Sam Dekay

An Analysis of the Privacy Rights Clearinghouse “Chronology of Data Breaches” and Implications for Information Security Professionals (pt. 2)

Issues concerning validity cannot be dismissed as mere pedantry. However, it seems that sufficient data are available, from innumerable sources, to warrant the formulation of hypotheses, if not iron-clad inferences. In addition, the extant information, culled from divergent sources, demonstrates a degree of internal consistency that lends credibility to the validity of the Clearinghouse data, at least for purposes of analysis. For example, the above-cited article mentions that the following sectors were responsible, in order of frequency, for data breaches in 2007: Educational Institutions, Government/Military Agencies and General Businesses, Health Care Facilities, and Financial Services. This is virtually the same ordering of sectors as reported in my analysis of the Clearinghouse database. Jaikumar Vijayan, reporting in a 2006 article in Computerworld, cites a former director of the Federal Trade Commission as stating that “only about 2% of breach victims actually become victims of fraud and ID theft.” Analysis of the Clearinghouse database for 2007 incidents concurs with this conclusion.

Thus, although the thoroughness and validity of the Clearinghouse data are open to dispute, the material seems sufficiently complete and valid to warrant proposing several hypotheses.

1.  The majority of data breaches are preventable by physical security measures; traditional information security controls may prevent only 1/3 of all reported breaches.

Fifty-four percent of breach incidents reported in 2007 involved (1) lost/stolen equipment or (2) careless disposal of paper records. Organizations seeking to reduce the frequency of these occurrences are advised to develop and implement policies and procedures concerning the secure transport, storage, and disposal of physical media. These policies would include provisions pertaining, for example, to controls for which employees and third-party service providers are responsible (e.g., use of tamper-proof containers for shipped items, at least two employees accompanying items in transit, cross-cut shredding of all documents containing personally identifiable information). The use of encryption for magnetic tapes and laptops would also reduce the frequency of reported breach incidents, although some states require reporting of breaches even if the personally identifiable information resides on encrypted media.

However, the implementation of programs to secure the transport, storage, and destruction of media is not traditionally a focus of the information security function.  Although information security professionals may be involved with the establishment of these programs, significant participation is also required by the Compliance, Privacy Office, Legal, Corporate (or Physical) Security, Records Management, and other functions. The resources provided by information security alone will not prevent the majority of breach incidents.
