
Archive for the ‘Laws and regulations’ Category

ILTA article: A Data Breach Pandemic

March 10th, 2010, by Bill Ho

The International Legal Technology Association (ILTA) just published its March issue of Peer to Peer magazine. You’ll find an article I authored on data breaches, privacy laws, and how secure file transfer can help companies distribute their confidential information while complying with various legal requirements. You can also use this link to download the specific article as a PDF.


Cost of data breaches rises

January 25th, 2010, by Bill Ho

Up to $204 per compromised record. That’s the latest figure from the Ponemon Institute’s annual study. Ellen Messmer’s PC World article on the cost of data breaches again supports the notion that, just like your doctor keeps telling you, preventive strategies will save you in the long run, in more ways than one.

The article also contains a link to the 2009 Data Breach Hall of Shame, which is interesting reading. Heartland Payment Systems topped the list with 130 million records breached through SQL injection! Ouch.


TJX settles for $9.75 million

June 26th, 2009, by Bill Ho

TJX finally settles suits brought by 41 states for $9.75 million over the huge data breach that exposed up to 94 million accounts. It makes Ben Franklin’s saying “an ounce of prevention is worth a pound of cure” really resonate.

“This settlement ensures that companies cannot write off risk of a data breach as a cost of doing business,” said Massachusetts Attorney General Martha Coakley. If you look at the risk/reward ratio, it’s pretty skewed. It’s good empirical evidence that investing in security policies and tools is definitely worthwhile.


Another information privacy law in Connecticut

January 16th, 2009, by Bill Ho

During my research into the new MA law on data privacy, I also found this law (Public Act No. 08-167), which became effective on October 1, 2008. The act is aimed at protecting Social Security numbers. The interesting thing about this act is that it’s not just businesses that are required to adhere — individuals will be held responsible as well. Here’s a quote from the actual act:

Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.

It’s a $500 civil penalty per violation, and it maxes out at $500,000 per event. By the way, personal information doesn’t just include Social Security numbers, but also driver’s license numbers, passport numbers, credit or debit card numbers, and health insurance identification. I love that they added this extremely important item too: “account number” — is it just me or is that just a wee bit vague?


201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth

January 14th, 2009, by Bill Ho

Catchy title? Well, maybe not, but it’s a new privacy and security law in Massachusetts that takes effect May 1, 2009 (postponed from January 1, 2009).

The purpose and scope, as described on the Mass.gov site:

(a) Purpose
This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

(b) Scope
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.

While this sounds quite onerous for many companies, and has pretty far-reaching implications for IT data management processes and procedures, it’s a step toward protecting against the increasing incidence of identity theft and other data leaks. Was this law spurred by the TJX breach of 45.7 million credit cards, or by the 4.2 million credit card numbers nicked from Hannaford in 2007? The cleanup costs far outweigh the investment in security that might have prevented these data breaches (some estimates put TJX at $4.5 billion in accumulated costs from fines, legal fees, notification expenses, and brand damage).

I see stories like these, and dozens of other high profile breaches, as the tip of the iceberg. I doubt there’s going to be any law or compliance legislation that will protect 100% of individual and company data from being lost or stolen, but it does make sense for companies to reassess their data storage and transmission policies to harden their defenses against this.

Companies must look at this holistically, however, and can’t overlook the fact that data must be protected from many angles. In the introduction to the book Practical Cryptography, the authors, Niels Ferguson and Bruce Schneier, describe companies obsessed with building robust, highly protected network perimeters to foil outside hackers while ignoring internal risks, both malicious and unintentional. They liken it to installing a huge steel front door on your house while leaving an unlocked screen door in the back.

With this law, the pendulum has swung quite a bit toward requiring companies to have controls in place to protect personal data. I hope the solutions built for it are technically rigorous enough to maintain security, yet not so complex and hard to use that individuals dismiss them and look for alternative methods that may compromise security.
