Shopping Online is GREAT! But Data Breaches? Not so much.

Posted By: Stacy Steele on 30th March 2009

Does the recent surge in data breaches really have customers concerned? Amazon seems to think so. According to an article on StorefrontBacktalk, Amazon and Western Union have implemented a plan to ease the minds of customers who might shy away from ordering online for fear of becoming the victim of a data breach. Instead of having to enter credit card information online, customers can walk into one of 44,000 Western Union locations and have cash turned into an online gift card. An additional (but minimal) fee is added to the gift card (e.g., $3.95 for a $500 gift card).

In the article, author Evan Schuman brings up an interesting reason why customers might find this option appealing during an economically difficult time.

“If any of those businesses has a glitch and tries to overcharge the consumer - as recently happened to both Macy’s and Best Buy – the consumer is completely safe as there exists no more money to access.”

But doesn’t this extra step of going to Western Union to purchase a gift card take away from the reason some people shop online in the first place? If you have to physically go out to a Western Union to purchase the gift certificate, why not just go shopping for the things you need while you’re out? Let’s face it: sometimes Amazon has the best deals, and in economic times like these, people are not merely looking for what is most efficient anymore; they are also looking for what is most cost effective.

The most interesting question is whether or not the fear customers have about data breaches will lead online shoppers to take that extra step for peace of mind. Schuman doesn’t seem to think so. I, on the other hand, think Amazon might be on to something. Oftentimes I purchase items through Amazon, and with the number of data breaches I have seen and written about in the past few months, that extra step to purchase a gift card seems pretty minimal compared to the work that goes into saving your identity after a breach.


Fool Me Once

Posted By: Travis Smith on 27th March 2009

It seems that Visa is taking data breaches seriously now. Well, at least more seriously than sending a bill to those responsible for the breach. Visa has announced that Heartland Payment Systems and RBS WorldPay have been removed from the list of service providers who are PCI DSS compliant. This goes along with what I talked about last week when I compared PCI DSS compliance with health inspections in restaurants. It doesn’t make any sense for a company that has leaked data to remain on any compliance list until it has been re-certified.

In essence, this is an act by Visa to protect itself against litigation. Heartland and RBS are major payment processing companies; without their business, a lot of companies would have to spend a large sum of money switching to a new vendor. That just won’t fly for any company, large or small. As a sports nut, I like to put a lot of things into sports analogies. So I say PCI and Visa should adopt the three strike rule. It worked for the California State Penitentiary system, why not the credit card industry?

Here’s how it would work. You need to get up to PCI DSS compliant speed before coming up to the plate. You let the first one get by you, dust yourself off, pay the fines, fix your leak, and get back in the game. You let a second one get by you, and now it’s time to get nervous. It doesn’t mean the game is over; it just means you are at the edge of the cliff. You let that last one get by you, and it’s time to warm the bench. Even former President Bush seems to agree with this method of business. He once stated, “Fool me once, shame on you. Fool me and you can’t get fooled again.”


Information Wants to Be Free

Posted By: Jonathan Brill on 26th March 2009

Well, regardless of what my information may want, I don’t want it to be free. I want it to be locked down and accessible only to me and anybody I personally choose to share it with. I guess I’m old school that way.

In a post a couple of weeks ago I mentioned the Google Docs privacy bug that inadvertently shared documents with people other than those intended by the document owners. Scary stuff, but it looked like Google was plugging that leak.

Unfortunately, Ade Barkah found a number of other security holes unrelated to the original. We can draw a number of conclusions from this turn of events, one of which is that there are clearly more security holes yet to be found, some of which might be even more serious. As someone who is not personally using Google Docs, I find this more of a curiosity than anything else, but I’d think that if I depended largely on Google Docs for anything of any sensitivity I would be more paranoid than curious.

It’s very possible that Barkah is one of the world’s foremost hackers and has an inhuman ability to compromise a perfectly reasonable security system and there’s nothing that can really be done to prevent it. But it’s more likely that Barkah is just a good security consultant from Canada with a pretty cool blog who put a little effort into poking Google Docs enough to find security holes.

As someone who meets with paranoid security architects and privacy officers about protecting inherently secure documents in locked down networks with multiple layers of solid authentication and packet filtering, virus protection, and intrusion detection – I can tell you that the thought that documents themselves might have a security hole that renders everything else moot would be terrifying.

As we move into a world where sharing is cool and “information wants to be free” is the mantra, we’re going to need people like Ade Barkah to remind us that tearing down the barriers to collaboration can’t mean tearing down the walls of privacy and information security.


Small Practices up in Arms over Stimulus Act

Posted By: MJ Knudsen on 25th March 2009

Many in the health industry are upset with new rules set forth by the “stim,” also known as the American Recovery and Reinvestment Act. The stim, and more specifically the section called “Health Information Technology for Economic and Clinical Health” (HITECH), makes changes and additions to HIPAA, which is the cause of concern for small medical practices, as they might face higher costs to keep up with HIPAA compliance.

For example, it extends “covered entities” to include all those a physician’s practice does business with: lawyers, accountants, suppliers, etc. This means all data exchange between physicians and their vendors is covered by HIPAA. Another change is that “covered entities” must now report data breaches and alert patients. This was already law in California and Alaska, but now it applies in all states. So previously, if personal medical information had leaked outside California or Alaska, was nothing done?

Health care providers are concerned about the costs that such changes will incur:

Even David Kibbe (friend of the blog) told a reporter this means small medical practices will “face additional costs for health IT implementation” as a result of all this.

Please.

Are you handing patient records to all and sundry? Are you giving them willy-nilly to your accountant, your lawyer, your suppliers? With names attached? Really?

I doubt it. If you are, shame on you. If not, you don’t have much to worry about here. Don’t start.

As to the notification requirements, isn’t that simple common sense? Lose your wallet and you’re going to call the cops; same with your patient records.

Overall, I think the new requirements both benefit patients and help protect their privacy. It’s always interesting to me to see these requirements implemented now; it seems like they should have been taken care of a long time ago.


Should Data Stay or Should It Go?

Posted By: Molly Mulally on 24th March 2009

With the massive number of data breaches over the last couple of months, other companies are beginning to take stock of what information they have that could possibly be compromised. Many are realizing that the amount and type of data they have in-house is more of a burden to keep than to toss.

Forbes.com recently wrote about two Wharton marketing professors who say having a large amount of personal data is becoming a liability, and who suggest finding ways to minimize the amount of information a company holds. Eric Bradlow and Peter Fader suggested a technique they called “data minimization,” which means keeping only the customer data the company really needs for its competitive analysis and getting rid of the rest. Although some companies need incredibly detailed data for their competitive analysis (which usually means a lot of data), more is not always better.

With the cost of data breaches at the level it is today, companies that keep massive amounts of data in-house are at incredible risk of lengthy and costly breaches. They are also at risk of being unable to manage these great amounts of data. Yes, there are solutions out there to manage, organize and classify data, but companies are not spending the money needed to buy the software.

Fader and Bradlow recommend the following simple approach to their concept, data minimization:

  1. Determine which information is needed to track consumer behavior.
  2. Aggregate the information over a defined period, such as two to four months.
  3. Create histograms and throw away original data.

Although it is more of a concept than a security tool, Bradlow says data minimization will become key in a company’s success.
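The three-step approach above, worked through in code as an added example; this is not code from the Forbes piece or from Bradlow and Fader, and the purchase records, field names, bucket width and 90-day period are all constructed for illustration. It projects raw records down to the behavioural fields, aggregates one reporting period into histograms, discards the originals, and then checks that no identifier survived into the summary.

```python
from collections import Counter
from copy import deepcopy
from datetime import date, timedelta

# Constructed sample of raw purchase records; no real customer data.
RAW_RECORDS = [
    {"customer_id": "C001", "name": "Alice Example", "card_last4": "1111",
     "date": date(2009, 1, 5), "category": "books", "amount": 24.99},
    {"customer_id": "C002", "name": "Bob Example", "card_last4": "2222",
     "date": date(2009, 1, 12), "category": "electronics", "amount": 199.00},
    {"customer_id": "C001", "name": "Alice Example", "card_last4": "1111",
     "date": date(2009, 2, 3), "category": "books", "amount": 12.50},
    {"customer_id": "C003", "name": "Carol Example", "card_last4": "3333",
     "date": date(2009, 2, 20), "category": "music", "amount": 9.99},
    {"customer_id": "C002", "name": "Bob Example", "card_last4": "2222",
     "date": date(2009, 3, 15), "category": "books", "amount": 31.00},
    {"customer_id": "C003", "name": "Carol Example", "card_last4": "3333",
     "date": date(2009, 5, 2), "category": "electronics", "amount": 60.00},
]

# Step 1: decide which fields are needed to track behaviour. Identity and
# payment fields are deliberately left off this list (assumed field names).
NEEDED_FIELDS = ("date", "category", "amount")
IDENTIFIER_FIELDS = ("customer_id", "name", "card_last4")


def select_needed(records, needed=NEEDED_FIELDS):
    """Project each record down to the fields the analysis actually uses."""
    return [{field: rec[field] for field in needed} for rec in records]


def amount_bucket(amount, width=25.0):
    """Label the histogram bucket a purchase amount falls into, e.g. '0-25'."""
    low = int(amount // width) * width
    return f"{low:.0f}-{low + width:.0f}"


def build_histograms(records, start, days):
    """Step 2: restrict to one reporting period and reduce it to counts only."""
    end = start + timedelta(days=days)
    in_period = [rec for rec in records if start <= rec["date"] < end]
    return {
        "period": (start.isoformat(), end.isoformat()),
        "purchases": len(in_period),
        "by_category": dict(Counter(rec["category"] for rec in in_period)),
        "by_amount": dict(Counter(amount_bucket(rec["amount"]) for rec in in_period)),
    }


def minimize(raw_records, start, days):
    """Run all three steps; the histograms become the only copy that is kept."""
    summary = build_histograms(select_needed(raw_records), start, days)
    raw_records.clear()  # step 3: throw away the original data
    return summary


def summary_leaks_identifiers(summary, identifiers):
    """Defensive check: no identifier value from the raw data may appear in the summary."""
    rendered = repr(summary)
    return any(value in rendered for value in identifiers)


def run_example():
    """Minimize a copy of the constructed records over a 90-day period."""
    raw = deepcopy(RAW_RECORDS)
    identifiers = {str(rec[f]) for rec in raw for f in IDENTIFIER_FIELDS}
    summary = minimize(raw, date(2009, 1, 1), 90)
    return summary, len(raw), summary_leaks_identifiers(summary, identifiers)


if __name__ == "__main__":
    print(run_example())
```

The leak check at the end is the part worth keeping in a real pipeline: a histogram over a field that happens to be an identifier (a bucket per customer, say) would defeat the whole exercise, so the summary is verified against the identifier values before the raw records are dropped.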


Cutting Costs Can Cost You Big Time

Posted By: Stacy Steele on 23rd March 2009

We are undoubtedly in an economically challenging time. I find myself feeling more and more pressure to spend wisely and plan for the uncertainties of the future. Although people and companies alike are cutting costs, there is one place costs should not be cut carelessly: IT security.

Ellen Richey, Chief Enterprise Risk Officer of Visa, recently gave a speech at the Visa Security Summit where she expressed her concerns about cutting costs surrounding data security.

“When every cost center is being targeted for reduction, we can safely assume that data security will not be immune. We should all be concerned when businesses connected to the payment network are under pressure to shortchange security measures. I expect those of us in this room would all agree that this kind of cost-cutting is short-sighted and dangerous.”

In her speech, Richey mentioned a recent report released by Javelin Strategy and Research that shows the U.S. experienced a 22 percent increase in identity theft in 2008. Richey offers little sympathy to companies that are not maintaining compliance with “ongoing vigilance.” Although there clearly seems to be a link between the state of the economy and the increase in identity theft, what exactly can be done to help keep this growing problem under control? Richey offered four main ways people in the industry can keep fraud from happening before it becomes a major issue:

  1. Make sure we are actively managing the threat of compromises, and doing so in a way that does not unnecessarily burden businesses.
  2. We must actively engage consumers and empower them to protect themselves.
  3. We must increase collaboration across the payment system – to close security gaps and share critical information faster.
  4. We must continue to reduce the value of stolen data, through investment in new authentication measures.

The bottom line is that data security compliance is an incredibly important issue, and during these economic times it is proving to require a great deal of attention and awareness. Cutting costs around IT security might seem like a quick fix to the economic pressures you find yourself under, but it could end up costing you far more in the long run. If you really don’t agree, just ask Heartland.


Notify Us No Matter What!

Posted By: MJ Knudsen on 19th March 2009

Companies in California have been required to report data breaches since 2003, when notifications became law. Ever since then, people have gone back and forth on the effectiveness of these notifications. On one hand, consumers want to know (and feel it’s their right to know) if their data has been compromised. On the other hand, large corporations see notification as a burden and a huge cost.

Before making my point, here are some interesting points from the article “Do Breach Notification Laws Work?”:

  • Since 2003 when California passed a notification law, 44 states have followed suit.
  • Only 20% of firms say they would report serious breaches if not required by law.
  • Fraudulent activity as the result of a breach often happens before the breach was detected.
  • 55% of a surveyed group said they had received two or more notices within the last two years, and usually throw them in the trash.
  • When ChoicePoint notified 163,000 customers of a breach, only 10% chose to accept the free credit protection offered.
  • One survey showed only 2% of those affected by data breaches experienced identity theft.
  • When a company notifies customers of a data breach, on average, about 20% end their relationship with the company.

I don’t care how much it costs companies to notify me or how much business they lose. If only 1% of customers take action as a result of a data breach, GOOD. The other 99% is no reason not to notify customers. As a customer, I have every right to know what is done with my data and if or when my information is compromised. What it costs a company to notify me and whether or not I take action has no bearing on the issue!


If You Can’t Handle the Heat, Get Out of the Kitchen!

Posted By: Travis Smith on 18th March 2009

It looks like states are starting to catch wind of a new way to raise money. While places like California are thinking about taxing visiting guests, others like Connecticut are seeing the rising trend of data breaches and jumping on the bandwagon of fining businesses. Connecticut Public Act 08-167 mandates a civil penalty of $500 for each violation, up to a maximum charge of $500,000 for an individual event. Not to be outdone, Massachusetts stepped its game up and upped the stakes. It is combining the thought process of Connecticut and California. Massachusetts has outlined a guideline for protecting data that is nearly as complex as the PCI DSS standard. On top of that, it is “protecting” its residents by fining out-of-state companies for losing Massachusetts residents’ private data.

So we now have regulations from the federal government, state governments, and the private sector. At what point does the headache of having to comply with so many regulations stop? The American dream of starting your own business is slowly losing its luster. I can’t imagine anyone saying: “I want to start my company in America and charge a lot more for my products and services because I have to comply with all these new regulations!”

A report over at Law.com stated that this may be a trend away from a reactive approach to personal information regulation and towards a proactive approach. Why not make this more like the food industry, with “private information” inspectors coming in every once in a while to look behind the fridge and under the counters for something dirty? When something is found, a fine is issued until it’s resolved. Such should be the case with organizations; if nothing is found and some personally identifiable information ends up in the wrong hands anyway, then it’s time to prevent them from doing much until their mess is cleaned up. If you can’t handle the heat, get out of the kitchen!


Comcast Data Breach Response: Standard Operating Procedure

Posted By: Jonathan Brill on 17th March 2009

  • Denial of fault for the breach? Check
  • Notification of all customers? Of course not
  • PR blitz minimizing the response and making no mention of corrective strategic action or ongoing investigation to find out how it happened? What do you think?

In my last post I mentioned the idea that each data breach is, in a way, a unique opportunity to understand the reactive nature of the companies we’re doing business with. All too often, these companies respond in similar and disappointingly unproductive ways. On the bad side, this is just another validation that our regulations for securing electronic customer information are insufficient and the penalties for failing to do so are way too lenient. The silver lining, though, is that we’re getting a real-time education in how big fat corporations fail at every aspect of emergency management except for PR. It’s a lesson we should pay attention to because it doesn’t seem to be changing any time soon.

In the latest example, Comcast was alerted to a data breach by Brad Stone of the NY Times, who was notified by a customer who found his own Comcast username and password on a list with 4000-8000 others in a shared document on the document sharing site Scribd. At the time of his viewing, that document had been viewed 345 times and had been downloaded 27 times. Great.

So Comcast is on the case, right? They’ve notified their customer base that there is someone compiling lists of usernames/passwords and to be extra vigilant, right? They’re sending their crack investigative team to search through Scribd download records to find out who might have posted it and who might have downloaded it, right? They’re forensically analyzing the data itself to trace the patterns back to likely systems of breach, right? They’re working with law enforcement and auditors to identify all possible methods of getting that data to shore up the defenses, right? And most of all, I’m sure they’re notifying their now paranoid customer base that their crack response team is on top of it and keeping them notified of their progress on all fronts?

Right.

Here’s Comcast’s response:

Comcast said it did not believe the information came from inside the company, pointing to duplicated data on the list and the lack of structured information like account numbers. “We have no reason to believe this came from Comcast. It looks like a phishing or related type of scheme,” said Jennifer Khoury, a Comcast spokeswoman. (Asked about this possibility earlier today, Mr. Andreyo said that he doubted he was ever the victim of a phishing scheme.)

There are many possibilities for how that data was aggregated, stolen and posted. One of them is a phishing scheme. Others could be employee theft, which is by far the most common source of data breaches. Comcast of course doesn’t acknowledge that possibility here. Nor will they anywhere else. Denying it’s a data breach allows them to skirt notification laws designed to protect customers whose data may be at risk. That’s letting PR come before what’s good for the customer.

But of course, it’s not like we should expect Comcast to respect its customers’ right to privacy and security after incidents like this one, this one or this one.


Lawmakers Breaking Data Privacy Laws?

Posted By: Jonathan Brill on 16th March 2009

What’s becoming evident through all of these data breaches is that the lack of policy, not technology, is what’s most egregious in every one of these incidents. Each time there’s a breach, we get to see the nature of how these organizations will react. Not surprisingly, many react poorly.

It’s becoming clear that not only are data breaches not taken seriously enough to prevent, but there’s not nearly enough discussion on what to do in case one happens. At the earliest possible age, we’re able to indoctrinate children with lessons of “calling 9-1-1” and “stop, drop and roll” so they know how to react when calamity strikes. But the companies and organizations we’re trusting with our data seem to be totally lacking in emergency response preparation. And make no mistake, we are talking about emergencies here. A breach of thousands of names and credit card numbers is a financial debacle for the people and the credit card companies involved.

Yet people who collect electronic customer transactional data seem to be largely ignorant of the best practices for protecting that data and what to do in the case of it getting exposed. The latest example is former Minnesota Senator Norm Coleman’s campaign. As reported by Politico:

The campaign’s disclosure Wednesday night that a hacker may have gained access to about 5,000 donors’ financial information will almost certainly deter new online contributions, further hindering Coleman’s ability to raise money for the ongoing recount lawsuit against Democrat Al Franken.

On the legal side, experts say there’s a valid question about whether the campaign violated a state law that requires any person or business that conducts business in the state to notify consumers immediately that their personal information has been breached. As early as Jan. 28, Minnesota bloggers reported that personal security information could be downloaded by anyone after a brief crash of the Coleman for Senate website.

“Assuming that the hack occurred in January and not just a couple days ago, and he didn’t notify donors, then he probably violated state laws,” said David Schultz, a professor at the Hamline University School of Business in St. Paul, Minn.

On top of that, there’s a question about whether the Coleman campaign was allowed by state law to retain the full credit card information and security codes of their online contributors — and whether the data were properly encrypted.

There are so many things wrong with that I’m not even sure where to begin. I can’t even put this in the frame of something like the breach at Countrywide, because at least Countrywide was explicitly authorized to obtain and store customers’ transactional information. It’s not clear that’s even the case here. The Politico article builds out a nice timeline (albeit in longhand) of how the breach happened and the disappointing response by Coleman’s team, which can only be described as dishonest and negligent.

Based on their response, does it seem like Coleman’s team had a “stop, drop, and roll” plan in place? Or that they were ever knowledgeable about the laws they were subject to for holding that information? I don’t think so. The difference between Coleman’s campaign and a company, however, is that Coleman’s race is largely over. Companies that make the mistakes he did will have to earn that trust back, customer by customer. You’d think that would be incentive enough to build better policy for preventing and dealing with breaches. Not so far, though.
