Lax Breach Laws Endanger Businesses
Weak Notification Requirements Hurt Consumers
Data breaches continue to impact organizations, and cyberattacks are usually to blame. In fact, hacking was behind most large-scale breaches in 2011, according to a study conducted by the Identity Theft Resource Center.
Over the past five years, the ITRC has categorized nearly 700 breaches. [See the ITRC's state-by-state breach analysis.]
Karen Barney, who oversees research at the ITRC, says organizations need to develop formal processes to review and evaluate their systems and breach response policies.
"What information is being gathered and how is it being safeguarded?" Barney asks in an interview with BankInfoSecurity's Tracy Kitten [transcript below]. "If there's important information to be protected, then measures need to include strong passwords and encryption."
Organizations also need to review the reasons why they're collecting certain information in the first place. If the data isn't relevant, why have it?
"There need to be protocols for both electronic data destruction as well as paper files," she says.
During this interview, Barney discusses:
- Steps banks, business and government are taking to notify consumers after breaches;
- How adequate breach notification impacts branding and reputation;
- How insufficient breach notification has impacted reporting figures.
Barney, a former victim of identity theft, has served in a variety of positions for the Identity Theft Resource center since joining in 2002. In her current role as the center's program director and research analyst, she provides and disseminates information about the center and its data. Barney presents ID theft statistics to civic and community organizations, especially where cybersecurity risks, consumer and business best practices, and protection of PII are concerned. She also plays an active role in most of the ITRC's partnerships.
TRACY KITTEN: In this most recent analysis, the ITRC compares breach stats from 2007 all the way through 2011. The breaches continue to increase though the percentages have shifted a bit. What stands out to you about the results that were collected in 2011?
KAREN BARNEY: The main things that we were seeing throughout 2011 were breaches that were occurring as result of hacking and in 2011 that represented nearly 26 percent, which is a significant jump from 2010. Following that, we have data on the move and in that area we showed that the medical industry and business seemed to suffer the highest percentages in those two categories. Other types of causes would basically include insider theft, accidental exposure and subcontractor incidents. Those statistics vary from one industry sector to the next.
KITTEN: That's a perfect segway into my next question, and that was to ask if you can explain a bit about how the ITRC defines and categorizes breaches.
BARNEY: Basically since 2005, we've been identifying five industry sectors: business, educational, government, military, medical healthcare and the banking credit financial sector. Since 2007 the business sector has consistently held the number-one spot for the highest number of breaches, growing to nearly 50 percent in 2011. Following that is the health medical sector, and then it goes down from there.
The banking credit financial industry we identify specifically as credit or cash issuers, credit cards, bank loans, they are the bank's credit unions, mortgage brokers, credit card providers, or those entities which extend money. Businesses can be subcontractors which provide third-party services for all of the other industries. Medical healthcare is the medical provider or the insurance provider and government military is any city, county, state, national or military entity.
Further categorization is the type of breach that has occurred, which I mentioned earlier, the insider employee threat, which we consider to be a malicious attack; data on the move we consider to be accidental. It might be the laptop stored in the back of a car. Hacking is again malicious. Accidental exposure is somebody inadvertently leaves something up on a website that's discovered down the line. And subcontractors can actually be an occurrence of any of the above. It's just going to depend on how that type of breach occurred.
Collecting Breach Figures
KITTEN: What about the breach figures themselves? How are the breach figures collected?
BARNEY: The breach figures are collected pretty much on a daily basis by reviewing other credible public resources that are available online. Basically, we review all of the attorneys general offices that make this information available. There are the media sources as well as the other entities out there that capture this information from what they're finding on publicly available sources.
KITTEN: Now since not all states have breach notification laws and because laws and requirements vary so much from state to state, what special consideration should we take into account when we review this data?
BARNEY: Basically that this information is only the tip of the iceberg. Because there's inconsistent and incomplete information provided, 41 percent of our reported breaches are categorized as unknown. That means we don't know how they happened. We don't know what kind of information was compromised. So there are too many variables that are inaccurate or incomplete. We currently know that a number of breaches go underreported or unreported. We've heard this from several business entities that actually provide breach mitigation efforts to breaches that never make the list. There are a number of breaches that underreport the details. They don't clearly define the specifics, and there are a number of breaches that are incomplete as to how the breach occurred.
