[Dataloss] REDUCING THE IMPACT OF PII SECURITY BREACHES

George Toft george at myitaz.com
Tue Jul 18 17:38:41 EDT 2006 

A quick google for the terms:
	information security program GLBA
shows several universities that realize that they ARE financial 
institutions per the Federal Government's definition under the 
Gramm-Leach-Bliley Financial Modernization Act.  The GLBA Security Rule 
has been in effect for over three years now, so those universities that 
are behind the times need to catch up and comply with already existing 
laws.  See 
http://www.google.com/search?num=50&hl=en&lr=&safe=off&q=information+security+program+GLBA&btnG=Search

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


henry ojo wrote:
> 
> REDUCING THE IMPACT OF PII SECURITY BREACHES
>  
>  
> The persistent security breaches that occur in so many organisations and 
> institutions are no longer big news. What is worrying is that while it 
> is expected in financial institutions, as obvious targets for their 
> ‘monetary rewards’, it is rather unexpected in that about a third of the 
> reported security breaches in the U.S. occur in educational institutions.
> Obviously the level of protection afforded the information (mainly 
> Personal Identifiable Information PII) held by  these educational 
> institutions is much less than their financial counterparts, yet the 
> data breaches could be just as damaging.
> What makes the PII so valuable to fraudsters? Loans, mortgages, credit 
> cards, illegal employment could be obtained using this kind of information.
> This now rests the burden of responsibility at the feet of organisations 
> that use PIIs as the only way to validate the identity of applicants for 
> their services.
> Fraudsters use this information largely because it is inherently ‘low 
> risk’ with huge returns as the risk of being physically present is 
> eliminated by organisations relying heavily on e-commerce.
> The question is, do the benefits of cost cutting, easing organisation’s 
> operations by doing substantial amounts of business online outweigh the 
> impact of not providing enough protection to customers PII by not 
> streamlining processes and procedures to aid the security of customers 
> PII at the risk of legislative/regulatory fines etc.
> A suggestion to revert to the stone ages is not being conceived but the 
> emphasis on using PIIs for validations, verifications and even in some 
> cases authentication by a lot of institutions should be reduced.
> Biometrics, token password solutions provide alternative authentication 
> mechanisms, which organisations avoid because of costs, but in the long 
> term an ROI might justify the investment against legislative/regulatory 
> fines, litigation, legal fees and loss of goodwill/reputation.
>  
> 
> 
> Henry Ojo BSc HISP BS7799 Auditor
> www.efortresses.ie
> Cell: 00353 874182266
> Office:+(0) 7958430094
> Fax :+(0) 7092 0950843
> 
> ------------------------------------------------------------------------
> The all-new Yahoo! Mail 
> <http://us.rd.yahoo.com/mail/uk/taglines/default/nowyoucan/free_from_isp/*http://us.rd.yahoo.com/evt=40565/*http://uk.docs.yahoo.com/nowyoucan.html> 
> goes wherever you go - free your email address from your Internet provider.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/
>

More information about the Dataloss mailing list