Tuesday, June 27, 2006

The Security Gap

In the past 16 months, over 88 million people in the United States alone have had their identity compromised as a result of database breaches. Banks, credit unions, universities, healthcare providers, retailers, data aggregators, government agencies, and others have been hit. Some of them, even multiple times.

Security breaches of personal identifying information are accelerating and putting all Americans at HIGH risk for identity theft. If you want to view the national “how and who” list of data breaches, visit www.privacyrights.org.

The growing epidemic of identity theft and the trend of database breaches are causing giant waves of security changes in the way business is managed. Employers must comply with increasing identity theft and privacy laws at the state and national levels. These laws dictate security guidelines.

Personnel files, benefits data, payroll and tax data are all vulnerable, often to insider theft according to the Federal Trade Commission. Does your company have a written data security plan to protect the data of employees, customers, and vendors? Has it been implemented? Is there on-going maintenance of the plan? Does it meet the ever-changing environment, personnel, and computer security needs?

ComputerWorld.com advocates that even though data security is your IT Department’s job, it isn’t a problem that IT can completely solve. The solution, however, will help close the security gap. It takes non-IT employees to make security a priority so IT employees can make it a reality.

In addition, if identity theft (not just a data breach) is traced back to your company, how would this be handled and what affirmative defense solution does your company have in place that would hold up in court?

By the way, did you know that Arizona, Nevada, and California lead the nation for identity theft?

Lois Hale, M.S.


At 11:41 PM, Anonymous J. Larson Colorado said...

How can we get accountability from these corporations that just do not seem to care. I believe corporations around the world, not just in the U.S. (ie. ING data breach)think it is easier and cheaper to turn a blind eye rather then pay for the training of employees or implementing true security measures. What do you suggest we do?

At 2:30 AM, Blogger Lois Hale said...

You make a very good point. The Federal Bureau of Investigation in a Congressional Report stated that because companies (1) fear a loss of business from reduced consumer confidence in their security measures or (2) from a fear of lawsuits, many intrusions (hackings) are never reported.

The identity theft and privacy laws put the burden of proof on the employer/business owner to show due diligence to comply. Negligent and non-compliant violators of FACTA will find themselves facing hefty state and federal fines (per identity theft case), class action lawsuits, and responsibility for all attorney fees. In addition, some laws (like HIPAA and GLBA) require a prison term for responsible decision makers, (like officers and Directors) who also will be held personally liable for a civil penalty. Sometimes it takes a financial crisis that hits a company before its decision makers will change business practices. The penalties of identity theft laws can bankrupt small business owners.

Thanks to the media and Internet, public awareness to the complexity of identity theft is growing. Education by means of facts and actual case stories about identity theft and IT security is key. There is a cost-to-business formula for identity theft cases and the fines and fees of FACTA. The formula disproves the myth that “turning the blind eye is cheaper.” Also on record within the IT community, are facts proving that investing in appropriate security protocols is cheaper than the cost of “cleaning up” after a data breach or identity theft.

Any company/business owner who neglects to establish safe business protocols for employees, customer service, handling of data records/files, and managing facilities is inefficient and vulnerable. Employees have a responsibility to themselves and their employer to speak up—tactfully identify security challenges and offer suggestions and solutions. They may need to provide documentation from credible guidance resources such as the Better Business Bureau, www.privacyrights.org, or www.ftc.gov. Employees who seek professional development in knowledge and skills regarding security and identity theft will increase their value to the company.

If employee efforts to create security improvements fall on deaf management ears, then I would seek employment with a company that does care.

Lois Hale
Reno, Nevada

At 10:55 AM, Blogger Web2earn said...

Excellent blog and thanks for the opportunity to share my thoughts here. I am very interested in the development of the paper shredder revolution, both for my masters degree and for my website. I’ve just begun to gather data on ID theft and similar crime and it seems this is truly a plague of modern society.

If you are interested I have some interesting FACTA law resources on my website and I plan to add more info on topics such as purchasing used paper shredders, guides on the necessary security protection and resources on paper shredder types.

Enjoy your day!

Mike R.

At 6:14 PM, Anonymous Anonymous said...

Mike, Try not to get too warm and fuzzy because of your paper shredder... I think we all wish it were that easy


Post a Comment

Links to this post:

Create a Link

<< Home

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft