While going through some FAA manuals, I was reminded of a particular term that is highly applicable in the world of cybercrime. It is referred to as the “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage. Take, for instance, some of the largest data breaches to date – such as the those experienced by TJX Companies or Heartland Payment Systems (which I've written about in the past here and here).
When the chain of events is unraveled, interesting details begin to unfold – one after another. These are obviously valuable lessons so that the majority of companies can take steps to protect themselves from these severe incidents in the future. But there will always be another way to “get to the goods.”
What are “the goods”? They are, primarily, the unencrypted customer information that resides deep within the core of organizations. In August 2008, I read a Yankee Group analyst research paper by Phil Hochmuth entitled, “Anywhere Data is Powerful, Data Everywhere is Dangerous.” In this paper, Phil discusses the challenge of data security and an increasingly untethered workforce. While that particular paper's focus covered the mobile workforce, it also conveys the key point applicable to all businesses: Customer data is essential to running a business and supporting our customers, but it can also be considered a dangerous liability that must be well-protected.
Three proposed solutions to securing customer data.
- End-to-end encryption (E3). In this context it is from where data is captured, through all intermediaries to the final credit issuer or debit gateway endpoint (https://www.e3secure.com/pdf/E3Security_Model.pdf);
- Mandatory encryption of personally identifiable information (PII) at rest and in motion (this brings up painful key management issues);
- Heartland is requesting the Accredited Standards Committee X9 (ASC X9) develop a standard to protect cardholder data.
Data breach consequences. There are a slew of consequences that can impact companies after a breach occurs. Some of them bandied about by industry experts are noted below:
- According to the Ponemon Institute's 2009 Annual Study “U.S. Cost of a Data Breach,” the average cost of a data breach (per record) is $204;
- Loss of sales;
- Investigation and notification costs;
- Fines and litigation;
- Cost of credit monitoring service;
- Interruption of operations;
- Last, but definitely not least, brand erosion (reputation, customer trust).
Regulatory compliance mandates that may impact breached organizations. Of course, many organizations began really paying attention to protecting data as a result not only of some of the consequences noted above, but also because of various industry and government compliance mandates. A sampling includes:
- Health Insurance Portability and Accounting Act (HIPAA);
- Sarbanes-Oxley (SARBOX);
- Graham-Leach-Bliley Act (GLBA);
- Payment Card Industry Data Security Standard (PCI DSS);
- Federal Information Security Management Act (FISMA).
These are but a few points that are relevant to data breaches of all sizes – not only those that potentially revealed more than 100 million customer records in one incident. Keep in mind that at the time of the breaches, the companies I mentioned were PCI compliant. This should reinforce the point that we still have a long way to go to secure our data and reduce the severity of data breaches.
Data security risk is as unlimited as human intelligence, ingenuity and ignorance.