Underreporting of Data Breaches
KITTEN: Do you see more breaches being reported now than in years past?
BARNEY: Actually, we don't. The number of breaches that we captured this year, for 2011, was down significantly from the number that we did report in 2010, down by about 37 percent. Now in reality, there are other industry reports that do reflect higher numbers, but they use different criteria for how they define and report on a data breach incident. As to the decrease, again we feel that it's due to underreporting and in some cases no reporting. With 47 state breach notification laws, I think a lot of businesses don't really know how many laws they have to deal with when it comes to reporting.
KITTEN: In what industry or what sector have you seen the largest increase in reported incidents?
BARNEY: That would definitely be business. Since 2005, every year the business sector has grown from 17.8 percent, when we first started in 2005, up to nearly half, 47 percent in 2011. Another industry demonstrating growth is the health medical industry, which again, 8.3 percent in 2005, it was up to 20.5 percent, or one in five of the breaches, last year.
KITTEN: On the internal compromise front, I found a few figures related to insider compromises, subcontractor compromise and unintentional or accidental exposure interesting. Individually, percentages for those three categories have remained relatively steady for the last three to four years. But is it safe to lump those three together, and if so what does it tell us about internal security risks?
BARNEY: The ITRC would not be inclined to combine these categories. By definition insider employee theft is when someone inside the company participates in stealing records. It's therefore malicious in nature and is frequently combined with our hacking statistics. We're going to be adding a new category of employee error/negligence in our new reports, because other surveys and studies do include that as a category so it's something that we figure that we should recognize. We will not have comparison figures for past years, but it will enable us to know where we are going forward. The accidental web, Internet exposure is just that. It's accidental and it really wouldn't be seemingly appropriate to categorize that in any sort of area that would be malicious in nature. And as subcontractors, as more and more companies subcontract out, it's really kind of hard to say, because as to subcontractors it would all depend on the type of the breach. The issue here is who's responsible for protecting the information. And I know that more and more efforts are being placed on educating those who have subcontractors and third-party entities providing services to know that they have to vet and verify the security practices of those third parties.
Preventing Data Breaches
KITTEN: Then what should organizations be doing to help prevent some of these breaches, or to protect themselves against some of these threats?
BARNEY: Organizations and businesses of all sizes, from corporate down to small and medium-size businesses, need to have a formal review process to evaluate several areas of concern. One is: what's the information being gathered and does it need to be safeguarded? With breach notification laws varying, there's no real demand to protect or safeguard things like passwords, e-mail addresses and non-personal information. I believe that needs to be reevaluated. If there's important information to be protected, then measures need to include strong passwords and encryption for protecting that information. Review needs to be determined to clearly identify the reason for collecting the information in the first place. Is it relevant? I think there needs to be the concern over whether or not the information is necessary to continue business or is it redundant and maybe able to be truncated or minimized.
And if there are policies in place limiting access to this information, tiered passwords and tiered access are all things that need to be considered. Also, how long is the information going to be stored and how will it be stored? That includes the onsite and offsite considerations, as well as reviewing those third-party and subcontractor's security practices. And last but not least, how's the information going to be disposed or destructed at the end of its life cycle? There needs to be protocols for both electronic data destruction as well as paper files, and even though paper files are not mandated as being covered under most breach notification laws, unfortunately when it's exposed it puts many consumers at risk. So the importance of shredding paper documents should not be minimized even though there's no mandate in protecting those paper documents.
KITTEN: Finally, how should banks as well as other organizations view and digest this data? What can they glean from it and how should they use it to make improvements?
BARNEY: As one looks into these numbers, the various business sectors can see where they have strengths and where they have weaknesses. The business sector has a definite weakness and vulnerability under hacking which is going to fall under IT in making sure that there are security measures in place to protect against that. Insider theft ranks high under business, as does data on the move. On the other hand, education, government does really well in those categories. I won't say they can rest ... and say that they're doing so great; they don't need to consider looking at it. But on the other hand, they have shown strengths and strong promise in protecting those areas. On the other hand, medical has shown some weaknesses on data on the move and as more and more records become electronic and mobile due to mobile devices, that's going to be a significant area of concern, and also insider theft is a growing issue in medical as well from years past.