In William Shakespeare's play Julius Caesar, a soothsayer approaches Caesar on his way to the Senate, where his enemies conspire. The soothsayer warns, "Beware the ides of March." Caesar dismisses the clairvoyant as a "dreamer." As the ides of March 2006 approaches, how would your CEO respond if he or she were told, "Beware the personal information your company possesses?" Nearly every organization, public and private, possesses some amount of personal information regarding its customers, prospective customers, employees—and in some cases the general public—that it uses in core business activities. The California Security Breach Information Act requires organizations "to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." This law has changed the landscape of security by shining a light on the kinds of data exposure that often went unreported prior to the legislation. Now, the unauthorized disclosure of personal information will almost certainly lead to a highly publicized event. If your CEO is as dismissive of the handling of personal information as Caesar was of the soothsayer, their ends may be uncomfortably similar.
5 Personal Information Security Debacles
The manner in which personal information is disclosed to unauthorized parties varies greatly; consequently, your company's protection mechanisms must be up to the task. Here are five recent highly publicized examples that illustrate the different ways in which personal information can be disclosed to unauthorized individuals. Each situation represents a unique set of threats.
Fraudulent customer. In February 2005, ChoicePoint, which provides identification and credential verification, made headlines when it acknowledged that it had sold personal information about more than 140,000 consumers to criminals posing as legitimate businesses. ChoicePoint's Securities and Exchange Commission (SEC) filings show that the direct costs of the incident were $11.4 million, $2 million of which was spent just to notify affected consumers. The potential cost of ongoing lawsuits resulting from the incident could dwarf this figure.
Network compromise. CardSystems, a credit card transaction-processing firm, disclosed in June 2005 that an unidentified attacker had compromised its transaction database and stolen more than 40 million records. Its two largest customers, Visa and MasterCard, which together contributed the vast majority of CardSystems' revenue, canceled contracts with CardSystems after the company acknowledged that it hadn't secured its records to the level that Visa and MasterCard had specified. The assets of CardSystems were purchased by another company in October 2005.
Stolen laptop. In November 2005, Boeing reported that a company laptop containing personal information about more than 160,000 employees, including financial data and Social Security numbers, had been stolen. Boeing offered to pay each affected employee for fraud protection and credit monitoring. No cost estimates for this incident were published.
Stolen backup media. Within a span of months in 2005, Citibank, Ameritrade, Time Warner, and Bank of America each reported that backup tapes containing personal information about customers and employees had gone missing, and none of the companies could rule out theft. Several US senators were among the 1.2 million Bank of America customers whose personal information had been exposed by the loss of the unencrypted backup tapes. Not surprisingly, several senators called for strengthening regulations for how banks and other financial institutions handle backup media.
Sale by insider. What might be the type of unauthorized disclosure that executives lose the most sleep over became reality for four banks (Wachovia, Bank of America, Commerce Bank, and PNC Bank) in February 2005, when a criminal ring that included insiders from each bank was arrested for illegally selling personal information that had been stolen from the banks. The ring was reported to have generated several million dollars in profits from the sale of stolen data in the 4 years prior to the arrests. Bank employees in the criminal ring were paid $10 for each account they stole.
How—and What—Is Your Company Doing?
Dismissing the potential danger of the unauthorized disclosure of personal information is naïve at best and inherently reckless. What can you do to provide your company's executives clear direction for averting disaster? Give them an assessment of where potential exposure exists, particularly regarding the five areas of vulnerability I just described. One helpful strategy is to trace the personal information your company possesses through the following areas. In each area, determine how data is protected and who can access it.
Acquisition. Identify where personal data comes into the company's possession. Common acquisition points include Web site registrations, manual entry from paper forms, and information sent via email. Obtain the notice given to individuals when their personal information is gathered. Such documentation might contain information about acceptable use and acceptable onward transfer of the data. Later, you can use this information to make sure the personal data isn't used outside its intended scope or transferred to systems in which it might not have the same protections it did in its original location. Not only will this documentation help establish a chain of custody for the personal information your organization possesses, but it will assist you in maintaining your privacy practices.
Transfer. The personal information your company gathers is likely transferred between computer systems and employees, and often to other computer systems, in many areas. Every time the information is transferred, an opportunity is created for an attacker to access it. Identify how the information is protected during transfer, and how the employee or system receiving the information is authenticated.
Storage. The personal information will be stored somewhere in your company, perhaps even in multiple locations at the same time. Determine who has authorized access to the information, where it's stored, and how it's protected.
Use. Determine whether and how personal information your company gathers will be used by authorized employees and applications. Identify the employees who have authorized access to the information while it's in use, and determine how applications protect it and whether the use is permitted by the policy under which the information was gathered.
Disposal. Personal information should be stored only as long as the company requires it for its intended and express purpose. At the end of its useful lifetime, the data needs to be disposed of, which usually means formatting or wiping hard disks and destroying other types of media. Be sure to also consider the disposal of nonelectronic formats, such as printed documents. What is your company's plan for disposing of expired personal information?
Et Tu, IT?
Tracing the flow of personal information that your company gathers through these five areas of potential exposure will help you quickly locate points of obvious vulnerability, such as unencrypted backup tapes or weak database security, and will provide an excellent foundation for deeper assessments of a particular area. Should you find areas of risk, you'll be able to give your company's executives a better-defined and more effective warning than the soothsayer gave Caesar.