Penalties and dangers for improper controls continue to rise - a brief report.
By Michael Terban, CISSP, SSCP, HIPAA Security

Rising costs attributed to loss of private information reaffirm the
argument for proper controls for companies that house customers'
private data.

Ameriprise Financial, the financial advisory firm, revealed on
January 25th that the financial data of some 158,000 clients and
68,000 advisers was compromised when a company laptop was stolen
from an employee's car. The crime occurred last December in a
public parking area. The laptop was password protected, but the
employee admitted that the files were "not encrypted."
Ameriprise policy is to encrypt private data. The employee has
since been let go.

The Providence Journal reported on Jan. 27th that security was
breached last month at a state web site containing credit card
information of people who have done business online with state
agencies. Hackers broke into www.RI.gov and claim to have gained
access to credit card information for up to 53,000 transactions.

ChoicePoint, a credit checking service, has been fined $15 million
by the Federal Trade Commission after hackers gained access to
personal financial records of more than 163,000 of its customers.
The FTC was concerned that ChoicePoint had failed to implement
sufficient security measures in authenticating new customers.
"Evident red flags", such as companies registered at
post office boxes rather than genuine addresses, were ignored,
it reported. The $10 million fine in civil penalties is the largest
fine of its type ever to be imposed by the FTC. ChoicePoint will
also have to pay a further $5 million to a fund set up to compensate
affected consumers. ChoicePoint now has to undergo a company
security audit every other year.

The FBI calculated the price of the ChoicePoint penalty by extrapolating
results from a survey of 2,066 organizations. The survey, released
in January 2006, found that 64 percent of companies surveyed suffered a
financial loss from computer security incidents over a 12-month
period.

Mobile devices continue to present significant risks. Symantec
has released a study of the actual cost of data stored on mobile
devices and the cost of losses of that data. Here are some of
the statistics from the Symantec report: on average, company
mobile computer systems hold content valued at $972,000, and
some could store as much as $8,800,000 worth of commercially sensitive
data and intellectual property, including sensitive executive-level
information, source code for new products, and other business-critical
data.

These current stories and reports from many other data breaches
within the past year indicate the need for all companies to implement
proper controls over computer systems in general. Polar Cove continues
to implement appropriate controls for business size and data sensitivity
requirements.

More Information: For more detailed and technical information,
please contact Polar Cove. To learn more about Polar Cove and
best practices for security, please write to either the author, at
mterban@polarcove.com, or to info@polarcove.com.

© Copyright Orbidex Inc./Polar Cove, 2006.