Our guest blogger this week is Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Our latest study, Aftermath of a Data Breach Study, was conducted to better understand how a data breach affects organizations over the long term. In this study, IT professionals weigh in on how their organizations dealt with a data breach that had both serious financial and reputational consequences. While we asked respondents to focus on just one breach, 85 percent say that their organizations had more than one breach involving customer/consumer data in the past 24 months. It is interesting to note that in many cases it took a serious data breach to make privacy and data protection a greater priority and allocate additional resources to the IT security function.

While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims was enough to reduce the negative consequences of the data breach. This suggests that compliance with data breach notifications laws in and of itself is not sufficient if an organization is concerned about customer loyalty and reputation. Other lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored. We invite you to read the full report here.

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”.    Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers information was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers PII.

More and more entities are now tracking data breach occurrences by:

• Industry sectors (categories): Business, educational, government, medical, financial
• Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen.  In some cases, discarded paper documents.
• various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published

While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences.  Differing filters applied by each monitoring entity as to what qualifies as a data breach on any given list create some divergence in comparison of breach lists.  These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records have been compromised (i.e. 10 or 500 minimum).

Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed.  Many breach analysts consider “records” to those persons whose sensitive personal identifying information (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers have been exposed.  How then, does one then account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?

Many hacking incidents this past year didn’t target personal identifying information, but instead focused on emails addresses, passwords and other pieces of non-sensitive personal information.   The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII.  Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers?   As of now, most state laws do not include non-sensitive personal information as triggers for breach notification therefore there is no obligation to report the incident.

“The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,” says Lisa Sotto, a managing partner for New York-based law firm Hunton & Williams, in a recent interview with BankInfoSecurity.   “But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.

The challenge then for the incidence response team is determining if a breach notification is required.  If so, “what happened?”, “who needs to be notified”, “what specifics are required?”, “when do we do it?”, “how did it happen?”, and “what have we done to make sure it won’t happen again?”  The answers to these questions should all be part of an established Breach Response Plan.  Other pieces of this plan should include best practice protocols, procedures, corporate training guidelines and employee education.  In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information.  A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.

Another important issue to consider in your company’s incident response plan is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so.  Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs.   Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.

Amidst this time of continuous, high-profile data breaches, lawmakers are scrambling to pass privacy legislation with teeth – the kind of bite that will really push companies to strengthen their data security measures and safeguard some customer data from even being collected or shared.  At the recent data security and privacy hearing held by the Senate Commerce, Science and Transportation Committee, there appeared to be widespread agreement that national data breach laws are needed; the question is how to balance privacy regulations with the commercial interests of Internet businesses.

Three major bills currently circulating in the Senate attempt to address this delicate balance:

1. The bipartisan Commercial Privacy Bill of Rights, led by Senators John Kerry and John McCain, would impose new restrictions on companies that collect personal data from consumers, including seeking permission from consumers before collecting and sharing sensitive religious, medical and financial data with third party entities.
2. The Data Security and Breach Notification Act, led by Committee Chairman Jay Rockefeller and Mark Pryor, would require companies that own or collect sensitive customer data to undertake “reasonable” security measures to protect consumer privacy, alert customers within a set timeframe when their data has been breached, and entitle customers affected by a breach to two years of free credit monitoring or credit reporting services for two years.
3. The Do-Not-Track Online Act, also led by Senator Rockefeller, would allow customers to block the ability of companies to track their online activity.

Which of these bills becomes law remains to be seen, and there is as yet no broad consensus for the details of privacy legislation.  Nevertheless, the federal movement towards greater consumer protection should please ordinary consumers, who largely agreed in a recent poll that they should be able to opt out of Internet tracking from a single location.  Consumer advocacy groups and even big technology companies have also expressed support for the legislative efforts, even if some business trade groups believe that the bills are overly restrictive.

According to Privacy Rights Clearinghouse, at least 500 million sensitive records have been breached since 2005, and a survey by the Samuelson Law, Technology & Public Policy Clinic at the University of California, Berkeley has shown that even with notification letters, 28% of consumers don’t understand the potential consequences of these breaches.  It’s a serious problem that just about every state in the country continues to address.

Years ago, California ushered in landmark privacy legislation with AB 700: Security Breaches (2001) that is now modeled by most other states.  Now that California has a new governor, a new bill SB 24: Data Breach Notification (2011) is being re-introduced which further strengthens notification requirements when data breaches occur, establishing added standard information that all businesses must provide to consumers about the breach.

But California is just one state.  Along with national data privacy laws such as FACTA, HIPAA, and COPPA, there are currently 48 different data breach notification laws in just about every state.  No wonder it’s tough for businesses to surf the tidal wave of legislation, especially if a company does business in different states.

A new law expected to be passed in 2011, the Data Accountability and Trust Act, or DATA, would supersede all state laws, to provide one standard across the board.  Provisions include requiring companies to notify consumers about breaches within 60 days, alert customers to specific information that has been compromised, report breaches to the credit bureaus if more than 5,000 accounts are compromised, and provide two years of credit monitoring to consumers and a toll-free number to call for more information about the breach.

For businesses that don’t comply with these new regulations, stiff penalties will be added to the burdensome costs of breaches (and how can you even tabulate costs like the loss of public trust?)  The new regulations headed our way in 2011 provide one more reason for businesses to protect themselves from breaches, swiftly take action when a breach has been detected, and stay informed about the legal currents that are taking shape.