This report analyzes the phenomenon of data breaches, defines their types and the reasons why they still occur, looks at their consequences, analyzes a chronology of data breaches, and describes the solutions to this problem that exist within the industry. The paper also proposes problem-solving strategies for mid-sized institutions (community banks) that help to prevent unauthorized data exposure and/or to react adequately when it takes place. The report is designed for the executive management team of a mid-sized community bank looking for strategies to minimize the risk of a data breach within their organization.
During the past thirty years computers have taken their place in most contemporary businesses, becoming a place to store information, a means of communication, and, for many institutions, the most important and versatile working instrument in the office. This is especially true for banks. All of the information about checking accounts, loans, transactions, customers' personal identification data, their investments and more is stored on the hard drives and media devices used by the bank. This has changed how banks function, allowing reductions in paper workload, but, at the same time, creating numerous possibilities for data loss and, as a result, financial breakdowns.
In today's high-tech and criminally motivated times, banks have to deal with a constant threat of exposure of sensitive financial data and their customers' personal information. The costs associated with data breaches are enormous. Data breaches bring financial and reputational losses, triggering loss of market capitalization, loss of customer confidence, and, of course, loss of potential and existing customers. The problem of data breach is a big concern for millions of companies worldwide. Numerous strategies are designed and implemented, thousands of protective software and hardware products are designed and sold, but still the cost of losing personal and financial data grows with each passing year.
The purpose of this report is to analyze existing information about data breaches, their effect on banks, existing problem-solving strategies, their prevalence and shortcomings, and to create a strategy that is usable for preventing data breaches in mid-sized institutions. This report is written to highlight the existing state of things with regard to this problem, look over data breach types and existing measures for dealing with them, and introduce a solution to protect mid-sized community banks. The paper is designed for the executive management team of community banks who are looking to protect their organizations from problems associated with data breaches.
This report describes a comprehensive program of preventive measures to avoid data breaches as a solution for mid-sized institutions, describing the physical, hardware and software security measures crucial for preventing unauthorized data exposure.
Data breach is a huge and costly problem that thousands of companies worldwide encounter. Banks, credit unions, merchants and other organizations suffer this “unauthorized acquisition of computerized data that endangers the security, confidentiality, or integrity of personal information maintained by the person or business” as defined by California notification laws. In fact, according to this definition, data breach is a compromise in systems or a theft that results in the loss or misuse of personal information, which is protected by the state statutes.
According to these statutes, notification must be provided to the individuals impacted by the breach, including company owners, company personnel and/or customers, in addition to individual consumers. According to the California Civil Code, in a definition shared by most states, personal information includes these types of data:
“any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.”
Stolen by a wrongdoer, personal information fetches a hefty profit and rewards the victim with a huge number of problems related to identity theft. It is estimated that to repair the damage caused by identity theft, an average victim has to forego $25,000 and about 175 hours of time to deal with the fallout. U.S. companies and consumers spend about $50 billion a year to deal with the consequences, including restitution in some cases. Identity theft involves about 10 million U.S. citizens annually, exposing them to numerous financial, reputational and even criminal risks.
Data breach is one of the most widespread, and at the same time, damaging cyber crimes. Cyber crimes are divided into three categories where a computer is:
The tool of the crime;
It is interesting to note that the computer is the target of a hacker and, at the same time, the tool of the hacker to breach the data and commit the theft.
There are different purposes for which personal information can be stolen. In most cases data breach results in using the victims’ credit cards and accounts, but it is also possible that the stolen information can be used for identity fraud – committing crimes under a false identity, and/or fraudulent documents. Stolen data allows criminals to create false identifiers, which allows them to spawn other documents which are then used for creating a totally credible identity that has access to all the data and facilities a normal U.S. citizen has.
This is one of the ways contemporary terrorists facilitate their activities. In addition, there is always a risk that stolen identity data will be used for creating false documents which can be sold to anyone willing to pay including illegal immigrants. Modern technology makes the forgery of these documents one of the easier tasks in this diabolical plot. 
Terrorism is inextricably connected to identity theft, as terrorists rarely use their real names for their activities. It is known that in the case of 9/11 several terrorists used false and/or stolen passports, credit cards, driver's licenses etc. In fact, stealing even a small piece of personal data can help a criminal to build a whole new, but credible, identity with a clear credit and criminal record.
Using false documents, an identity can appear and disappear, making it harder to find out the true identity of the wrongdoer. Investigations started by the U.S. government after 9/11 revealed that identity theft was an "integral part" of many crimes committed by global groups of criminals, like cyber criminals, drug traffickers, gun runners and others.
Until recently data breaches were not such a widely discussed issue, and companies had much less motivation to enhance their security measures, as their reputation was not so badly tarnished by them. Before the recent legal requirements were placed on businesses, companies were not required to publicize data breaches. Even a courteous notification depended on a company's good will. This made it very difficult for citizens to take security measures to ensure the safety of their credit accounts and other financial information.
But after notification laws were enacted in California and other states, companies became obliged to notify customers about the threat of misuse of their personal data, in order to let them protect their financial wellbeing and reputation. According to the 2003 FTC survey, half of identity theft victims did not even know that their personal data had been stolen and that they were under threat. In 2002 California enacted S.B. 1386, the first legislation requiring organizations to inform people in case of unauthorized exposure of their personal records.
Moreover, there were other imperfections in U.S. law that made it easier for wrongdoers to collect the personal data of unsuspecting citizens. When there was no disclosure agreement between a company and a customer, the company had no obligation to protect personal data from disclosure to third parties. Of course such obligations existed for doctors, lawyers and some other categories, but online stores, pay-to-use sites and other organizations were not obliged to enhance security measures to ensure that their customers' personal data would not be stolen and used by third parties.
The number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005 was 218,621,856 as of February 26, 2008. Here is a shortened chronology of the most notorious data breaches of the last three years:
Date | Organization | Incident | Number of affected records
Feb. 25, 2005 | Bank of America (Charlotte, NC) | Lost backup tape | 
April 28, 2005 | Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp | | 
June 6, 2005 | | Lost backup tapes | 
June 16, 2005 | | | 
April 28, 2006 | Ohio's Secretary of State (Cleveland, OH) | The names, addresses, and Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to 20 political campaign operations for spring primary election races. The records of about 7.7 million registered voters are listed on the CDs, but it is unknown how many records contained SSNs, which were not supposed to have been included on the CDs. | "potentially millions of registered voters"
May 22, 2006 | U.S. Dept. of Veterans Affairs (Washington, DC) | On May 3, data on all American veterans discharged since 1975, including names, Social Security numbers, dates of birth and in many cases phone numbers and addresses, was stolen from a VA employee's home. | 28.6 million veterans
May 30, 2006 | Texas Guaranteed Student Loan Corp. (Round Rock, TX) via subcontractor Hummingbird (Toronto, Canada) | Texas Guaranteed (TG) was notified by subcontractor Hummingbird that on May 24 an employee had lost a piece of equipment containing names and Social Security numbers of TG borrowers. | 
June 14, 2006 | American Insurance Group (AIG), Indiana Office of Medical Excess, LLC (New York, NY) | A computer server containing personal information, including names, Social Security numbers, birth dates, and some medical and disability information, was stolen on March 31. | 
Sept. 7, 2006 | Circuit City and Chase Card Services, a division of JP Morgan Chase & Co. (Wilmington, DE) | Chase Card Services mistakenly discarded 5 computer data tapes in July containing Circuit City cardholders' personal information. | 
Nov. 2, 2006 | Colorado Dept. of Human Services via Affiliated Computer Services (ACS) (Dallas, TX) | On Oct. 14, a desktop computer was stolen from a state contractor who processes Colorado child support payments for the Dept. of Human Services. The computer also contained the state's Directory of New Hires. | up to 1.4 million
Jan. 17, 2007 | TJ stores (TJX) - The TJX Companies Inc. | TJX experienced an "unauthorized intrusion" into its computer systems that process and store customer transactions, including credit card, debit card, check, and merchandise return transactions. It discovered the intrusion in mid-December 2006. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed. | estimated 100 million
Jan. 22, 2007 | Chicago Board of Elections (Chicago, IL) | About 100 computer discs (CDs) with 1.3 million Chicago voters' SSNs were mistakenly distributed to aldermen and ward committeemen. The CDs also contain birth dates and addresses. | 1.3 million voters
Apr. 10, 2007 | Georgia Dept. of Community Health (Atlanta, GA) | A computer disk containing personal information, including addresses, birthdates, dates of eligibility, full names, Medicaid or children's health care recipient identification numbers, and Social Security numbers, went missing from a private vendor, Affiliated Computer Services (ACS), contracted to handle health care claims for the state. | 
July 3, 2007 | Fidelity National Information Services; Certegy Check Services Inc. (Jacksonville, FL) | A worker at one of the company's subsidiaries (Certegy Check Services, Inc.) stole customer records containing credit card, bank account and other personal information. | 
Sept. 28, 2007 | Gap Inc. (San Francisco, CA) | A laptop containing the personal information of certain job applicants was stolen from the offices of a third-party vendor that manages job applicant data for Gap Inc. The laptop held personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007. | approximately 800,000 applicants
Source: Privacy Rights Clearinghouse. A Chronology of Data Breaches.
Those are only the largest incidents of data breach. In fact personal information is being stolen every day, hundreds and thousands of records at a time. For example, on February 25, 2008, a county employee's car was stolen, and in that car was a printout of bank draft transactions within the Park and Recreation Department. Bank account information of an unknown number of people in Mecklenburg County was stolen. In this information age, every American citizen lives under the threat of identity theft.
The danger of personal data theft stems from the system of personal identification existing in the USA and other countries. Since 1943, when Roosevelt directed federal agencies to use the social security number (SSN) as a personal identification system, the SSN has been widely used commercially, in combination with mother's maiden name, birth date, and address, to gain access to finances, obtain credit etc. In fact this information is enough for creating a false identity, committing identity fraud, creating fraudulent personal identification documents and other outlaw activities.
Since computers became widely used in almost all spheres of business, companies began collecting information for creating marketing databases to better know their existing customers and to more effectively target potential customers. These databases often include phone numbers, addresses, and information about the orders made, sometimes even SSNs, health records, credit card numbers, and other data.
In addition, many agencies exist that offer their customers background checks, reviewing criminal records, employment information, data about property ownership, credit worthiness and other information, which is collected in databases and can be easily purchased from Web-based services like www.backgroundcheckgateway.com/, www.usa-people-search.com/ etc. Both marketing and background databases are relatively easily accessible, which makes them a great target for identity thieves and other cyber-criminals.
At the same time, only a fraction of data breach crimes are perpetrated through the Web or other networks. There are different types of data breach. Classified by the cause of the incident, they are:
Performed by outside hackers;
Caused by insider malfeasance;
Caused by human/software incompetence;
Caused by equipment theft (laptop and non-laptop).
Data Breaches – Existing Problem Solutions
Law enforcement and public and private industry invent measures and mechanisms in order to prevent data breaches. Government and states enact bills designed to protect citizens' private information, software and hardware vendors design and advertise utilities and devices to provide information safety, and quality assurance companies invent information safety assessment programs and offer assessment services.
To ensure that sensitive data is protected, companies write and enact policies on data usage and protection. Insurance companies design policies that give companies a means to protect themselves from the financial risks resulting from data loss. Nevertheless, data breach becomes more and more widespread with every passing year, affecting thousands of organizations and institutions, and millions of people worldwide.
In 1999 the Financial Modernization Act, also known as the "Gramm-Leach-Bliley Act" was enacted, which regulates collection, disclosure and protection of customer private records by banks, insurance companies, and other companies providing financial services to their customers, like financial counseling, lending, money transfers etc. 
This was a significant step towards making personal data more protected, making it much safer to use services that gather consumers’ personal information. Using our bank as an example, computer systems have been modified and policies and procedures have been implemented in virtually every department in a responsive effort to comply with the requirements of such legislation.
In March 2005 federal banking regulators issued the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Guidance). It obliged every bank to have a data breach response program and to ensure that third party vendors treat consumers' data with appropriate security measures; in addition, according to this guidance, banks had to notify their customers when their personal information had been stolen.
Our bank has implemented, but needs to continue refining an incident (data breach) response policy and set of procedures. The policy requires certain actions to be taken including documentation and notification when data involving personal information has been stolen or lost.
Customer notification requirements differ from state to state. In some states, like California, they are acquisition-based (banks are obliged to send a notification whenever a data breach has occurred and information has been exposed); in others, like Pennsylvania, they are risk-based (the institution where the data leak happened evaluates the risk the customer is exposed to as a result of the personal information exposure and, based on the results of that evaluation, chooses whether to notify the victim).
Being a mid-sized community bank located in a metropolitan area of north Texas does not insulate us from other states' laws. State laws protect the citizens of that state regardless of the state in which the data breach occurs. This means that our bank has the legal obligation to follow other states' notification requirements when citizens of those states are affected by the loss of personal data from our institution.
Legislation and guidance such as these have been a great step in dealing with data breaches. They oblige companies that experience a data security breach to publicize the breach and notify the affected individuals about it. This mandated responsibility increases financial accountability and uses the threat of reputational loss as a means to motivate companies to take measures to protect sensitive data. Studies show that the notification of a data breach greatly affects the level of trust one has for the company that experienced the breach.
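The following is an added illustration of the notification decision described above, not the bank's own procedure. It assumes the two rules the report names (California acquisition-based, Pennsylvania risk-based), a hypothetical numeric risk scale from the bank's evaluation, and treats any state not in the table as "notify" by default as the conservative choice.

```python
"""Breach-notification triage by the affected customer's state of residence.

Added example, not the bank's procedure. The rule table and the risk scale
are assumptions made for illustration.
"""
from dataclasses import dataclass

# Assumed rule table. "acquisition": notify whenever the data was exposed.
# "risk": notify only when the bank's own risk evaluation meets the threshold.
STATE_RULES = {
    "CA": "acquisition",
    "PA": "risk",
}
RISK_THRESHOLD = 2  # assumed scale: 0 = none, 1 = low, 2 = moderate, 3 = high


@dataclass
class AffectedCustomer:
    customer_id: str
    state: str         # state of residence; this decides which law applies
    data_exposed: bool  # was this customer's record on the lost/stolen media?
    risk_level: int    # outcome of the bank's risk evaluation (assumed scale)


def must_notify(c: AffectedCustomer) -> bool:
    """Decide whether the bank is obliged to notify this customer."""
    if not c.data_exposed:
        return False
    # Unknown state: assume the stricter, acquisition-based rule.
    rule = STATE_RULES.get(c.state.upper(), "acquisition")
    if rule == "acquisition":
        return True
    return c.risk_level >= RISK_THRESHOLD


def triage(customers):
    """Split affected customers into (ids to notify, ids documented only).

    Every affected record is documented either way; the response policy
    requires documentation even where no notice is sent.
    """
    notify, document_only = [], []
    for c in customers:
        (notify if must_notify(c) else document_only).append(c.customer_id)
    return notify, document_only


# Constructed sample: a lost backup tape affecting customers in several states.
SAMPLE = [
    AffectedCustomer("C-001", "CA", True, 0),   # acquisition-based: notify regardless of risk
    AffectedCustomer("C-002", "PA", True, 1),   # risk-based, low risk: document only
    AffectedCustomer("C-003", "PA", True, 3),   # risk-based, high risk: notify
    AffectedCustomer("C-004", "TX", True, 1),   # not in the table: conservative default
    AffectedCustomer("C-005", "CA", False, 3),  # record was not on the tape
]

if __name__ == "__main__":
    to_notify, documented = triage(SAMPLE)
    print("notify:", to_notify)
    print("document only:", documented)
```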
Source: Ponemon Institute. National Survey on Data Security Breach Notification
This fact encourages organizations to develop programs and strategies in order to insure themselves against data security breaches. There are different types of measures to be taken, depending on the type of organization, its size, and its activities. The distribution of security measures in use looks like this:
Source: Absolute Software. Absolute Software Data Security Survey
Lots of companies nationwide come to the conclusion that developing data security policy is crucial for preventing data breaches. Andrew Burton, director of product management for the Information Foundation Group at Symantec, a Cupertino, California-based provider of security, infrastructure and protection solutions states that data breaches mostly occur if: “Either you're not securing things as well as you should, like laptops for example, or it's someone on the inside who's using information improperly”.
That is why companies are adopting security policies that encourage their personnel to take security measures in order to protect confidential data, and test employees' loyalty in order to prevent insider malfeasance.
Using security software and hardware that helps protect important data is another popular method of protecting sensitive data. There are technologies that allow storing, processing, and sending enormous amounts of data, and the contemporary level of technical development also allows doing it securely. Several companies in the U.S. and worldwide create technical solutions: portable devices that store sensitive information and digital credentials all in one device, allowing secure data transportation along with convenient usage.
For example, MXI Security developed a portable device for companies who have mobile employees. It is important for them to have access to sensitive information at any time and in any place to do their jobs. Of course they must keep all transactions secure. The device is intended for storing and carrying information and credentials, and can be used with any computer without software installation. PortAuthority, one of the U.S. security vendors, offers a hardware device used to prevent transmission of sensitive data via FTP, HTTP, e-mail, and even printers. At the same time it can block sensitive data, like SSNs or other personal information. Hardware devices for information protection are also available from Celestix Networks, Network Engines (based on ISA Server 2004), and other vendors.
Many software solutions exist to help companies protect the safety of their records. There are different types of security software. Some programs, like PGP Whole Disk Encryption, which is used by the bank to encrypt laptops and PDAs, or Utimaco SafeGuard Easy PC Security, protect the device (laptop, PC, or removable device) on which the information is stored.
There are software packages that let users encrypt files, folders or discs. Nevertheless, there are problems associated with using this type of software, as restoring data in case the password is lost or forgotten is impossible or very complicated. Therefore this type of software requires very well thought out key rotation and backup strategies. In the case of encryption keys, it is not a matter of calling the vendor or a locksmith to fix the mistake of losing or corrupting the key.
At the same time one can choose software that allows controlling all the processes that take place within the company's network. For example, the Websense Data Security Suite allows the administrator to find and classify the information stored within the network, monitor all communications via computer (e-mail, instant messaging, and Web), and follow the information flows in the company. This type of software may include proxy, encryption, firewall and many other security components. In addition, such products usually protect their users from losing information because of a lost or forgotten password.
The choice of security software depends on the size and type of organization, its profile and special needs, thus different companies may need different software. There are many security software vendors. The most popular consumer and commercial security software provider is Symantec with 56.5% of U.S. market share.
Chart: Retail security software market share, Jan-Sep 2007.
Source: Wilcox, J. Can Symantec Blame Microsoft?. Microsoft Watch
As already mentioned, data security breaches happen every day worldwide. While companies invent ways of fighting data breaches, fraudsters develop means to counter them and come up with new ways of stealing sensitive data. It often turns out that carrying out a security assessment, or ordering one from a vendor, is much cheaper than dealing with the consequences of a data breach. That is why regular security assessment is so crucial now. Some companies choose to carry out security assessments by themselves, using security assessment software and guides, while others use vendor services, like those of Security-Assessment.com, Sun Microsystems etc.
Losing data because of a security breach is certainly costly. That is why there is interest in a new National Union Fire Insurance Co. product. This company offers a security-risk policy called netAdvantage, which covers a company's expenses in case of a data breach. The latest version of this product even offers compensation for customer notification expenses, hiring a PR team to restore the bank's image after the crisis, Internet-media liability coverage etc.
"It may be a good idea for a smaller company to get that insurance and protect itself against wiping out an entire business in the case of a data breach," says Khalid Kark, a Forrester analyst. Nevertheless, experts doubt that demand for this product is going to be high, as most serious data breaches are attributed to retailers, and they are the ones who bear all the expenditures. Ultimately the fate of this type of insurance product will be determined by the legislation that regulates data breach responsibility and expenditures.
Personal data breach often results in significant financial losses for the victim. To prevent criminals from using the information they have obtained for causing financial damage, Texas Bankers Association has introduced Thumbprint Signature Program that prevents unauthorized usage of other persons’ accounts. The program includes about 120 Texas banks, none of which is ours, and many other institutions who work in order to combat fraud and deal with the consequences of data breach.
These institutions ask customers (non-account holders seeking to cash checks, or any person suspected of attempting fraud) to press a thumb on a small inkless touchpad and leave a thumbprint on the face of the check. Criminals seeking to commit fraud are unlikely to leave their thumbprints, and the ones who are foolish enough to cooperate provide police with data that makes it easy to deal with them.
The products offered under this program include touch pads, window displays and decals to indicate that the institution is participating, and Statement Stuffers - brochures that explain the mechanics of the program. The bank might wish to consider becoming a member of the Thumbprint Signature Program.
Despite the measures taken by our institution, or any other for that matter, data breaches still occur and become more widespread with every passing year. This proves that these measures are not enough to stop this wholesale fraud. Analyzing the statistics of data breach causes below should help to define the most widespread causes of data breach and the course of action to deal with them, or at least where to focus priorities first.
Statistics say that in 2006 only 15% of data breach incidents were performed by outside hackers. 10% are explained by insider malfeasance, human/software incompetence is responsible for another 20%, while thefts (40% laptop theft and 15% non-laptop) explain the remaining 55%. In the public sector this distribution was 13% for outside hackers, 5% for insider malfeasance, 44% of incidents happened because of human/software incompetence, and 38% were explained by laptop and non-laptop thefts.
Thus it is obvious that in most cases data loss is explained by negligence of security measures and incompetence. Only 13-15% of data breaches were caused by factors outside the organizations, the ones they could not influence directly except by enhancing database security measures. In all the other cases data breaches happened because the people who were responsible for them were negligent of the importance of the information they had to protect, or just did not know how to use the software/hardware intended to protect that data.
Data Breach Prevention – Course of Actions for Mid-sized Community Bank
As already mentioned, despite the great number of solutions that exist to prevent data breaches, the number of these crimes does not lessen. And, as the statistics show, it is mostly human factors that cause most data breach incidents.
Regardless of the numerous incidents discussed on the Web and in the press every day, many companies do not believe in the seriousness of this problem until they have to face it themselves. The crucial thing for dealing with data breach crimes is to understand that they are a real and serious problem that does not have a universal solution. In order to prevent data breaches a mid-sized company should implement a combination of prevention measures, including awareness campaigns, physical security measures, hardware protection, and a proper choice of security software.
The first problem that should be solved in order to secure a mid-sized community bank is to acknowledge the degree of seriousness of the problem on all the executive levels. All the employees should be informed about the meaning and consequences of data breach, and danger of exposing personal information to unauthorized persons. The bulk of breaches can ultimately be tracked to bad business practices, and it is impossible to change the company’s business culture without encouraging all the employees to support these changes.
Changing the way an organization treats information cannot be accomplished simply by making a decision at the organization's top-management level. Every employee should be acquainted with the new practices, and, moreover, she should understand the reason the changes occur and how these new standards will affect the level of the company's information safety. Mid-sized institutions have the means of implementing such a plan, as the number of their employees is not enormous, so that executive management can ensure every member of the staff understands the modifications implemented and is cooperative.
The second element crucial for preventing data breaches is the physical security of the places and devices where data is stored. Statistics indicate that almost half of data loss incidents happen because laptops, PCs and other information storage devices are stolen or lost. No cyber criminals, just ordinary burglars and thieves. That is why data security begins with office security. Here are a few tips from Secure IT Systems that may lessen the risk of encountering a data breach incident. They advise ensuring that:
Your site has a well maintained perimeter line with one main entrance/exit. This entrance should be controlled either by electronic means or by a security guard.
Keep bushes and other foliage down to a minimum height. This will help staff to keep a watchful eye on your grounds and cars and reduce any concealment for potential thieves.
Ensure walkways, car parks and other communal areas are well illuminated.
Access to buildings should be carefully controlled with all external entrances locked. A common ploy of thieves is to enter a building, scout around, then when challenged, state they are looking for work, make their excuses then leave, by which time they have a good account of the premises and its contents.
The building itself should be physically secure.
A good quality alarm system is essential, but only if it is connected to a 24 hour monitoring service.
A strong main entrance, controlled via intercom/CCTV, will provide some protection from unwelcome daytime thieves.
Provide a Panic Button facility for reception areas whereby a silent alarm may be raised during working hours.
Another important step towards information safety is providing physical security for the devices on which information is stored. All PCs, laptops, hard drives, flash drives and discs containing sensitive information should be kept in rooms that visitors do not enter. Another useful measure is to keep a record of all inventory, including models and serial numbers, and to mark the equipment with your company’s postcode.
One more feature that can help protect hardware from unauthorized access and theft is the computer lock that many modern PCs have. Usually the lock is a keyhole on the front panel, which allows a key to be turned to the locked or unlocked position. A PC key can prevent a wrongdoer from stealing the PC, manipulating or removing its hardware, and rebooting it from an external drive. Most of these locks are of low quality and can easily be broken with locksmithing tools, but using a screwdriver in a public place will inevitably attract the attention of those around.
Another helpful measure for protecting a PC or laptop from wrongdoers who are not IT professionals is setting a BIOS password. Every time the PC is switched on it will ask for the password before starting to boot the operating system. This will not pose a problem for an experienced attacker, since there are ways to bypass this protection, but most medium-level PC users will have to spend some time dealing with it.
It is also crucial for all employees to be told of the importance of locking their consoles when they leave their workplace, even for a short time, especially if they work with customers. All widespread operating systems, such as Windows, Linux or Mac OS, have a built-in facility for locking the console with a password.
Most of the measures listed above may seem too simple, even irrelevant to preventing data breaches, but they are genuinely effective, as most data loss incidents happen because of the human factor. These plain and relatively cheap measures can reduce the probability of a data breach several times over.
Even when all physical protection measures are taken, the possibility of data theft remains. A proper choice of security software can reduce it to a minimum. The best choice for mid-sized banks is software that incorporates all the important security functions, such as control over how information is stored, moved and distributed, oversight of employee communications and Web history, and, of course, antivirus and firewall.
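As an added illustration of what control over how information is moved and distributed means in practice, the following Python script (written for this report, not taken from any vendor's product) checks outgoing messages for payment card or account numbers using the Luhn checksum and holds a message for review when one is found. The sample messages are constructed; the card number in them is the widely published Visa test number, not a real account.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (which would be a reference
# number rather than a card or account number).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card and many account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid digit strings found in text, separators removed."""
    found = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample messages (assumed format: one dict per message).
# 4111 1111 1111 1111 is the public Visa test number, not a real account.
SAMPLE_OUTBOUND = [
    {"to": "friend@example.net", "subject": "quick favour",
     "body": "Can you put it on 4111 1111 1111 1111, exp 12/09? Thanks!"},
    {"to": "vendor@example.com", "subject": "invoice paid",
     "body": "Payment sent today, our reference is 1234567890123."},
]


def scan_outbound(messages: list) -> list:
    """Return (subject, masked numbers) for every message carrying a Luhn-valid number."""
    flagged = []
    for msg in messages:
        numbers = find_card_numbers(msg["subject"] + "\n" + msg["body"])
        if numbers:
            flagged.append((msg["subject"], [mask(n) for n in numbers]))
    return flagged


if __name__ == "__main__":
    for subject, numbers in scan_outbound(SAMPLE_OUTBOUND):
        print(f"HOLD FOR REVIEW: '{subject}' contains {', '.join(numbers)}")
```

About one in ten random strings of 13 to 19 digits passes the Luhn check, so transaction references will occasionally be flagged; the second sample message shows a reference that is not flagged, but a human reviewer, not the script, should make the final call on held messages.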
All devices, drives and/or folders containing sensitive information should be encrypted, and passwords should not be written down anywhere; the user has to remember them. System and encryption passwords should not be too short or easy to guess. Employees have to remember that their names, addresses, phone numbers or the names of their schools cannot be considered suitable passwords for protecting the personal records and financial information of thousands of people.
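The password rules above can be enforced at the point where a user chooses a password. The Python function below is an added example, not code from the original report or from any named product: it rejects passwords that are short, use too few character classes, contain a common password, or contain any four-character slice of the employee's name, address, phone number or school, even after common letter-for-digit swaps such as "M4ry". The employee profile, the policy thresholds and the short common-password list are assumptions constructed for the example.

```python
import re

MIN_LENGTH = 12      # policy threshold assumed for this example
FRAGMENT = 4         # any 4-character slice of personal data counts as a match

# Undo common letter/digit swaps so "M4ry" is compared as "mary".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed short list; a real deployment would use a full breach-derived list.
COMMON = ("password", "123456", "qwerty", "letmein", "welcome")

# Constructed profile standing in for an HR directory record.
EMPLOYEE = {
    "name": "Mary Johnson",
    "address": "42 Elm Street",
    "phone": "555-0142",
    "school": "Lincoln High",
}


def normalize(text: str) -> str:
    """Lower-case and undo leet substitutions so comparison is lenient."""
    return text.lower().translate(LEET)


def personal_fragments(profile: dict) -> set:
    """Every FRAGMENT-length slice of each word or digit run, forwards and reversed."""
    frags = set()
    for value in profile.values():
        for token in re.findall(r"[A-Za-z]+|\d+", value.lower()):
            for s in (token, token[::-1]):
                frags.update(s[i:i + FRAGMENT] for i in range(len(s) - FRAGMENT + 1))
    return frags


def check_password(password: str, profile: dict = EMPLOYEE) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    # Check both the raw lower-cased password and its leet-normalized form.
    variants = (password.lower(), normalize(password))
    if any(c in v for c in COMMON for v in variants):
        problems.append("contains a common password")
    hits = sorted(f for f in personal_fragments(profile) if any(f in v for v in variants))
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("Mary1!", "M4ryJ0hnson!2024", "Welcome2008!", "Tulip-Harbor-7x!q"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Slicing the profile into four-character fragments catches "John" inside "Johnson" and the reversed digits of a phone number; it also makes the check conservative, since a fragment of a common word in the address (such as "tree" from "Street") will reject an unrelated password, which is an acceptable trade for protecting records of thousands of customers.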
One thing that is essential to remember for keeping the company’s confidential information safe is that the fewer people have access to it, the safer it is. Only those who really need the information to perform their job should be given access. Every additional person who knows the passwords to the encrypted drives or folders increases the risk of exposing confidential information.
Data breach is a rapidly changing crime, and the system of prevention must also change in order to remain effective. It is therefore crucial to review the level of information protection regularly and to adjust the prevention policy as the data theft methods it defends against evolve.
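The need-to-know rule and the regular review described above can be carried out mechanically rather than by memory. The Python script below is an added example, not part of the original report: it compares which roles are supposed to need each encrypted share against who actually holds access, and flags grants to people whose role does not require the data, to people who have left the bank, and to accounts unknown to HR. The shares, roles, employees and dates are constructed sample data.

```python
from datetime import date

# Constructed data standing in for an HR export and a file-server ACL export.
NEED_TO_KNOW = {
    # share name -> roles whose duties require access
    "loan-files": {"loan officer", "credit analyst"},
    "customer-pii": {"compliance officer", "branch manager"},
}

EMPLOYEES = {
    # username -> (role, last working day or None if still employed)
    "alice": ("loan officer", None),
    "bob": ("teller", None),
    "carol": ("compliance officer", None),
    "dave": ("credit analyst", date(2008, 1, 15)),
    "erin": ("branch manager", None),
}

ACL = {
    # share name -> accounts currently granted access
    "loan-files": {"alice", "bob", "dave"},
    "customer-pii": {"alice", "carol", "erin"},
}

REVIEW_DATE = date(2008, 2, 26)   # assumed date of this review run


def review_access(need, employees, acl, today=REVIEW_DATE):
    """Return {share: [(user, reason), ...]} for every grant that violates need-to-know."""
    findings = {}
    for share, users in acl.items():
        allowed = need.get(share, set())
        for user in sorted(users):
            record = employees.get(user)
            if record is None:
                reason = "account not found in HR records"
            else:
                role, left = record
                if left is not None and left <= today:
                    reason = f"left the bank on {left.isoformat()}"
                elif role not in allowed:
                    reason = f"role '{role}' has no need for this share"
                else:
                    continue        # legitimate grant, nothing to report
            findings.setdefault(share, []).append((user, reason))
    return findings


def holders_after_cleanup(acl, findings):
    """Number of accounts that would keep access once the flagged grants are removed."""
    return {share: len(users) - len(findings.get(share, []))
            for share, users in acl.items()}


def run_review():
    """Run the review against the constructed sample data."""
    return review_access(NEED_TO_KNOW, EMPLOYEES, ACL)


if __name__ == "__main__":
    findings = run_review()
    for share, entries in findings.items():
        for user, reason in entries:
            print(f"REMOVE {user} from {share}: {reason}")
    print("holders after cleanup:", holders_after_cleanup(ACL, findings))
```

Run on a schedule (monthly is a common choice), the output is the list of removals to action and a headcount per share that management can watch trend downwards; a terminated employee who still appears in an ACL is exactly the gap a regular review is meant to close.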
It might be a good idea to create a persona or fictional character named something like PCI Man, a character that employees can relate to. He can be brought into meetings to lighten the message and create a memorable moment. He periodically sends e-mails reminding users of the basics, like “Don’t share your passwords”, “Send secure e-mails” and other easy-to-remember phrases. The basic intent of introducing PCI Man is to have a little fun while communicating the importance of security to every employee effectively.
Unfortunately, it is impossible to make 100% sure that sensitive information is protected. The fact is that if a cyber criminal is targeting specific information at a specific company, there is a great chance he will get it in spite of all the security measures. But such determination is quite rare among computer fraudsters. Mostly they look for databases with poor protection, or simply rely on the negligence of the company’s employees to steal the data.
In addition to all the measures taken to prevent a data breach, it is crucial to have a response plan in case one happens. Stroz Friedberg LTD, a consulting and technical solutions firm, advises that the response plan should:
Define appropriate lines of authority and responsibility within the team
Set general policy regarding contacts to or from law enforcement – taking into account legal, regulatory, strategic, and public relations considerations
Establish procedures relating to the timely assertion of claims under cyber-crime insurance clauses
Review internal policies and procedures relating to monitoring of employee data flow so that, in the event such monitoring is necessary, it can be done in a lawful and culturally acceptable manner
Review contract language with ASPs, web-hosting services, corporate two-way-paging device providers and other communications providers to permit appropriate access to information and systems that may be required in the event of an incident
If a data breach has happened in your organization, there are two objectives to pursue. The first is to close the security hole that allowed it to happen, and the second is to minimize the consequences of the breach. Thus the first two things to be done are notifying customers about the unauthorized exposure of their personal data, in order to prevent fraudulent use of this information and so lower the costs of dealing with it, and finding the source of the leak.
Once the source is detected, appropriate measures are to be taken to eliminate it. If it is a “hole” in the security system, it should be repaired; if the data loss was caused by insider malfeasance, the person should be terminated and law enforcement notified. If the data was stolen together with the device that bore it, measures should be taken to recover the device.
Data breach is one of the most widespread and dangerous cyber crimes of our times. It leads to substantial financial and reputational losses for institutions and individuals, enables identity fraud, and contributes to organized crime and terrorism. Various prevention measures are implemented by government, law enforcement, and individual institutions, but data breaches still happen every day. The solution for mid-sized banks is designing and implementing a complex of prevention measures, and having an effective response plan to deal with the consequences of a data breach in case it occurs.
Faulkner, B. “Hacking Into Data Breach Notification Laws”. Florida Law Review no. 5 (2007). www.floridalawreview.org/dec07/Faulkner_A2.pdf (accessed 26 February 2008)
California Civil Code 2007. Berkeley: West Group, 2007, § 1798.80
Zinkewicz, P. “Identity Theft”. Rough Notes, June 2007. http://findarticles.com/p/articles/mi_qa3615/is_200706/ai_n19432730 (accessed 26 February 2008)
Goodman, M. “Why the Police Don’t Care About Computer Crime”. Harvard Journal of Law & Technology no. 10 (1997): 468–69
Economic Crime Institute. Identity Fraud – a National and Global Threat. A Joint Project of the Economic Crime Institute of Utica College and LexisNexis, a Division of Reed Elsevier Inc., 2003, p. 4. Available from LexisNexis Academic Universe, http://www.lexisnexis.com/about/whitepaper/IdentityFraud.pdf (accessed 26 February 2008)
Smedinghoff, T. “The Challenge of Electronic Data: Corporate Legal Obligations to Provide Information Security”. The Wall Street Lawyer, March 2006.
Privacy Rights Clearinghouse. “A Chronology of Data Breaches”, 2008. http://www.privacyrights.org/ar/ChronDataBreaches.htm (accessed 26 February 2008)
ChoicePoint Authentication Solutions. “ProCheck”, 2005. http://www.choicepoint.com/authentication/common/pdfs/ProCheck.pdf (accessed 26 February 2008)
Rosenberg, B. “Chronology of Data Breaches 2006: Analysis”. Privacy Rights Clearinghouse website, 2007. http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm (accessed 26 February 2008)
Federal Trade Commission. “Privacy Initiatives”. http://www.ftc.gov/privacy/ (accessed 27 February 2008)
American Bankers Association. “Data Security & Customer Notification Requirements for Banks”, 2008. http://www.aba.com/About+ABA/datasecuritynotification.htm (accessed 27 February 2008)
State PIRG Consumer Protection. “State PIRG Summary of State Security Freeze and Security Breach Notification Laws”, 2006. http://www.uspirg.org/financial-privacy-security/identity-theft-protection/summary-of-state-laws (accessed 27 February 2008)
Swann, J. “Business Practices and Policies Key to Stopping Data Breaches”. Community Banker, 2007
“Data Security Breach – Don’t let your company be named in the next data security breach headline”. CXO America, 2007. http://www.cxoamerica.com/pastissue/article.asp?art=270120&issue=202 (accessed 27 February 2008)
Messmer, E. “Hardware helps protect sensitive corporate data”. Network World, 2006
The University of Nottingham. “Encryption & Backup of data stored on laptops & other Mobile devices”, 2007. nottingham.ac.uk/is/support/knowledgebase/guides/IS4012.pdf (accessed 27 February 2008)
Websense. “Data Security Suite”, 2008. http://www.websense.com/global/en/ProductsServices/DSS/ (accessed 27 February 2008)
“Cyber Security: Data Breach Insurance Gains in Popularity”. Bank Technology News, June 2007
Texas Bankers Association. “Thumbprint”, 2008. http://www.texasbankers.com/products_thumbprint.php (accessed 27 February 2008)
Secure IT Systems. “Security Tips”, 2003. http://www.secureit.co.uk/MenuServices/advice.htm (accessed 27 February 2008)
Fenzi, K., Wreski, D. “Linux Security HOWTO”. Linuxtopia, 2005. http://www.linuxtopia.org/Linux_Security_HOWTO/ (accessed 28 February 2008)
Stroz Friedberg LTD. “Cybercrime Response Plans”, 2007. http://www.strozllc.com/services/xprServiceDetail1.aspx?xpST=ServiceDetail&service=21 (accessed 28 February 2008)
Ponemon Institute. “National Survey on Data Security Breach Notification”, 2005. rsaconference.com/uploadedFiles/RSA365/ESAF/2006_Archives/Sept2005_Security_Breach_Survey_Ponemon.pdf (accessed 26 February 2008)
Absolute Software. Absolute Software Data Security Survey, 2007. http://blog.absolute.com/absolute-software-data-security-survey/ (accessed 26 February 2008)
Faulkner, B. “Hacking Into Data Breach Notification Laws”, 1105–1106.
Cal. Civ. Code, § 1798.80.
Zinkewicz, P. “Identity Theft”, 2007.
Goodman, M. “Why the Police Don’t Care About Computer Crime”, 468–69.
Economic Crime Institute. Identity Fraud – a National and Global Threat, 4.
Ibid., 5.
Ibid., 8.
Smedinghoff, T. “The Developing U.S. Law: Corporate Legal Obligations to Provide Information Security”, The Wall Street Lawyer, 2006.
Faulkner, B. “Hacking Into Data Breach Notification Laws”, 1100.
Ibid., 1104.
Ibid., 1101.
Privacy Rights Clearinghouse. “A Chronology of Data Breaches”. http://www.privacyrights.org/ar/ChronDataBreaches.htm
Faulkner, B. “Hacking Into Data Breach Notification Laws”, 1100.
Ibid., 1102.
ChoicePoint Authentication Solutions. “ProCheck”.
Rosenberg, B. “Chronology of Data Breaches 2006: Analysis”.
Federal Trade Commission. “Privacy Initiatives”. http://www.ftc.gov/privacy/
American Bankers Association. “Data Security & Customer Notification Requirements for Banks”, 2008. http://www.aba.com/About+ABA/datasecuritynotification.htm
State PIRG Consumer Protection. “State PIRG Summary of State Security Freeze and Security Breach Notification Laws”, 2006. http://www.uspirg.org/financial-privacy-security/identity-theft-protection/summary-of-state-laws
Swann, J. “Business Practices and Policies Key to Stopping Data Breaches”, 2007.
The University of Nottingham. “Encryption & Backup of data stored on laptops & other Mobile devices”, 2007. www.nottingham.ac.uk/is/support/knowledgebase/guides/IS4012.pdf
Websense. “Data Security Suite”, 2008. http://www.websense.com/global/en/ProductsServices/DSS/
“Cyber Security: Data Breach Insurance Gains in Popularity”, 2007.
Texas Bankers Association. “Thumbprint”, 2008. http://www.texasbankers.com/products_thumbprint.php
Goodman, M. “Why the Police Don’t Care About Computer Crime”, 468–69.
Swann, J. “Business Practices and Policies Key to Stopping Data Breaches”, 2007.
Secure IT Systems. “Security Tips”, 2003. http://www.secureit.co.uk/MenuServices/advice.htm
Fenzi, K., Wreski, D. “Linux Security HOWTO”. Linuxtopia, 2005.
Stroz Friedberg LTD. “Cybercrime Response Plans”, 2007. http://www.strozllc.com/services/xprServiceDetail1.aspx?xpST=ServiceDetail&service=21