STRONG DATA THEFT REGULATIONS NEEDED
by Curt Hall, Senior Consultant, Cutter Consortium
It seems like every day brings yet another account of how some organization's consumer data has been illegally accessed or stolen. In fact, over the past six months, approximately 2.2 million consumers have had their personal information exposed to fraud, identity theft, or other possible criminal uses due to hacking incidents or computer hardware thefts at various organizations. Here they are; you can add them up yourself:
- 1.2 million -- loss of digital tapes containing credit card information at Bank of America
- 310,000 -- consumer information database hacked at data broker Seisint/LexisNexis
- 185,000 -- computer theft at San Jose Medical Group
- 180,000 -- theft of credit card information at retailer Ralph Lauren
- 145,000 -- consumer information database hacked at data broker ChoicePoint
- 100,000 -- customer information database hacked at retailer DSW Shoe Warehouse
- 100,000 -- laptop theft at University of California at Berkeley
- 9,000 -- computer theft at the Department of Motor Vehicles, Las Vegas, Nevada, USA
Total: 2,229,000 consumers exposed to possible identity theft, fraud, and other crimes.
As I noted several weeks ago when I first touched on the consumer data theft problem, in recent testimony to the US Congress, Federal Trade Commission officials estimated there were 10 million US victims of identity theft between early 2002 and early 2003. This resulted in a total estimated cost of US $53 billion to US businesses and individuals (see the 11 March 2005 Advisor, "The Web Analytics Association").
What in the World Is Going On?
Sitting at my favorite cafe sipping tea the other morning, I heard a fellow patron exclaim to her friend: "What in the world is going on with all these recent 'cyber break-ins'?" That's when it dawned on me: consumer information thefts have probably been going on for some time. The only reason all these recent incidents have come to light is a California law that took effect in 2003. That law, the only one like it in the entire US, requires that organizations disclose security breaches when information pertaining to California consumers has been compromised. And sure enough, as it turns out, consumer data brokers ChoicePoint and LexisNexis both had data breaches prior to 2003 that they failed to reveal. Incredibly, LexisNexis' parent company Reed Elsevier went on to divulge that 59 incidents took place over the past few years in which thieves tricked the company into handing over passwords that gave access to consumer information -- including Social Security numbers, drivers license numbers, and other data. No hacking was required: a convincing phone call or e-mail was enough.
As a result of these incidents, legislation has been introduced into the US Congress that would regulate data broker companies like ChoicePoint, LexisNexis, and Acxiom (which has not revealed any data break-ins, to the best of my knowledge).
I usually hate to see any form of government regulation enacted, because it typically becomes so watered down in committee that by the time it actually gets passed it tends to satisfy no one. In this case, however, I think it is required.
Simply put, the data broker companies have amassed gigantic data warehouses consisting of billions of database records containing all sorts of personal and financial information on every adult in the US. This information is used to make a wide range of personal, business, financial, legal, and even law enforcement decisions. Moreover, one issue no one seems to have considered (at least publicly) is whether or not the security lapses have in some way compromised the integrity of the data stores at ChoicePoint and LexisNexis.
Not all hackers seek financial gain from their misdeeds; many do it simply to be malicious, and an intruder with write access to a database can alter or delete records as easily as copy them. Considering these issues, not having regulations covering the data collection and security practices of the data broker companies makes about as much sense as a major city not having a modern fire department. It's simply inviting disaster.
Data broker industry representatives appearing before Congress indicate they will support federal laws requiring that consumers be notified in the event of a security breach. However, they stress that they would only support such notification in instances that put consumers at risk of identity theft or fraud. As a result, any regulations implemented will need to define very clearly what specifically constitutes a security breach requiring notification, and include meaningful penalties (i.e., significant fines and legal recourse for consumers) for companies that fail to comply. Simply put, the actions of ChoicePoint and LexisNexis show that it cannot be left to such companies' discretion to determine when consumers have been exposed to the risk of identity theft or fraud. Thus, any legislation is going to need real "teeth" if it is to have the desired effect.
While laws regarding data broker information practices are almost surely just around the corner, not all the recent security breaches have involved data brokers. As a result, some legislators are also considering extending California's consumer information protection law nationwide (or using it as a model). Basically, such a law would require that any organization -- not just the data brokers -- disclose security breaches when information pertaining to US consumers had been compromised.
It's also important to point out that the biggest loss of consumer information (recently revealed) did not involve hacking. Rather, it was the result of a loss or theft in which Bank of America somehow misplaced digital tapes containing the credit card account records of 1.2 million federal employees. In addition, other consumer information breaches have been the result of stolen PCs and laptops. Even so, I am hesitant to say whether legislation should be written to cover such incidents. Given all the negative PR companies have been getting from the recent information breaches, the hit some companies' stocks have taken, and the lawsuits filed by furious consumers and stockholders, such regulation may be unnecessary. But that's up to the government representatives -- in all their wisdom -- to decide.
The bottom line is that consumer information should never, ever be stored on laptop computers, and it should only be stored on desktop PCs when encrypted and when other security measures are in place against hacking (e.g., firewalls, intrusion detection programs). The same goes for digital media such as backup tapes -- consumer data should be encrypted, and the encryption key must not travel with the media, or the encryption buys you nothing when the tape goes missing. Violating any of these rules simply opens your organization up to data security breaches via theft or hacking, along with all their nasty repercussions.
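The following is an added example, not code from the original Advisor or from any of the companies it discusses, of what "encrypted" should mean for a consumer record written to a tape or disk: authenticated encryption (AES-256-GCM here), a fresh random nonce per record, the key kept separately from the media, and a context label bound into the authentication tag so that a record moved from one archive to another, or altered in place, is detected on read. The record contents, tape ID, and function names are assumptions made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. In practice the key lives in a key
// management system or hardware module, never on the same laptop or tape
// as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM. A random 12-byte nonce is
// generated per call and prepended to the output; the authentication tag
// GCM appends makes any later modification detectable. context (e.g. a
// tape or file ID) is bound into the tag as associated data, so a record
// cannot be silently moved between archives.
func Seal(key, record, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || tag
	return gcm.Seal(nonce, nonce, record, context), nil
}

// Unseal reverses Seal and fails closed: a bit flip anywhere in the stored
// bytes, a wrong key, or a mismatched context yields an error and no
// plaintext, which is how you answer "is this recovered tape still intact?"
func Unseal(key, sealed, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], context)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and tape ID; no real consumer data.
	record := []byte("name=J. Doe;card=4111111111111111;exp=12/07")
	tapeID := []byte("backup-tape-0042")

	sealed, err := Seal(key, record, tapeID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("written to media: %x\n", sealed)

	// Simulate someone altering one byte of the stored data.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Unseal(key, tampered, tapeID); err != nil {
		fmt.Println("tampering detected:", err)
	}

	plain, err := Unseal(key, sealed, tapeID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
}
```

Note that the key never appears in the stored bytes; a thief holding the tape has the nonce, ciphertext and tag, none of which helps without the key held elsewhere. GCM nonces must never repeat under the same key, so for very large archives (beyond roughly 2^32 records per key) rotate keys rather than relying on random nonces alone.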
As always, your comments and insights on this announcement and the business intelligence, data warehouse, and CRM markets in general are welcome. Send your comments to chall@cutter.com or call me at +1 510 848 7417.
Sincerely,
Curt Hall, Senior Consultant
Cutter Consortium Business Intelligence Practice
E-mail: chall@cutter.com
