Identity infringements

 

Data breaches can be costly, inconvenient and critical, not least for the victims
of a data breach. However, simple procedures can offer protection.


 

 

March 2, 1010


By David Jacobson

 

Last year's Heartland Payment Systems' spectacular data breach stemmed from errors that allowed hackers to break into the payment processor's networks and steal data on approximately 130 million credit and debit cards over several months.


But most data breaches do not involve sophisticated hackers. They usually result from not following simple procedures.


In 2009, the UK Financial Services Authority (FSA) fined three HSBC firms more than £3 million for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen. These failings contributed to customer data being lost in the post on two occasions.


During its investigation into the firms' data security systems and controls, the FSA found large amounts of unencrypted customer details had been sent via post or courier to third parties. Customers' confidential information was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.


In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.


In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post. The confidential information on both disks could have helped criminals to steal customers' identities and commit financial crime.


The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.


In the past four years, the FSA has also fined Capita Financial Administrators £300,000; Nationwide £980,000; BNP Paribas Private Bank £350,000; Norwich Union £1,260,000; and Merchant Securities £77,000 for failings relating to data security lapses and fraud.


Why are breaches bothersome?
Any breach of the secure storage of customers' personal information can result in the release of personal, identifying information of an individual. That personal information may be sufficient to allow an unauthorised person to assume the identity of the victim and use that illicit identity to open, for example, new accounts in the victim's name.


What is Australia doing?
In Australia, the Privacy Act currently does not require individuals to be notified when their personal information has been compromised or subject to a security breach. As Australia does not yet have mandatory data breach notification laws, we don't know about breaches other than those that get public notoriety (e.g. files dumped in bins, stolen laptops or forgotten CDs).


The Australian Privacy Commissioner, Karen Curtis, has released a 'Guide to Handling Personal Information Security Breaches'. It is a voluntary guide for use by businesses, agencies and non-government organisations in preventing and, if necessary, responding to a data breach. The Guide includes four key steps to consider when responding to a breach:


Step 1: Contain the breach and do a preliminary assessment.
Step 2: Evaluate the risks associated with the breach (risk analysis is on a case-by-case basis: not all breaches necessarily warrant notification).
Step 3: Consider notification.
Step 4: Prevent future breaches.


With regard to Step 3, the Guide suggests individuals affected by a breach should only be notified where a breach creates a real risk of serious harm to the individuals. This is consistent with the recent Australian Law Reform Commission report recommendation, which seeks to provide individuals with a warning that their personal information has been compromised and an opportunity to take steps to protect themselves against the consequences of identity theft.


The Federal Government will not make a decision on mandatory data breach notification until the second stage of its response to the ALRC Report (to be considered once the first stage's reforms have been progressed). In the meantime, the Privacy Commissioner's voluntary guide should be considered when developing a policy on responding to data breaches.


The cost of notification

The cost of notification does not just include the actual cost involved in notifying every individual affected by a security breach. Notifying customers of a security breach also gives rise to a real potential for market damage to the organisation, including reputational damage, lost customers and lost future profits.


Avoiding breaches
We can learn from an analysis of breaches notified in the US. Verizon's 2009 Data Breach Investigations Report concluded:

 

  • 74 per cent were caused externally, 20 per cent internally;
  • 67 per cent were aided by errors, 22 per cent involved privilege misuse;
  • 69 per cent were discovered by a third party, 87 per cent were considered avoidable through simple controls.


The five recommendations were:

 

  • Ensure essential controls are met
  • Have data retention policies: find, track, and assess data
  • Collect and monitor event logs
  • Audit user accounts and credentials
  • Test and review web applications.

David Jacobson is a partner with Langes+ Lawyers, a specialist financial services practice with offices in Sydney, Adelaide and Brisbane.
