funsec mailing list archives

Data Breaches Surpass 2007 Level, But Businesses Rarely Are Penalized


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 9 Sep 2008 09:37:59 -0400

http://online.wsj.com/article/SB122093405633914081.html?mod=todays_us_marketplace
 

Data Breaches Surpass 2007 Level, But Businesses Rarely Are Penalized
September 9, 2008; Page B9


U.S. businesses reached an ignominious milestone in August, when the number
of data breaches disclosed publicly for the first eight months of 2008
already surpassed the total number of disclosed breaches for all of last
year.

There were 449 publicly disclosed security breaches as of Aug. 22, compared
with a 446 total in 2007, according to Identity Theft Resource Center, a San
Diego nonprofit organization for victims of identity theft. The reasons why
businesses struggle keeping customer or employee data secure are many: Cyber
criminals are adopting more sophisticated techniques for breaking into
businesses; businesses are creating, storing, and sharing more data than
ever before; and employees don't understand the value of the data that they
work with or the myriad ways the data could fall into the wrong hands.

All of these make tech security difficult -- but not impossible. The real
reason that data breaches are on the rise is that businesses don't have a
real incentive to invest more than the minimum required in security, says
Bruce Schneier, chief security technology officer at BT Group PLC. 

"For the most part a company doesn't lose its data, they lose your data,"
says Mr. Schneier. Consequently, the entity responsible for the breach isn't
the party that is harmed by it. Victims are upset, but they are more likely
to learn about the fraud that is committed in their name -- not the breach
where a criminal obtained the data. They are often powerless to punish the
business that exposed the record because they can't link the fraud to a
cause, says Mr. Schneier. 

At least 44 states have laws that require businesses to disclose data
breaches. But a recent study by researchers at Carnegie Mellon University
found no evidence that these laws actually reduce the incidents. There are
potential loopholes: Sometimes only businesses in certain industries must
disclose a breach; or the breach may have to be disclosed only if a business
suspects that the information will be used to commit fraud. Also, aside from
potentially negative publicity, businesses are rarely penalized for a breach
as long as it is disclosed.

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
