At the end of February, a box of backup tapes went missing from a transport truck belonging to Archive Systems, a records storage company based in Fairfield, N.J. By mid-March, Bank of New York Mellon (BNY), custodian of the backed up data, had identified 409 institutions belonging to its Shareholder Services unit affected by the loss, and notified 270,000 individuals whose names, accounts, balances and other personal information was determined to be at risk.
Unfortunately, there were another four million records belonging to nearly 300 additional institutions to sort through – records that may or may not meet the criteria of two pieces of personally identifiable information (name, plus something like a charge account or Social Security number). Before the bank could complete its painstaking work, the Connecticut attorney general gave a press conference. Shortly after, at the end of May, BNY was slapped with a class-action lawsuit for failing to report in a timely manner.
“We have been at this since February,” says BNY spokesman Ron Sommer. “We hired an outside forensics firm to assist with analysis of a very large legacy database to determine what data was backed up at that time. Once you determine whose information is at risk, you need to find those individuals. This data isn't inherent in the systems we backup.”
The main lesson here is not just about how delays in reporting a breach can lead to lawsuits. Nor is it about putting contractual, quality inspections and other controls around contractors, which is important.
The hardest lesson is about how difficult it is to do the right thing in following data breach laws in the first place – especially when considering that most organizations simply don't report them. Yet, despite the motivational drivers to not report, those organizations that accept the consequences of going public are actually ending up with better security.
The wrong thing?
According to a May Gartner study, 21 of 50 U.S. retailers said they were certain they'd had a data breach, most of them occurring in the last year. Of those, only three reported. Bryan Sartin, vice president of investigative response for Verizon Business, is not surprised.
“Back in 2005, when California set the standard, it seemed like three-fourths of breach investigations on which we did forensics work had disclosure attachments,” he says. “In one case, I was in my hotel room literally putting on my tie to go to a client and start an investigation while watching the governor of that state make the breach announcement on TV.”
Now, with laws in 43 states (as of June) and multiple federal bills pending, it's rare that organizations even report, he adds.
Cultural impact and employee firings, negative publicity, fines, loss of business and lawsuits now associated with organizations that do report, offer little motivation to follow breach laws. Also offputting to many is the fact that these laws vary from state to state and could be usurped by one or more of four federal breach bills now in process.
Instead of going public, Sartin says breached organizations are looking for loopholes in state statutes, creating a whole cottage industry around sidestepping disclosure investigations.
Citing a statistical breakdown of more than 500 criminal cases contained in Verizon's 2008 Data Breach Investigations Report, Sartin notes that 70 percent of the time, a breached organization doesn't learn of the compromise from internal sources. Instead, they learn from their banks, customers or law enforcement. In this case, it gets fuzzy who reports it, Sartin says, and organizations start passing the buck.
Multistate organizations also move from state to state looking for the most favorable laws so they don't have to report – for example, loose encryption definitions in states where organizations don't have to report a loss if data is “encrypted.” If their encryption is bad, they'll go to the state with the loosest definition.
In worse cases, Sartin says, some enterprises even try to falsify reports.
The right thing?
Avivah Litan, distinguished analyst responsible for the Gartner retail study, agrees that negative backlash is holding organizations back from reporting. However, she also contends that despite their difficulties, breach laws are making organizations more secure by acting as a deterrent, something Sartin and others strongly agree with.
“If data breach laws didn't exist, we wouldn't see half the security upgrades we're seeing,” Litan says. “In my areas of banking and retail, most security spend is driven by compliance. Breach disclosure laws feed into compliance.”
For example, some of the early poster child breaches in finance and retail led to stronger, more functional PCI DSS (Payment Card Industry Data Security Standard) rules, Litan adds. And organizations that have had the unfortunate experience of a breach will spare no expense to avoid going through that again, she notes.
AT&T, for example, is rolling out full disk encryption to all its mobile computing devices after having to report a stolen laptop in May. Since such information shouldn't have left the premises on portable devices without explicit authority to do so, AT&T is also revisiting its training, says a spokesperson.
BNY is revamping its data and vendor management practices and looking for ways to build encryption into the backup processes of hundreds of institutional customers – a difficult task given the varying formats and legacy systems from which data is being backed up, Sommer explains.
Federal Red Flag guidelines under the Fair Credit Reporting Act is also new legislation feeding into reporting, says Litan. This legislation issues a November compliance date for all credit-extending organizations to have fraud detection systems that flag patterns of identity fraud.
The majority of financial institutions already have systemic fraud detection well in hand, says Litan. But the rest of the retail, public services and other companies extending credit to their customers will have to learn and borrow technology from financial services to meet these new requirements, she adds.
While she doubts the FTC will be able to enforce Red Flag laws, it will probably take some CheckPoint-like breach to trigger enforcement where the organization would be made an example of, she says.
Considering that instances of identity theft are rising most rapidly in states with the most mature breach laws, according to a June Dartmouth College report, titled Do Breach Disclosure Laws Reduce Identity Theft?, there's not much motivation to go public with breaches in the future.
“The effects of data breach laws are a mixed bag,” Litan says. “There are more than six million companies in the U.S. that must comply. The laws have only been around for a few years. It's not going to all happen overnight.”