introduced to "conduct a study evaluating whether there are correlations between the commission of methamphetamine crimes and identity theft crimes.") Other bills that have been introduced address identity theft and anti-phishing, Social Security number protection and customer notification of data breaches.

Part of the problem with data security legislation is in knowing where to start. Bruce Schneier, internationally renowned security technologist and author who has been described by The Economist as a "security guru," said legislators' efforts should focus on making companies accountable for data theft. "Make companies liable for leaking identity information," said Schneier. "Make companies liable for the effects of fraudulent transactions; that is, if a bank or credit card company accepts a fraudulent transaction in my name that is not made by me, they should be liable for the losses that incur because of that mistake."

When I asked Schneier whether Congress is always two steps behind both technology and its potential abuses because legislators do not understand the technologies well enough to get a grip on how to protect consumers, he told me that it doesn't matter, and he laid the blame at a different door. "It has nothing to do with being savvy enough," he said. "Legislators and judges have staffers who understand technology. It's simply that there is too strong a lobby (it directly affects legislators and pays for litigators that affect judges) preventing any real solutions."

California, The Early-Warning Beacon
At the state level, California's SB 1386 is the only state data breach disclosure law on the books. It requires a company that maintains a database of personal information on consumers to notify those consumers when their unencrypted personal data are acquired, or are reasonably believed to have been acquired, by an unauthorized party. (The encryption carve-out matters in practice: a lost laptop or backup tape holding encrypted records does not, on its face, trigger a notice, which gives companies a concrete reason to encrypt stored customer data.) It's taken as conventional wisdom that, were it not for this California law, U.S. consumers would have been none the wiser about the data breaches at ChoicePoint, LexisNexis, Acxiom, Bank of America and other companies until mysterious designer clothing purchases and tickets to Tahiti started showing up on their credit cards.

The problem is that, during the damage-control proceedings these companies initiated, they inadvertently did themselves more harm. When they told customers, "Look, we won't sell your Social Security numbers, driver's license numbers and income details to anyone anymore," consumers didn't say, "Great!" They said, "Where did you get off selling that information in the first place?" The ugly reality is that few people were aware how much of their deeply personal information is bought and sold daily in Corporate America. Now that they know, they're becoming increasingly angry, and the phrase "legislative backlash" keeps coming up in discussions of what's on the horizon for data brokers or any company that keeps personal customer data in its systems.

In March of this year, U.S. Sen. Charles E. Schumer (D-NY) released a statement hard on the heels of the disclosure that DSW, an Ohio-based shoe retailer, was investigating the theft of customer credit card information. Said Schumer, "ChoicePoint has become a rallying point for consumer advocates in the Congress to do something substantial about the weak national laws to protect Americans' privacy. These new incidents of identity theft through stolen credit card information at DSW, and through account fraud at LexisNexis, should force Congress to act soon to bolster our pitiful privacy protections for consumers." Among his top agenda items, Schumer counts protecting consumers from predatory loan offers and putting reins on some of the excessive fees and interest rates many credit card companies regularly levy on consumers.

Additionally, Sen. Dianne Feinstein (D-CA) has put forward several bills aimed at preventing identity theft.

First, there is the Notification of Risk to Personal Data Act (S. 115), a federal bill modeled on the California law, which defines sensitive information as a Social Security number, driver's license number, state identification number, bank account number or credit card number. The bill would require "a business or government entity to notify an individual when it appears that a hacker has obtained unencrypted personal data; levy fines by the FTC of $5,000 per violation or up to $25,000 per day while the violation persists; and allow California's privacy law to remain in effect, but preempt conflicting state laws." The bill was introduced in January, read twice and referred to the Committee on the Judiciary.

The second of Feinstein's bills, presented with cosponsors, is the Social Security Number Misuse Prevention Act (S. 29), which would "regulate the use of Social Security numbers by government agencies and private companies by prohibiting the sale or display of Social Security numbers to the general public, and by requiring Social Security numbers to be taken off of public records published on the Internet." S. 29, like S. 115, was introduced in January, read twice and referred to the Committee on the Judiciary. The bill was cosponsored by Sens. Judd Gregg (R-NH), Bill Nelson (D-FL), Patrick Leahy (D-VT) and John Sununu (R-NH).

Finally, there is the Privacy Act (S. 116), which would require an individual's consent before any company can sell or market that consumer's personal information.

Also fluttering around Congress since March 2005 are the Information Protection and Security Act (H.R. 1080), a bill that would "regulate information brokers and protect individual rights with regards to personally identifiable information," and the Social Security Numbers Protection Act (H.R. 1078), designed to "strengthen the authority of the Federal Government to protect individuals from certain acts and practices in the sale and purchase of Social Security numbers and Social Security account numbers, and for other purposes." Both are backed by Nelson and Rep. Edward Markey (D-MA).

The Senate Judiciary Committee held a hearing on April 13, 2005, titled "Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use," which included on the panel representatives from the Federal Trade Commission, the FBI, the Secret Service, the National Association of Attorneys General, ChoicePoint, LexisNexis, Acxiom Corp., the Center for Democracy and Technology, and PrivacyToday.com.

During the course of this hearing, Leahy stated, "Our hearing today is not about shutting down these data brokers or abandoning their services. It is about shedding a little sunshine on current practices and weaknesses, and establishing a sound legal framework to ensure that privacy, security and civil liberties will not be pushed aside in this new and evolving age." The Vermont senator went on to say that companies such as LexisNexis and ChoicePoint "play a legitimate and valuable role in the information economy. Their data services facilitate important commercial transactions, improve hiring decisions, deter fraud, assist law enforcement and enhance homeland security. But as with any other significant beneficial industry, the information industry is subject to mistakes, abuse and unintended consequences that can flourish absent transparency, oversight and proper boundaries."

Sen. Russ Feingold (D-WI) focused his talk on the uses the U.S. government is making of such information and how it may impact U.S. civil liberties. (The Federal Government is a large customer of private data dossiers.) During Feingold's Committee address, he discussed his Data Mining Reporting Act, "which would require all federal agencies to report to Congress on data mining programs used to find a pattern indicating terrorist or other criminal activity and how these programs implicate the civil liberties and privacy of all Americans. The bill does not end funding for any program, does not determine the rules for use of the technology or threaten any ongoing investigation that uses data mining technology. But it would allow Congress to conduct a thorough review of the costs and benefits of the practice of data mining and make considered judgments about which programs should go forward and which should not."

It's not hard to see a case of "too many cooks spoiling the enchiladas" here. Many of the bills in both houses of Congress overlap with and contradict one another. It would help if the issues were addressed by a united front, with a single bill covering all the bases.

From The Consumer Side
According to the FTC, there are four steps that should be taken when one becomes a victim of identity theft:

• Contact the fraud department of any one of the three major credit bureaus (visit tmcnet.com/171.1 for more information) to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or making any changes to your existing accounts. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will automatically be notified to place fraud alerts. Once the alert is placed, you may order a free copy of your credit report from all three major credit bureaus.

• Close the accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit (tmcnet.com/172.1) when disputing new unauthorized accounts.

• File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.

• Visit tmcnet.com/170.1 to file a formal complaint with the FTC. The FTC maintains a database of identity theft cases used by law enforcement agencies for investigations. Filing a complaint also helps the FTC learn more about identity theft and the problems victims are having so that the agency can better assist you.

At The Enterprise Level
If you're an enterprise that collects large amounts of customer data, you have a double whammy to worry about: your own personal information, and the information your company keeps, which is vulnerable to theft and abuse. I asked Schneier to identify the single most important process a company holding customer data should put in place. Hands down, he said, it is security monitoring.

"There's no other way to deal with unknown threats, dedicated attackers or employee error," said Schneier. "If you don't know what's happening on your network, you don't have a chance of stopping the bad guys."

Second to that, according to Schneier, is training and education of all company employees, so that they understand what data theft is, what its repercussions are, and how to spot the warning signs that the company's infrastructure is being breached. Next, understand what NOT to do.
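What "knowing what's happening on your network" looks like for a company that holds customer records is an application-level audit trail plus something that actually reads it. The block below is an added example, not code from this article or from Schneier. It assumes a hypothetical audit format of one line per customer-record read (`<ISO-8601 timestamp> <user> READ customer=<id>`) and runs over a constructed sample log, computing two per-user signals: the peak number of distinct customer records read inside any ten-minute window, and the number of reads made outside business hours. The threshold of 50 records and the 08:00 to 18:00 business day are assumptions to be tuned against a real baseline.

```python
"""Detecting bulk customer-record reads in an application audit log.

Added example, not from the article or from Schneier. It assumes a
hypothetical audit line format, one line per customer-record read:
    <ISO-8601 timestamp> <user> READ customer=<id>
Neither signal computed here proves wrongdoing; they are the kind of
thing monitoring has to surface so that a human can look.
"""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Read = namedtuple("Read", "ts user customer")
LINE_RE = re.compile(r"^(\S+) (\S+) READ customer=(\d+)$")


def parse_line(line):
    """Return a Read for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    return Read(ts, m.group(2), int(m.group(3)))


def peak_distinct_reads(lines, window=timedelta(minutes=10)):
    """For each user, the largest number of distinct customer records read
    within any sliding `window`, as {user: (window_start, count)}."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_user[rec.user].append(rec)
    peaks = {}
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r.ts)
        in_window = Counter()  # customer id -> reads currently inside the window
        start = 0
        best = (recs[0].ts, 0)
        for rec in recs:
            in_window[rec.customer] += 1
            # advance the left edge until the window is no wider than `window`
            while rec.ts - recs[start].ts > window:
                old = recs[start].customer
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > best[1]:
                best = (recs[start].ts, len(in_window))
        peaks[user] = best
    return peaks


def off_hours_reads(lines, start_hour=8, end_hour=18):
    """Count reads per user made outside the [start_hour, end_hour) business day."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and not (start_hour <= rec.ts.hour < end_hour):
            counts[rec.user] += 1
    return dict(counts)


def analyze(lines, threshold=50):
    """Flag users whose peak distinct-record count reaches `threshold`, report
    off-hours activity, and count lines the parser rejected (those need
    eyes too: a monitor that silently drops malformed input is blind)."""
    peaks = peak_distinct_reads(lines)
    return {
        "bulk": {u: p for u, p in peaks.items() if p[1] >= threshold},
        "off_hours": off_hours_reads(lines),
        "unparsed": sum(1 for line in lines if parse_line(line) is None),
    }


def build_sample_log():
    """Constructed sample log (not real data): two agents doing routine lookups,
    plus 'jdoe', who works normally by day and then reads 120 distinct records
    in eight minutes at 22:00, the shape of an export."""
    def fmt(ts, user, cid):
        return f"{ts.isoformat()} {user} READ customer={cid}"
    day = datetime(2005, 6, 1, 9, 0, 0)
    lines = []
    for i in range(12):
        lines.append(fmt(day + timedelta(minutes=7 * i), "asmith", 10000 + i % 8))
        lines.append(fmt(day + timedelta(minutes=11 * i), "bjones", 20000 + i))
    for i in range(5):
        lines.append(fmt(day + timedelta(hours=2, minutes=15 * i), "jdoe", 30000 + i))
    night = datetime(2005, 6, 1, 22, 0, 0)
    for i in range(120):
        lines.append(fmt(night + timedelta(seconds=4 * i), "jdoe", 30100 + i))
    lines.append("2005-06-01T22:09:00 jdoe LOGOUT")  # not a READ; the parser rejects it
    return lines


if __name__ == "__main__":
    for user, (when, n) in analyze(build_sample_log())["bulk"].items():
        print(f"ALERT {user}: {n} distinct customer records read starting {when}")
```

Counting distinct records rather than raw reads keeps an agent who re-opens the same account a dozen times from tripping the alarm, and reporting one peak window per user rather than one alert per record keeps a single burst from flooding whoever is on watch. On the sample log, only `jdoe` is flagged, with 120 distinct records in the 22:00 window and 120 off-hours reads.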

I asked Schneier what the biggest mistakes made so far have been, particularly by the companies whose data losses have been prominent and infamous. First, he pointed to the assumption that covering up the breaches, or their extent, was a good idea. Second, he said, these companies assumed that because they were spending some money on security, they were safe.

In the introduction to the second edition of his book, "Secrets and Lies," Schneier states that the problem a lot of companies have today is that they've become very complex. "Simply put, complexity is the worst enemy of security. As systems get more complex, they necessarily get less secure." (Visit his Web site at www.schneier.com for more information.)

The idea here is that no company is completely safe, nor will any company ever be. Even if your security procedures are cutting edge, expert approved and fully operational, there's always the disgruntled employee who downloads 5,000 Social Security numbers and bank account numbers before he quits, then subsidizes his unemployment by selling that valuable information to identity thieves. I asked Schneier whether companies could ever do anything to protect against this type of employee-perpetrated data leak.

His response was not comforting. In a word: "No."


