From: InfoSec News (alerts at infosecnews.org)
Date: Wed Sep 19 2007 - 01:06:01 CDT
http://www.siliconrepublic.com/news/news.nv?storyid=single9222
By John Kennedy
17.09.2007
High-profile security breaches, such as the theft of the financial details of
more than 45.7 million TK Maxx customers, and the burgeoning volume of
personal data held by businesses have led the chief security strategist
of a major software firm to call for unified and stringent international
laws requiring firms to disclose breaches as they occur.
Kurt Roemer, chief security strategist at Citrix, said that governments,
including Ireland's, should establish laws requiring organisations to
notify individuals in the event that their personal information is
compromised in a data security breach.
In March of this year it emerged that details of 45.7 million customers
of US retailer TJX (known here in Ireland as TK Maxx) had been stolen. The
data was accessed on TJX's systems in the UK and in Massachusetts over a
16-month period, and it covered credit and debit card transactions dating
as far back as December 2002.
Such breaches have prompted governments around the world to consider
implementing stringent breach notification laws.
He said that, as well as protecting consumers, such laws will also be
important to businesses. Irish companies, for example, that operate in
Ireland but have offices in other locations around the world could find
complying with a patchwork of differing breach notification laws
onerous.
Roemer therefore believes that these laws must be unified in order to
reduce costs for businesses, and that companies should support such a
movement.
“I see there being a tremendous sense of urgency on this. Digital
identities are being created and managed online every day leading to a
tremendous amount of data on consumers sitting on servers in
organisations in the retail, healthcare and financial world. In the
past, this information was locked in filing cabinets, but today it is
on a server that, if not properly secured, could be accessible to anyone
with a browser who knows what they're doing."
In most cases, breach notification laws are created on the basis of a
major revelation, such as the exposure of 145,000 customer records by
hackers at ChoicePoint, which cost the company US$6m. He pointed to the
US where 39 states have breach notification laws and said the EU is
actively looking at providing a new directive enforcing more member
state participation.
He said that since January 2005 more than 166 million data records have
been exposed through hackers attacking servers, executives losing
laptops and malicious corporate insiders. “It’s not just hackers and
criminals that are the problem, people in organisations can do stupid
things.”
Roemer continued: "For PR reasons businesses that have experienced
security breaches would have tried to keep them out of the press to
avoid embarrassment. Unfortunately this policy puts consumers at risk."
He said that once a security breach occurs, costs can continue to mount
even after the event. “TJX had some 45.7 million customer records
exposed and took a US$256m charge — this is 10 times the charge they
originally estimated and they are nowhere near done.”
Roemer cited research firm Forrester which estimates that it can cost a
business between US$90 and US$305 per lost record.
He pointed to the California State Bill AB779, which makes retailers
responsible for the cost of the breach. "Previously, if you incurred a
breach, merchant banks ate the cost of that breach. Now retailers have
to pay the cost of lost records. It can take businesses weeks and even
months to rebuild credit and create their automated payments system, and
this could be just after a minor breach."
The movement to support unified international breach notification laws
may still be quite nascent but Roemer believes there is a groundswell of
support for them. "A UK House of Lords committee is calling for it, the
European Commission is recommending a directive for it. The US
government is requiring all Federal agencies to have breach notification
procedures and at overall government level they are requiring breach
notification laws for all states.
"Unified breach notification laws are in everyone’s interest. Businesses
shouldn't fear disclosure. When you take a look at TJX it hasn't
materially affected the company’s continuing performance. But while it
is continuing to grow its business, it is finding executives are
spending a lot of time responding to the fallout of the breach," Roemer
concluded.