[Dataloss] Less Data, More Security

Richard Forno rforno at infowarrior.org
Wed Jan 17 08:42:48 EST 2007


Less Data, More Security
By Ed Sutherland
http://www.internetnews.com/bus-news/article.php/3654211

Barely a week goes by these days without news of laptops stolen or lost, and
loaded with data that can expose employees, consumers or patients to
identity theft.

For companies involved, data breaches harm more than a corporate image. They
impact the bottom line.

According to research from the Ponemon Institute, a research firm focusing
on privacy and data protection practices, data breaches cost companies $182
per record lost. The Privacy Rights Clearinghouse counts more than 100
million records lost to data breaches since February 2005. An FBI survey
pegged losses due to data breaches at $67.2 billion in 2006.

And it's not just companies handling personal data, such as Social Security
numbers or medical information, bearing the costs. According to Ponemon, 81
percent of the companies it surveyed reported annually losing one or more
laptops containing confidential data. Each laptop contains data worth around
$972,000, according to a 2006 Symantec survey.

That's why security experts already see a shift in security policies
underway, with more to come this year. Data minimization is one of them.

"People are running scared with their hair on fire," said Troy Allen, a risk
consultant and CEO of security firm Kroll's Fraud Solutions unit. That sense
of alarm has created an unregulated industry offering consumers and
companies ways to "prevent" data breaches.

"You can't stop identity theft. Period," Allen said. No matter what policies
are in place, laptops will walk off with data. And fraud alerts, the
ubiquitous answer to data breaches, have become meaningless, he added.

Indeed, the rash of stolen laptops led Kroll to label 2006 "The Year of the
Data Breach." Plenty of online auctions exist where identities are bought
and sold and where, eBay style, the sellers get reviews. He said clean
identities can go for as much as $40 a pop.

When Pennsylvania's Geisinger Health Systems learned personal data of some
of its patients might be exposed as a result of a laptop theft, it offered
ID theft protection from American Insurance Group (AIG). Begun in 2006, the
policy covers businesses, providing up to $25 million in coverage for
companies facing legal, regulatory and other costs. AIG's policies provide
form letters to help ID theft victims contact creditors, and even cover
wages lost during time taken off to recover from a stolen identity.

With identity theft and data breaches a costly reality, what can companies
do to protect data? The most common response - simple passwords - is rarely
enough, say experts.

"Password protection only is very weak," Yankee Group's Sal Capizzi said.
Securing mobile data is a three-prong process: Capizzi recommended
authentication, encryption and automated policies. It is not enough to have
policies in place. Boeing had a policy requiring that downloaded data be
encrypted, but an employee skipped encryption. The result: a stolen laptop
containing employees' personal data. To remove the human element, security
policies must be automated, according to Capizzi.

The new year will see greater focus on corporate and employee education
regarding preventing data breaches. Allen predicts firms will also restrict
or ban downloading data to CD or USB flash drives. "Employers will begin
insisting that more information exchange takes place via secure online
transfer," Allen said in a statement.

Kroll is advising data minimization, a concept counter to the prevailing
belief that customer information is an advantage. "Information is a
liability," Allen said.

Data minimization involves three steps. Don't require or maintain
information you don't absolutely need. Minimize the number of locations
where the information is stored. Purge the data once it's no longer needed.

Just as ego-satisfying virus writing evolved into for-profit criminal
behavior, so will data breaches. Identity theft is now linked to organized
crime, drug financing and illegal immigration, according to Kroll.

For Allen, the excuse that a stolen laptop was only a "smash and grab" in
which thieves aren't interested in the data stored on it doesn't hold water.
Thieves don't work alone. One person may want only to pawn the hardware,
while other thieves will siphon off the data.

Not satisfied with a few hundred or thousand data files, criminals will turn
to social engineering to gain access to data, according to Allen. A popular
method is either bribing employees or planting employees hired to steal
records. The employees use stolen identities to get the jobs, according to
Allen.

Data breaches will likely increase this year as companies that once thought
a stolen laptop was a property theft understand it as a potential identity
theft, according to Kroll.
