Budgeting for security breaches
By Ephraim Schwartz, InfoWorld

This article was originally published by E-Commerce Times at http://www.infoworld.com/article/06/04/04/76979_15OPreality_1.html on April 4, 2006.

It appears, according to a reliable source, that a national retailer has lost the debit card information from thousands of its customers, but as we go to press, it has still refused to fess up.

The debit card numbers are being used to withdraw money from banks in Russia and Eastern Europe, according to Randy Gainer, an attorney at Davis Wright Tremaine. That means the retailer has yet to notify its customers of the loss. Although it’s true that the affected cardholders are being notified by their banks, most of which have security systems that flag overseas withdrawals, the notification comes after the fact. It would be nice if the retailer would come forward.

However this particular scam plays out, we all know it’s only the tip of the iceberg. And who do you think is in front of the firing line? IT, of course.

The problem stems from the fact that, in the old days, financial information was between consumers and their bankers. But now, all companies are holders of financial information, says Bruce Eissner, CEO of Polar Cove, an IT data security consultancy. IT has to struggle to protect data from insider and outsider misuse, both while it’s at rest in data banks and when it’s in motion.

To make sure that happens, 22 states have passed legislation requiring that companies make public any compromise of customer data in a “reasonable amount of time.” The idea is that reporting a loss will be such an embarrassment and such a potential blow to customer confidence, it will encourage companies to develop strict security standards.

However, with each of the 22 states requiring different reporting standards, companies are struggling to develop systems to accommodate customers wherever they might reside. Determining what data was stolen, finding the valid customer addresses, and then sending out the notices can get expensive.

In addition, when Fidelity lost data on some 200,000 Hewlett-Packard employees, it promised to pay for a credit-watch service for a year to help ensure that future credit requests are legitimate and that HP (Profile, Products, Articles) employees’ credit ratings wouldn’t be compromised. Is it any wonder that recent estimates indicate that security expenditures have grown to an average 7 percent of IT budgets, up from 2 percent?

Besides the state statutes, there is a handful of federal bills now working its way through Congress. H.R. 3779, the Financial Data Protection Data Act of 2005, was just released from committee. Although it’s a watered-down version of what most states require, and it will pre-empt state statutes, according to Gainer, it does have one benefit: It would be a single standard for companies to deal with.

As much as IT is involved, both Gainer and Eissner say it really comes down to a management issue. Here’s the collective advice of both of these experts.

First, don’t underestimate the inadvertent loss of data because of insider error, such as lost laptops. Make sure that everyone is security aware and security trained. Then, establish best practices and do not violate them. Eissner also says to “take the Volvo approach,” by which he means advertise safety and promote it as a positive, rather than trying to explain away a negative.

Ultimately, all companies that handle financial information must realize that they are in effect finance companies, and they must build compliance and security into their strategic planning.