Call for worldwide breach notification laws

[InfoSec News <alerts () infosecnews org>]

http://www.siliconrepublic.com/news/news.nv?storyid=single9222

By John Kennedy
17.09.2007

High profile security breaches such as the theft of financial details of 
more than 46.7 million TK Maxx customers and the burgeoning level of 
personal data held by business has led to the chief security strategist 
of a major software firm calling for unified and stringent international 
laws requiring firms to reveal breaches as they occur.

Chief security strategist at Citrix Kurt Roemer said that governments, 
including Ireland, should establish laws requiring organisations to 
notify individuals in the event that their personal information is 
compromised in a data security breach.

In March of this year it emerged that details of 45.7 million customers 
of US retailer TJX (known here in Ireland as TK Maxx) were stolen. The 
data was accessed on TJX’s systems in the UK and in Massachusetts over a 
16-month period and the data accessed covered credit and debit card 
transactions dating as far back as December 2002.

Such breaches have prompted governments around the world to consider 
implementing stringent breach notification laws.

He said that as well as protecting consumers, these laws will also be 
important to businesses. Irish companies, for example, operating in 
Ireland but who may have offices in other locations around the world 
could find complying with a patchwork of breach notification laws 
onerous.

Roemer, however, believes that these laws must be unified in order to 
reduce costs for businesses and that companies should support such a 
movement.

“I see there being a tremendous sense of urgency on this. Digital 
identities are being created and managed online every day leading to a 
tremendous amount of data on consumers sitting on servers in 
organisations in the retail, healthcare and financial world. In the 
past, this information was locked in filing cabinets but today they are 
on a server that if not properly secured could be accessible to anyone 
with a browser and who knows what they’re doing.”

In most cases breach notification laws are created on the basis of a 
major revelation such as the exposure of 145,000 customer records by 
hackers at Choicepoint, which cost the company US$6m. He pointed to the 
US where 39 states have breach notification laws and said the EU is 
actively looking at providing a new directive enforcing more member 
state participation.

He said that since January 2005 more than 166 million data records have 
been exposed through hackers attacking servers, executives losing 
laptops and malicious corporate insiders. “It’s not just hackers and 
criminals that are the problem, people in organisations can do stupid 
things.”

Roemer continued: "For PR reasons businesses that have experienced 
security breaches would have tried to keep them out of the press to 
avoid embarrassment. Unfortunately this policy puts consumers at risk."

He said that once a security breach occurs, costs can continue to mount 
even after the event. “TJX had some 45.7 million customer records 
exposed and took a US$256m charge — this is 10 times the charge they 
originally estimated and they are nowhere near done.”

Roemer cited research firm Forrester which estimates that it can cost a 
business between US$90 and US$305 per lost record.

He pointed to the California State Bill AB779 which makes retailers 
responsible for the cost of the breach. "Previously, if you incurred a 
breach, merchant banks ate the cost of that breach. Now retailers have 
to pay the cost of lost records. It can take businesses weeks and even 
months to rebuild credit and create their automated payments system, and 
this could be just after a minor breach."

The movement to support unified international breach notification laws 
may still be quite nascent but Roemer believes there is a groundswell of 
support for them. "A UK House of Lords committee is calling for it, the 
European Commission is recommending a directive for it. The US 
government is requiring all Federal agencies to have breach notification 
procedures and at overall government level they are requiring breach 
notification laws for all states.

"Unified breach notification laws are in everyone’s interest. Businesses 
shouldn't fear disclosure. When you take a look at TJX it hasn't 
materially affected the company’s continuing performance. But while it 
is continuing to grow its business, it is finding executives are 
spending a lot of time responding to the fallout of the breach," Roemer 
concluded.

__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com