In January, Perimeter eSecurity released a research report where the company analyzed data breaches at retail companies in the United States. I am a curious person, so I took the time to wade through this 32-page report.
Perimeter's analysis covered data breaches that occurred from 2000 through 2007. It included both breaches where consumers' sensitive personal information was lost/stolen and breaches where this information wasn't lost/stolen -- to provide a more complete view of the problem. First, a definition of "data breach":
"Nearly all organizations maintain records for their customers and employees. When this information falls into the wrong hands, or has the opportunity to be extracted, viewed, captured, or used by an unauthorized individual, it constitutes a data breach."
Corporations are notorious for being tight-lipped about details of their data breaches:
"... nearly one quarter of the incidents did not or could not disclose the number of records that were part of their data security breach."
Some of the retail companies listed in the report that didn't disclose the number of records lost/stolen because they either didn't know or didn't want to tell consumers:
- April 27, 2001: Egghead.com
- July 12, 2003: PetCo
- June 21, 2005: CVS
- October 8, 2005: Blockbuster
- November 7, 2005: Papa John's
- December 12, 2005: Sam's Club
- February 19, 2007: Stop & Shop
- March 29, 2007: Radio Shack
- June 23, 2007: Winn-Dixie
- July 11, 2007: Disney Movie Club
- September 28, 2007: Gap, Inc.
- October 17, 2007: Home Depot
- October 23, 2007: Blockbuster
This means that the statistics cited in media reports about the number of consumers affected by data breaches are low. The true number of lost or stolen records -- and hence affected consumers -- is much higher.
The research report also discussed "PCI DSS" requirements -- the Payment Card Industry (PCI) Data Security Standard (DSS) requirements that companies should follow when handling and storing consumer data. The Perimeter eSecurity report helped me understand what PCI DSS is and how it is used (or supposed to be used) by companies. PCI DSS is something most consumers aren't aware of, and they have no way of verifying whether the companies they shop at or bank with comply with the PCI DSS standards.
The worldwide PCI DSS standards permit companies to store certain portions of consumers' sensitive personal data (e.g., credit card account number, cardholder name), and prohibit the storage of other portions of consumers' data (e.g., information on the magnetic stripe on credit/debit cards, PINs). The standards also specify which data must be protected and the type of protection the company should use (e.g., personal ID required for online access, encryption, etc.). The important points to know:
"PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. These security requirements apply to all "system components." System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment..."
While I am not a data security professional, the PCI DSS standards seem kind of leaky to me. If a company chooses not to store any consumer data, then it seems they don't have to abide by these standards. That seems like lax security to me. Maybe some of the security professionals who read this blog can clarify this point.
The report also discussed breach notification and the ambiguity of many states' breach notification laws:
"How quickly is notification required? Vaguely defined in most legislation, except Florida and Ohio (45 days after the security breach), many use the California definition of "the most expedient time possible and without unreasonable delay" and include provisions for the needs of law enforcement."
This may partially explain the delay by many organizations with notifying affected consumers after a data breach. In my experience, IBM notified me in May 2007 after its February 2007 data breach -- about two-and-a-half months later. That's plenty of time for identity thieves to do damage.
Regarding the loss/theft of consumers' sensitive personal data, you'd think that there would not be any exceptions allowing companies to avoid (the cost of) notifying consumers affected by a data breach. Sadly, there are exceptions:
"Among the various states, encryption of customer data generally provides an exception to disclosure requirements... Kansas, Colorado and Delaware are among 18 states that have provisions exempting companies from disclosure if, upon investigation, it is believed that the stolen data will likely not be misused... Among the various states, encryption of customer data generally provides an exemption to disclosure requirements."
What?! It is prudent to assume the worst so consumers (and the company) can protect themselves in the future. How can company executives truly know the thieves' intent or motives, especially if they never catch the thieves or recover the stolen data? Even if the criminals' original intent was to steal the computer hardware, most criminals are smart and now recognize the value of consumers' sensitive personal data.
That "if you believe" clause in states' laws sounds plain stupid. It may help companies avoid breach notification costs, but it does nothing to protect consumers. If anything, it leaves consumers even more unprotected.
The problem with the exception for encrypted data:
"Security of the encryption keys themselves is also very important. If the keys are stolen along with the data, then the hacker can gain access to the information. These gaps were apparently being considered in Pennsylvania when they passed Senate Bill 712..."
In most breach notification letters I've read, few organizations (e.g., government agencies, corporations) mention whether or not the data was encrypted. Even fewer organizations mention whether or not the hackers also stole the encryption keys.
And there are still even more exemptions:
"Half of the states with data breach laws specifically mention data redaction as offering an exemption to disclosure requirements (as is the case in Arizona's Senate Bill 1338)..."
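As an added example (not from the report or this post), here is how an application could keep a stored transaction record inside the limits discussed above: it drops the magnetic-stripe and PIN fields that PCI DSS forbids storing, and truncates any card number it finds in the remaining fields so that the stored copy is redacted in the sense these notification laws recognise. The field names and the sample record are assumptions; the card-verification-code fields are listed alongside track data and PINs because PCI DSS prohibits storing them as well.

```python
import re
# Sensitive authentication data that PCI DSS does not allow to be stored after
# authorization (magnetic-stripe track data, PINs, card-verification codes).
# The field names are assumptions for this example.
PROHIBITED_FIELDS = {"track1", "track2", "pin", "pin_block", "cvv2", "cvc2", "cid"}
# A card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str) -> tuple[str, int]:
    """Truncate every Luhn-valid PAN in text to first six + last four digits."""
    count = 0
    def truncate(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # not a card number; leave it untouched
        count += 1
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(truncate, text), count

def sanitize_record(record: dict) -> tuple[dict, list[str]]:
    """Return a storable copy of record plus a list of findings: prohibited
    fields are dropped and any full PAN in a string field is truncated."""
    clean, findings = {}, []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS:
            findings.append(f"dropped prohibited field '{key}'")
            continue
        if isinstance(value, str):
            value, n = redact_pans(value)
            if n:
                findings.append(f"truncated {n} PAN(s) in field '{key}'")
        clean[key] = value
    return clean, findings

# Constructed sample record, the kind a retailer might persist after a sale.
SAMPLE_RECORD = {"cardholder_name": "A. Consumer", "pan": "4111 1111 1111 1111",
                 "track2": ";4111111111111111=29121011000012345678?", "pin": "1234",
                 "notes": "customer called about card 4111111111111111 on 2008-03-03"}
```

Running `sanitize_record(SAMPLE_RECORD)` keeps the cardholder name, stores the card number as `411111******1111`, truncates the copy that leaked into the free-text note, and reports the dropped track and PIN fields.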
What I conclude from the report is this: the true number of data breaches is far higher because we consumers aren't told about breaches that fall into the exemption categories. So, the number of affected consumers is also higher. And, uninformed consumers can't make good decisions about avoiding companies with poor data security habits and records.
All of this is enough to scare the daylights out of anyone. Interested individuals can download the Perimeter eSecurity study (PDF format).
Interesting post. I have never taken the time to read the PCI DSS requirements. Thanks for providing the meat and potatoes and saving me the read.
I would have to agree, it certainly looks like there are a few holes in the requirements still.
Posted by: Data Breaches | Wednesday, March 25, 2009 at 10:16 AM
George,
Thank you for a well researched article. The variances and exceptions in the now 46 state breach reporting laws are breathtaking. This shows yet again the power of the lobby.
In my work of helping businesses to meet standards of compliance with FACTA and GLB requirements I constantly run into lazy attitudes regarding encryption, and such basic steps as not recycling photocopies with sensitive data on them, and so forth. I was in a bank recently giving a talk on how data is stolen, and in the office area where I was speaking the Chief Loan Officer had his computer monitor facing the street by way of a huge picture window only 5 feet away!
The bottom line for me is pretty simple. Given the attitude on the part of real businesses of all sizes, the massive holes in the PCI DSS, and state notification legislation, why is everyone wringing their hands wondering what to do? Get a real (read professional) identity theft service that will actually help people, and largely put the issue to rest. In 2001 I was a victim of identity theft that cost me over $26,000 to solve (is it really solved? I don't know), and 2+ years of agony. I can say without reservation that if I had had the service I have now, it wouldn't have cost me one dime more than my service. $26,000 is over 18 years of my identity theft service. Is that a cost effective service? I think so.
Now we are facing the Electronic Records Initiative as part of the economic recovery package. This is designed to compile all of our medical records in "cloud" servers available to, well, almost everyone. While this can be a massive cost savings to the healthcare industry, and potentially a great boon for the individual, it also opens a whole new security problem. Medical identity theft is the second largest category of identity theft, and potentially the most dangerous. When will Americans wake up and realize that identity theft is a vast subject and a fraud alert or monitoring service will not help? And waiting to be a victim so your employer will buy you a year of free monitoring is not very smart either. We all need to take the initiative ourselves and stop our victim mentality.
Just my opinion.
John
Posted by: John Taylor | Wednesday, March 25, 2009 at 11:16 AM
Most companies enjoy “security” insofar as they haven’t been targeted, or had an employee make a human error with catastrophic exposure. PricewaterhouseCoopers and Carnegie Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – absent a new eCulture, breaches will, and continue to, increase. As CIO, I’m constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: a book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.
Posted by: John Franks | Wednesday, March 25, 2009 at 02:23 PM