2009 was the first year since 2005 in which the number of recorded data breach incidents actually dropped. If that makes you feel a little more secure, there is a flip side. The same site reports on the personal records that have been exposed: 220 million records in 2009, compared with 35 million in 2008.
There are two important trends to note here. First, technology advancements (and simplifications) have made breaches increasingly difficult. Second, there is the people side of the equation. In some cases, the small human errors involved in large-scale breaches are more difficult to manage than the technology issues.
With a poor economic state and online shopping becoming a necessary tool for tough times, merchant readiness for handling confidential data — both on the technology and people front — is critical for a successful online presence.
As the new year unfolds, it is important to review the lessons learned from 2009 and reflect on how we can use past trends to correct and innovate data security in 2010.
What Have We Learned?
Lesson 1: Be ready to handle confidential data before you flip the switch.
The healthcare industry suffered a flurry of data breaches in 2009. Most recently and noticeably — the Blue Cross Blue Shield Association was targeted in an August data breach that exposed information of more than 850,000 physicians throughout the United States. Critical personal information such as their Social Security, taxpayer ID, and NPI numbers may have been compromised when a laptop containing sensitive data was stolen in Chicago. [*Correction – Jan. 26, 2010]
What can we learn from this very basic case of information theft? The Blue Cross Blue Shield Association was not prepared to handle confidential data. [*Correction – Jan. 26, 2010]
Carrying confidential data on physical media requires specialized security, and merchants should have those processes well integrated. At times, it boils down to simple processes that govern how authorization and communication are carried out in an organization.
Once systems start humming, there is a human tendency to focus on day-to-day operational issues, and data security begins to take a back seat. As a merchant, it’s important that you have your people-related systems in place and conduct regular audits and training to keep data security at the forefront.
Lesson 2: Think about Data Security up front while working on your online initiatives.
Whether you are working with a vendor or in-house staff, ensure that you have proven expertise on board. With a vendor, this could mean checking if its systems have necessary security certifications. As an example, PCI PA Certification applies to all software vendors handling card data in any form or fashion, and the certification body has published information on certified software for public access.
For in-house staff, there are a couple of options: SSCP certifications for network administrators and CSSLP certifications for developers. Through these public initiatives, you can learn about data security and make decisions that give data security the green light.
Lesson 3: If you are an e-commerce merchant, get PCI-certified.
Over the years, PCI has become a leading authority for merchants to learn about data security threats and mechanisms to prevent attacks. As a merchant, you can get PCI DSS-certified by ensuring that you meet all criteria laid out by the Security Council.
There is also a self-assessment available that any merchant can use to confirm it can handle confidential data.
If you treat PCI certification as a fixed-asset purchase, it will serve you over a long period and ensure the trust of your customers, which has a very definite ROI over time.
Lesson 4: Compliance is not a golden ticket. Secure your systems: once, twice, three times.
Last July, Network Solutions, a Web-hosting firm, announced a data breach affecting approximately 574,000 individuals’ credit card information. The company said it had discovered unauthorized code on servers that supported its e-commerce merchants’ Web sites. It was determined that the transaction data of about 4,343 of its merchant Web sites was breached sometime between March 12, 2009, and June 8, 2009. In a statement released by Network Solutions, the firm said it had been breached despite its PCI-compliant status.
What can we learn? Being compliant is the minimum bar required to switch on your online systems.
Remaining compliant means working carefully with the team and processes that handle confidential data. Security standards and guidelines are great to learn from, but they are not solutions in themselves. The need for the right people on your team to do regular audits and compliance checks is a very difficult and expensive lesson to learn after a data breach occurs.
Lesson 5: Be transparent with your customers at all times!
So, what if a breach occurs? What should you do? The first thing is to inform everyone who was affected and immediately reach out to law enforcement agencies for help.
Anthem Blue Cross was heavily criticized for not notifying the victims of the theft (mostly healthcare providers) in a timely manner. Reports indicated that several of the 50 states affected were not notified until up to two months after the breach.
Transparency is important if a data breach occurs. The quicker your response, the faster and easier the issues can be resolved, and the data can be recovered or protected. It is critical that your customers be educated and aware of the dangers of the marketplace. There are free resources that allow consumers to monitor, freeze, and simply check their credit status with the three major reporting agencies — Equifax, Experian and TransUnion — to protect themselves from personal data breaches. That puts the power in their hands.
Where Do We Go From Here?
Finally, the law seems to be catching up. With the recent passage of the Data Breach Notification Act (S. 139), introduced in January by Senator Dianne Feinstein, D-Calif., data security has become a hot topic of discussion for all types of businesses. The Data Breach Notification Act will require any federal agency or business entity to notify an individual of a security breach involving personal information without “unreasonable” delay, meaning “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.”
A complementary bill to the Data Breach Notification Act, also pending, is the Protecting the Privacy of Social Security Numbers Act (S.141), introduced in July by Sen. Patrick Leahy, D-Vt. This bill sets notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach, and requires businesses to implement preventive security standards to guard against threats to their databases.
Data security now has increasing legal ramifications as well. Just as you would make sure your business investments comply with the laws of the land, you will have to make sure your data security investments comply, which is a good thing. Let 2010 be the year you commit to training and educating your employees so that your organization is ready to handle confidential data. Rework your processes to include a continual audit of your systems to make sure they remain ready. At the end of the day, your processes should NOT be like this one.
Pankaj Kumar is the CTO of Ignify, a technology provider of ERP, CRM and e-commerce software solutions to businesses and public sector organizations.
*ECT News Network editor’s note – Jan. 26, 2010: Our original publication of this article incorrectly stated that Anthem Blue Cross and Blue Shield of California was targeted in the data breach and “not prepared to handle confidential data.” The reference was meant for the national Blue Cross Blue Shield Association, which is a separate entity.