The financial crisis could be more costly than you think.
7:51 am on September 25, 2008 | By Tim Lavelle | In data encryption, information security, risk management

I have read two recent articles that are troubling: “IT administrators admit they would steal data” and “When Credit Crunch = Data Security Crunch”. Both discuss the likelihood that employees would steal from their employers if they were laid off or otherwise perceived that their loyal service to their organization was not being reciprocated. Especially in these difficult times, companies and organizations should recognize that it is increasingly risky to rely on their employees to be an integral part of their data security posture. What, you say, are you asking them to do? If you demand that sensitive data not leave the building on laptops, are you sure this is not happening? If you instruct your employees to transport and store their laptops out of sight, are they? And how about protecting their passwords? Does anybody share and/or write down their passwords in your organization? Even if you encrypt the data on a laptop, are you aware that all it takes is the password to decrypt that data? Do you really want to depend on your users to comply with all of your data security policies if there are technologies available that could effectively remove the user from that equation?
New economic threat: Vulnerable data.
1:26 pm on September 19, 2008 | By Scott Pierson | In data breach, information security, risk management

In times of economic downturn, one of the first things organizations cut is security and compliance projects. It is also the worst time to cut in these areas. When the economy is unstable, the threats against data security increase. You have more IT-savvy individuals out of work and sometimes desperate. You may also have made cuts in your own IT staff. A recent survey of 300 IT administrators found that 88 per cent said they would steal company secrets if they were laid off. IT staff know where you may be vulnerable and also have greater abilities to gain unauthorized access to your data. So many organizations just don’t see the immediate need for protecting sensitive data because they have yet to experience a loss. The key word here is “yet”. If your organization is currently feeling the pinch of this tight economy, just think how much worse it would be if you were to have a publicized data breach. Laptop data security is critically important, and the threat is made evident by more and more losses publicized every month. Data encryption and trigger-based actions taken to secure or delete at-risk data are easy to implement and are the best insurance against making tough times tougher.
What will it take to get businesses to care about your privacy?
9:54 am on September 12, 2008 | By Meghan Whelan | In data breach, information security, risk management, security policy

In a recent blog post on WSJ.com, Why All the Data Breaches? Businesses Just Don’t Care, Bruce Schneier, chief security technology officer at BT Group, weighed in on the staggering number of data breaches we’ve seen this year. “For the most part a company doesn’t lose its data, they lose your data,” Schneier said. The victims of the breach, Schneier went on to say in his interview, “are often powerless to punish the business that exposed the record because they can’t link the fraud to a cause.” Indeed, the legal precedents in this type of case support Schneier’s statement. In recent years, several class action suits have been brought against companies that lost consumer data. According to The New York Law Journal, in Randolph v. ING Life Insurance & Annuity Co., plaintiffs brought a consumer class action in District of Columbia federal court for invasion of privacy, gross negligence and negligence against ING following an announcement of the theft of an employee laptop from that employee’s home containing the personal information of 13,000 government workers and retirees. In Guin v. Brazos Higher Education Service Corporation Inc., the plaintiff brought a negligence suit against Brazos after it announced the theft of a laptop containing personal information for 550,000 customers. Both judgments ruled in favor of the defendant, citing that the plaintiff “proved no actual damages and, thus, no ‘recognized injury.’” But is this enough reason for companies to simply ignore the security protocols that protect consumer data? And do you really think consumers experienced no “recognized injury” knowing their social security numbers and private information were in the hands of criminals? Anyone who has ever been the victim of identity theft will probably tell you it’s not something you just “move on” from. The effects can last for years.

“Schneier says that what is happening in the tech-security world is a market failure similar in nature to what has happened with global warming: There is a problem that everyone is contributing to, but individual businesses don’t have a reason to do anything about it,” according to the WSJ.com article. In the comments on this post, reader Steve Muck suggests “a better approach is the adoption of national technology standards applied to IT systems and networks designed to safeguard PII. This approach recognizes that human error will always be problematic so why not leverage technology to reduce the likelihood of human error associated with PII handling. As an example and following the Federal Government lead, require encryption of all data used by industry. This action alone will significantly reduce the risk of harm.” And another reader adds, “It is one thing to impose criminal and civil penalties on businesses, but what do you do with the federal government?” Indeed. What about the breach at the Veterans Administration that exposed the personal information of millions of American veterans? There is an ongoing case against the VA that could change the precedent. With claims of $1,000 per veteran (or $26.5 billion), a settlement in favor of the plaintiffs might very well inspire government–and businesses–to “care.”
Security News Brief: 09-09-08
9:49 am on September 9, 2008 | By Meghan Whelan | In data breach, information security, laptop security, laptop theft
Dell’s Kill Switch
12:04 pm on September 4, 2008 | By Jeff Rubin | In data destruction, kill switch, laptop security

In a recent CNBC.com interview, when confronted with the scenario of a business laptop filled with sensitive data being accidentally left in a taxicab, Michael Dell explained the need for businesses to have access to a mechanism to “remotely kill the data on the device (laptop) if the device is lost”. He went on to report that Dell offers such “Mission: Impossible” capability. One can infer from this that Dell offers an Internet-based kill switch that allows the business administrator to remotely wipe all data if it ever again connects to the Internet. That’s a great start, but what if the crook doesn’t let it connect? Laptops need to be able to protect themselves by having behavior- and time-based triggers that can take self-protective actions even if they never connect to a server again. And, of course, the data needs to be encrypted as well. This is the security that PC makers should really offer. A kill switch is nice, but Mission: Impossible’s Mr. Phelps never connected the tape recorder to anything like the Internet – it simply self-destructed with a timer.
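The design argued for in this post and in “New economic threat: Vulnerable data” above (encryption plus behavior- and time-based triggers that act without a server) can be modelled in a few dozen lines. The following is an added example written for this page, not Dell’s product or any vendor’s code. It assumes a toy agent that keeps the data-encryption key only in password-wrapped form and crypto-shreds that wrapped key when an offline lease expires, when too many unlock attempts fail, or when a server kill command does arrive; the HMAC-SHA256 keystream stands in for a real AEAD cipher such as AES-GCM, and all sample data is constructed.

```python
"""Toy self-protecting laptop agent (added illustration, not vendor code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

PBKDF2_ITERATIONS = 100_000  # password stretching for the key-encryption key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style toy cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Stand-in for AES-GCM; same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Vault:
    salt: bytes
    wrapped_dek: Optional[bytes]   # the only copy of the DEK; None once shredded
    wrap_nonce: bytes
    wrap_tag: bytes                # HMAC over the wrapped DEK: detects wrong password
    ciphertext: bytes
    data_nonce: bytes


def create_vault(password: str, plaintext: bytes) -> Vault:
    dek, salt, wrap_nonce, data_nonce = (os.urandom(n) for n in (32, 16, 16, 16))
    kek = derive_kek(password, salt)
    wrapped = keystream_xor(kek, wrap_nonce, dek)
    tag = hmac.new(kek, wrap_nonce + wrapped, hashlib.sha256).digest()
    return Vault(salt, wrapped, wrap_nonce, tag, keystream_xor(dek, data_nonce, plaintext), data_nonce)


def unlock(vault: Vault, password: str) -> bytes:
    """Return plaintext; raise PermissionError on wrong password or destroyed key."""
    if vault.wrapped_dek is None:
        raise PermissionError("key material destroyed; data unrecoverable")
    kek = derive_kek(password, vault.salt)
    expected = hmac.new(kek, vault.wrap_nonce + vault.wrapped_dek, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault.wrap_tag):
        raise PermissionError("wrong password")
    dek = keystream_xor(kek, vault.wrap_nonce, vault.wrapped_dek)
    return keystream_xor(dek, vault.data_nonce, vault.ciphertext)


@dataclass
class Agent:
    vault: Vault
    max_offline_seconds: int   # time-based trigger: lease renewed only by a server check-in
    max_failed_unlocks: int    # behavior-based trigger
    last_checkin: float
    failed_unlocks: int = 0
    log: List[str] = field(default_factory=list)

    def checkin(self, now: float, server_says_kill: bool = False) -> None:
        """Online path: the Internet kill switch, or a lease renewal."""
        if server_says_kill:
            self.shred("remote kill command")
        else:
            self.last_checkin = now

    def evaluate_triggers(self, now: float) -> None:
        """Offline path: runs at every boot/wake with no network needed."""
        if self.vault.wrapped_dek is None:
            return
        if now - self.last_checkin > self.max_offline_seconds:
            self.shred("offline lease expired")
        elif self.failed_unlocks >= self.max_failed_unlocks:
            self.shred("too many failed unlock attempts")

    def shred(self, reason: str) -> None:
        """Crypto-shred: destroying the wrapped DEK makes the ciphertext worthless."""
        self.vault.wrapped_dek = None
        self.log.append(reason)

    def try_unlock(self, password: str, now: float) -> Optional[bytes]:
        self.evaluate_triggers(now)
        if self.vault.wrapped_dek is None:
            return None
        try:
            plaintext = unlock(self.vault, password)
            self.failed_unlocks = 0
            return plaintext
        except PermissionError:
            self.failed_unlocks += 1
            self.evaluate_triggers(now)   # may shred on this very attempt
            return None


def demo():
    """Laptop stolen on day 0 and kept off the network; 7-day offline lease."""
    secret = b"customer SSN list (constructed sample data)"
    day = 86_400
    agent = Agent(create_vault("correct horse", secret), 7 * day, 5, last_checkin=0.0)
    works_in_lease = agent.try_unlock("correct horse", now=2 * day) == secret
    after_expiry = agent.try_unlock("correct horse", now=10 * day)  # None, even with the password
    return works_in_lease, after_expiry is None, agent.log
```

The point the post makes shows up in `demo()`: inside the lease the correct password opens the data, but once the device has been kept offline past the lease it has already shredded its own key, so the password alone no longer decrypts anything, which is the gap an Internet-only kill switch leaves open.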