By DAN REYNOLDS, senior editor
From a statistical standpoint, if your company hasn't yet had a technology security breach or had at least one employee or client victimized by identity theft, you can rest assured that you are going to face one event or the other and probably sooner rather than later.
According to the San Diego-based nonprofit Identity Theft Resource Center, the 449 data breaches reported by U.S.-based companies as of Aug. 22, 2008, had already surpassed the 2007 total, which stood at 446 at year-end.
In reporting its statistics, the center says it does not want to place an inordinate amount of weight on the number of records that businesses are saying have been exposed in each incident. Nor does it want to represent the late August total of 449 as being a scientific representation of the scope of the problem.
There is a good reason for this, according to the center. In more than 40 percent of the breach cases that the center is aware of, the number of records exposed appears to be either underreported or not reported at all.
Many states require that businesses report data breaches, but not all of them do, and there is no federal reporting requirement yet anyway.
But regardless of the competency of governmental oversight, the exposures from identity theft or data breaches are serious. Sensitive medical records or financial data in the wrong hands can lead to losses both material and reputational.
The Identity Theft Resource Center list is compiled from media reports, state agencies that monitor breaches and a small army of Web-based efforts that are reporting on this plague.
And now for some really bad news, according to a Baltimore-based insurance industry and risk management veteran.
Peter Teuten, the president and chief technology officer of Keane Business Risk Management Solutions, says that, according to Madrid-based anti-virus technology provider Panda Security Internacional, the company uncovered 300,000 malware samples in 2006 and 2007, but as of the late third quarter of 2008 that number had ballooned to 2.5 million.
"They have seen incidents where 500,000 malware samples were created overnight," said Teuten, a former managing director with Teuten Butcher Jones Ltd.
So, the threat to data is growing and growing rapidly.
Companies that want to be proactive have plenty to do, according to Teuten. But none of it is so complicated that any company will have a good excuse not to have done it.
The three steps of measurement, management and monitoring provide a straightforward way to look at the challenge, according to Teuten.
"Those three components indicate in a mature business environment that data needs to be retained for those purposes, and the creation of significant amounts of data needs to be properly orchestrated so that the security surrounding those data allows them to be utilized for the reasons that they were retained in the first place other than destructive or malicious intent," said Teuten.
And as individual states and the federal government become more aggressive in asking businesses to report data breaches, a clear, companywide policy concerning transparency is in order, he said.
"Transparency involves not only reporting but it is the evidentiary angle to make a business defensible in best practices. The best practice is if things go wrong you need to be overt and communicative within the parameters of your risk tolerance to your regulators, to your boards of directors, your partners, your shareholders and your customers," said Teuten.
And that means support from the top down for a system where there is a core group of communicators in the event of a breach caused by hacking or some other act that could compromise data.
That also means being able to articulate not only that a breach has occurred but also to show stakeholders the measures the company took to control its data.
November 1, 2008
Copyright 2008© LRP Publications