Intrusions at merchants and universities, lost backup tapes – just about everything is being classified as identity theft, from lost data to cases where an identity actually is stolen. Phishing and pharming (I hate cute names for criminality) are adding to the concern.
There is little doubt legislation will soon be passed in the U.S. The states are already passing laws, most requiring customer notification similar to California's SB1386.
And regulatory guidance has been added to GLBA requiring the notification of regulatory agencies, law enforcement and customers about any compromise of customer information when there's a reasonable possibility of it being misused.
There is a lot of talk about two-factor authentication, too. But while I'd be the first to say that we should have moved beyond passwords as an authentication mechanism years ago, it seems clear that organized crime is ready to move to other attack methodologies as soon as two-factor becomes prevalent.
If the purpose is to stop phishing, why spend large amounts of money on something that will only solve the problem for a short time?
Encryption is also being suggested as a mandatory control. After all, if we encrypt all the customer data, it will be protected, right? Well, maybe – if it can even be done.
Lost mainframe tapes are not very useful unless you have access to the mainframe they run on. What would it cost to encrypt them and how much will the security of that information be improved? Most large businesses have customer data in multiple computing environments.
And have you come across any encryption products that can encrypt data in every type or brand of database currently in use? No, neither have I.
Key management is critical to any encryption implementation. One of the greatest dangers with encryption is the possibility of key compromise. If the compromise goes undetected, the thief can steal information over a protracted period of time. And what about all those paper files holding customer information? Encryption is an answer – and an answer that should be aggressively pursued. But it is not a panacea.
So what should be done? I would endorse extending GLBA to other components of the system and providing the regulatory oversight and scrutiny to go along with it. It will get results without prescribing a solution that may break more than it fixes.
I would also like to see the Payment Card Industry Data Security Standard rigorously enforced at all levels.
I don't think we need more laws – just better enforcement of the ones we have.