In January, Perimeter eSecurity released a research report where the company analyzed data breaches at retail companies in the United States. I am a curious person, so I took the time to wade through this 32-page report.
Perimeter's analysis covered data breaches that occurred from 2000 through 2007. It included both breaches in which consumers' sensitive personal information was lost or stolen and breaches in which it was not, to provide a more complete view of the problem. First, the report's definition of a "data breach":
"Nearly all organizations maintain records for their customers and employees. When this information falls into the wrong hands, or has the opportunity to be extracted, viewed, captured, or used by an unauthorized individual, it constitutes a data breach."
Corporations are notorious for being tight-lipped about details of their data breaches:
"... nearly one quarter of the incidents did not or could not disclose the number of records that were part of their data security breach."
Some of the retail companies listed in the report that didn't disclose the number of records lost/stolen because they either didn't know or didn't want to tell consumers:
- April 27, 2001: Egghead.com
- July 12, 2003: PetCo
- June 21, 2005: CVS
- October 8, 2005: Blockbuster
- November 7, 2005: Papa John's
- December 12, 2005: Sam's Club
- February 19, 2007: Stop & Shop
- March 29, 2007: Radio Shack
- June 23, 2007: Winn-Dixie
- July 11, 2007: Disney Movie Club
- September 28, 2007: Gap, Inc.
- October 17, 2007: Home Depot
- October 23, 2007: Blockbuster
This means that any media statistic about the number of consumers affected by data breaches understates the problem: with nearly a quarter of incidents reporting no record count at all, the true number of lost or stolen records -- and hence of affected consumers -- is much higher than the published totals.
The research report also discussed "PCI DSS" requirements -- the Payment Card Industry (PCI) Data Security Standard (DSS) that companies are supposed to follow when handling and storing consumers' payment card data. The Perimeter eSecurity report helped me understand what PCI DSS is and how companies use it (or are supposed to). PCI DSS is something most consumers aren't aware of, and consumers have no way of verifying whether the companies they shop at or bank with comply with it.
The PCI DSS standards, which apply worldwide, permit companies to store certain portions of consumers' sensitive personal data (e.g., the credit card account number and the cardholder name) and prohibit storing other portions (e.g., the full contents of the magnetic stripe on credit/debit cards, PINs). The standards also specify which stored data must be protected and how (e.g., unique IDs and authentication for anyone with access, encryption of the stored account number). The important points to know:
"PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. These security requirements apply to all "system components." System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment..."
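The storage rules summarized above are the part of PCI DSS that a breach turns into a consumer problem: what the thieves get depends on what the company kept. As an added example (not code from the Perimeter eSecurity report or from this post), here is a small Python scanner that checks stored transaction records for data PCI DSS forbids keeping after a transaction is authorized -- full magnetic-stripe track data and PIN data, plus card verification codes, which the standard also prohibits storing -- and flags account numbers (PANs) that are stored unprotected. The record layout, the field names (`txn=`, `cvv2=`, `pin_block=`), and the sample records are constructed assumptions; the track 1/track 2 layouts follow the ISO/IEC 7813 magnetic-stripe format, and the card numbers are standard test numbers.

```python
"""Scan stored transaction records for cardholder data that PCI DSS
prohibits keeping after authorization (full magnetic-stripe track data,
card verification codes, PIN data) and for PANs stored in the clear.

Added illustration; not code from the Perimeter eSecurity report."""
from __future__ import annotations

import re

# Magnetic-stripe formats (ISO/IEC 7813): a PAN is 13-19 digits; track 2
# separates the PAN from expiry+service code with '=', track 1 wraps the
# cardholder name in '^'. Both end with a '?' sentinel.
TRACK2 = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\??")
# Field names are an assumption about how a careless application might log
# these values; adapt them to the system being audited.
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN = re.compile(r"\bpin(?:_block)?\s*[=:]\s*[0-9A-Fa-f]{4,16}\b", re.IGNORECASE)
BARE_PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
TXN_ID = re.compile(r"\btxn=(\S+)")  # assumed record-id field

# Constructed sample records (not from the report or the post) built from
# standard test card numbers: what a log or database might hold after a sale.
SAMPLE_RECORDS = [
    "txn=1001 pan=4111111111111111 name=JANE DOE exp=1209",            # PAN in clear
    "txn=1002 raw=;4111111111111111=12091011234567890?",              # track 2
    "txn=1003 raw=%B4111111111111111^DOE/JANE^1209101123456789?",     # track 1
    "txn=1004 pan=5500000000000004 cvv2=123 pin_block=1A2B3C4D5E6F7890",
    "txn=1005 pan=411111******1111 name=JANE DOE",                     # masked, ok
]

PROHIBITED = {"TRACK1", "TRACK2", "CVV", "PIN"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> list[str]:
    """Return finding codes for one record. Codes in PROHIBITED mean the data
    may not be stored at all; PAN_CLEAR means a PAN is present and must be
    protected (encrypted, truncated or hashed) if it is kept."""
    findings: list[str] = []
    for m in TRACK1.finditer(record):
        findings.append(f"TRACK1:{mask_pan(m.group(1))}")
    for m in TRACK2.finditer(record):
        findings.append(f"TRACK2:{mask_pan(m.group(1))}")
    if CVV.search(record):
        findings.append("CVV")
    if PIN.search(record):
        findings.append("PIN")
    # Strip track data first so its embedded PAN is not reported twice.
    remaining = TRACK2.sub(" ", TRACK1.sub(" ", record))
    for m in BARE_PAN.finditer(remaining):
        if luhn_ok(m.group(1)):
            findings.append(f"PAN_CLEAR:{mask_pan(m.group(1))}")
    return findings


def violates_storage_rules(findings: list[str]) -> bool:
    """True if any finding is data PCI DSS forbids storing."""
    return any(f.split(":")[0] in PROHIBITED for f in findings)


def audit(records: list[str]) -> dict[str, list[str]]:
    """Map each record's txn id (or the whole record, if it has none) to findings."""
    report: dict[str, list[str]] = {}
    for rec in records:
        m = TXN_ID.search(rec)
        report[m.group(1) if m else rec] = scan_record(rec)
    return report


if __name__ == "__main__":
    for txn, found in audit(SAMPLE_RECORDS).items():
        verdict = "MUST NOT STORE" if violates_storage_rules(found) else "ok"
        print(f"{txn}: {verdict} {found}")
```

Run over the constructed records, the scanner flags 1002, 1003 and 1004 as holding data that may not be stored at all, reports 1001 as a PAN that needs protection, and passes 1005, whose PAN is already masked. In a real audit the same logic would be pointed at database dumps, application logs and crash files, which is where full track data most often turns up; note that the check only covers what is stored, while PCI DSS also governs how card data is processed and transmitted.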
While I am not a data security professional, the PCI DSS standards seem kind of leaky to me. If a company chooses not to store any consumer data, then it seems they don't have to abide by these standards. That seems like lax security to me. Maybe some of the security professionals that read this blog can clarify this point.

The report also discussed breach notification and the ambiguity of many states' breach notification laws:
"How quickly is notification required? Vaguely defined in most legislation, except Florida and Ohio (45 days after the security breach), many use the California definition of "the most expedient time possible and without unreasonable delay" and include provisions for the needs of law enforcement."
This may partially explain the delay by many organizations with notifying affected consumers after a data breach. In my experience, IBM notified me in May 2007 after its February 2007 data breach -- about two-and-a-half months later. That's plenty of time for identity thieves to do damage.
Regarding the loss or theft of consumers' sensitive personal data, you'd think that there would not be any exceptions allowing companies to avoid the cost of notifying the consumers affected by a data breach. Sadly, there are exceptions:
"Among the various states, encryption of customer data generally provides an exception to disclosure requirements... Kansas, Colorado and Delaware are among 18 states that have provisions exempting companies from disclosure if, upon investigation, it is believed that the stolen data will likely not be misused..."
What?! It is prudent to assume the worst so consumers (and the company) can protect themselves in the future. How can company executives truly know the thieves' intent or motives, especially if they don't catch them or recover the stolen data? Even if the criminals' original intent was to steal the computer hardware, most criminals are smart and now recognize the value of consumers' sensitive personal data.
That "if you believe" clause in states' laws sounds plain stupid. It may help companies avoid breach notification costs, but it does nothing to protect consumers. If anything, it leaves consumers even more unprotected.
The problem with the exception for encrypted data:
"Security of the encryption keys themselves is also very important. If the keys are stolen along with the data, then the hacker can gain access to the information. These gaps were apparently being considered in Pennsylvania when they passed Senate Bill 712..."
In most breach notification letters I've read, few organizations (e.g., government agencies, corporations) mention whether or not the data was encrypted. Even fewer organizations mention whether or not the hackers also stole the encryption keys.
And there are still even more exemptions:
"Half of the states with data breach laws specifically mention data redaction as offering an exemption to disclosure requirements (as is the case in Arizona's Senate Bill 1338)..."
What I conclude from the report is this: the true number of data breaches is far higher than the number disclosed, because we consumers aren't told about breaches that fall into the exemption categories. So, the number of affected consumers is also higher. And uninformed consumers can't make good decisions about avoiding companies with poor data security habits and records.
All of this is enough to scare the daylights out of anyone. Interested individuals can download the Perimeter eSecurity study (PDF format).