Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).
The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”. Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers information was obtained by malicious hackers. Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers PII.
More and more entities are now tracking data breach occurrences by:
- Industry sectors (categories): Business, educational, government, medical, financial
- Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen. In some cases, discarded paper documents.
- various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published
While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences. Differing filters applied by each monitoring entity as to what qualifies as a data breach on any given list create some divergence in comparison of breach lists. These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records have been compromised (i.e. 10 or 500 minimum).
Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed. Many breach analysts consider “records” to those persons whose sensitive personal identifying information (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers have been exposed. How then, does one then account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?
Many hacking incidents this past year didn’t target personal identifying information, but instead focused on emails addresses, passwords and other pieces of non-sensitive personal information. The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII. Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers? As of now, most state laws do not include non-sensitive personal information as triggers for breach notification therefore there is no obligation to report the incident.
“The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,” says Lisa Sotto, a managing partner for New York-based law firm Hunton & Williams, in a recent interview with BankInfoSecurity. “But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.
The challenge then for the incidence response team is determining if a breach notification is required. If so, “what happened?”, “who needs to be notified”, “what specifics are required?”, “when do we do it?”, “how did it happen?”, and “what have we done to make sure it won’t happen again?” The answers to these questions should all be part of an established Breach Response Plan. Other pieces of this plan should include best practice protocols, procedures, corporate training guidelines and employee education. In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information. A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.
Another important issue to consider in your company’s incident response plan is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so. Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs. Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.