Breach Disclosure Laws are Pointless

Researchers at Carnegie Mellon University have just released data showing that the information security breach disclosure laws enforced in the US have failed to reduce identity theft. According to The Register, these findings come at a time when there is increased demand for similar laws in Europe that would oblige organizations to notify customers when their personal details become exposed.

Research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). They analyzed identity theft complaints made to the FTC from 2002 to 2006, trying to spot differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations and 43 other states have since followed its lead.

The researchers determined that factors such as changes in a state’s average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as The Register’s reproduction of the paper’s abstract shows:

We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.

“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.

Builders of London Olympics Site - Biometrically Authenticated

March 5th, 2008 by Alina. Categories: DLP, In the News, biometrics, security breach

All workers involved in building the London Olympic site for the 2010 games will go through a thorough biometric authentication process. The biometric screening will consist of a two-tier process, the Times reports: palm-print reading and face recognition. A total of 100,000 workers will have to comply with this security requirement until the Olympic site is completed. If the system works, it might also be used for stadium ticket holders.

The biometric screening project is, on the other hand, already raising serious questions about the level of protection it can provide for private data:

The use of biometrics is part of a £354 million strategy to secure the 500-acre Olympic Park during its construction, which starts in June. But it has raised concerns about data protection among unions and civil liberty groups.

Alan Ritchie, general secretary of Ucatt, the main construction union, said: “We do not foresee a problem, providing the ODA [Olympic Delivery Authority] guarantee that the biometric data will not be passed on to any third parties and will be wiped once the project is complete.”

The methods employed to prevent data losses, theft or security breaches aren’t clear for now. I’d recommend a thorough analysis of what endpoint security and DLP solution will be chosen to make sure biometric data is not lost or stolen before its final deletion at the end of the project.

US Government Agencies Have Higher Security Levels

March 4th, 2008 by Alina. Categories: IT security, In the News, security breach

Although US government agencies fall short when it comes to protecting private data, their level of security apparently improved throughout 2007, according to an analysis of their compliance with the Federal Information Security Management Act (FISMA) of 2002. This is the core finding of a report recently issued by the Office of Management and Budget (OMB) and quoted by SecurityFocus.

The Inspectors General for 22 of the 25 agencies required to comply with FISMA inventoried at least 80 percent of their systems in 2007, compared with 20 agencies that had reached that milestone in 2006. While an improvement over the previous year, only two-thirds of the IGs claimed that their auditing processes were rated “satisfactory” or better.

The increased awareness of their systems has also caused the agencies to report more attacks, the report stated. In 2007, incidents reported to the US Computer Emergency Readiness Team (US-CERT) jumped to 12,986, an increase of 150 percent over the previous year. While nearly a third of the incidents were alarms generated by US-CERT’s EINSTEIN network monitoring system and remain uncategorized, about a quarter were classified as improper usage and about 15 percent as unauthorized access, according to the OMB report.

OMB identified the four stars of the compliance effort as the National Aeronautics and Space Administration (NASA) and the Departments of State, Treasury and Defense, all doing a great job of complying with FISMA. The Department of Defense, however, did not do that well. It looks like security policies and compliance fall short for this particularly important agency.

Security Experts Run Scarce

February 28th, 2008 by Alina. Categories: IT security, In the News

A survey recently published by the Computing Technology Industry Association (CompTIA) and quoted by DarkReading shows that companies do not find the IT security skills they need in the experts they hire. CompTIA surveyed 3,500 technology professionals from three continents (Europe, North America and Asia) and concluded that most of them rank security expertise as a top skill when looking for technical staff to hire. Yet the skill set of existing IT professionals does not match this demand.

Among organizations surveyed in nine countries with established IT industries (Australia, Canada, France, Germany, Italy, Japan, the Netherlands, U.K., and U.S.), 73 percent identified security, firewalls, and data privacy as the IT skills most important to their organizations. But just 57 percent said their IT employees are proficient in these security skills, a gap of 16 percentage points.

The gap is even wider in five countries where the IT industry is still emerging (China, India, Poland, Russia, and South Africa). Among respondents in these countries, 76 percent identified security as the top skill their organization needs; but just 57 percent said their current tech staff is proficient in security. That’s a difference of 19 percentage points, CompTIA noted.

Data Breaches Change Customer Behavior

February 9th, 2008 by Alina. Categories: Data Loss, security breach

According to a Gartner report discussed on InformationWeek’s Security Weblog, consumers affected by the large number of data breaches occurring lately are more apt to alter their online payment behavior.

In fact, according to this report, shoppers — who are already online at the merchant’s Web site — are more likely to pick up the phone to provide payment information. So much for convenience always trumping security.

This only goes to show that security matters. And that it’s time for merchants to stop treating security as a necessary burden, and as the responsible cost of business it is, and as the competitive differentiator that it can be.

The data in the report, titled U.S. Consumer Secure Payment Preferences Create Opportunities for Nonbanks, was published after analyzing the results of a survey of 4,500 online U.S. adults conducted last August. It shows that customers switching to payment methods they find safer will eventually lead to lower profits for banks handling online payments.

The same Gartner report showed that over 33% of all adult Internet users have decided to completely ignore the Internet retail channel as a result of ongoing data breaches.

This not only shows that good security pays, but that online shoppers will reward merchants that go the extra mile to provide a safer shopping environment, communicate those efforts to them, and also make available payment options that shoppers feel to be more secure.