
The Irony of Government Solutions to Data Breaches


The U.S. Attorney General, Eric Holder, urged Congress to pass Federal laws to regulate how retail outlets handled data breaches. This was in response to the breach at Target where hackers stole credit card information from customers in December of 2013.

Holder stated that retailers who fail to protect data should be held liable. He also stated that a Federal law would assist law enforcement with prosecution.

At first glance, it may seem like a good idea. After all, we all deserve to have our identities protected when shopping. However, several questions come to mind. As is so often the case with good intentions, the results may not be everything hoped for.

First, there is a problem with where the blame is focused. Too often, we see cases where the victims are held liable for the actions of crooks. By holding the retailer accountable, the focus shifts to punishing the victim organization rather than focusing on the criminals behind a breach. This same mentality is used at local levels, such as when police will patrol neighborhoods on cold mornings looking for “puffers.” These are cars that someone starts to warm up while waiting inside. True, there are suspects who will steal the warming cars. If the police can take the time to stop and write parking tickets to the would-be victims, then wouldn’t that time be better spent looking for suspicious people hanging out in the areas where the cars are being stolen? Education about the risks and ways to protect yourself, rather than blaming victims, is a much better approach. Of course, as with any harmful event, there is the risk of a company being held liable, especially if the data protection measures were negligent or lacking. Assuming appropriate measures were in place, blaming the organization is counter-productive.

[Image from Wikimedia Commons]

Second, it is ironic that the government would be in a position to dictate what standards other industries should follow. After all, one of the most famous data breaches is the government’s own loss of hundreds of thousands of confidential documents to a contractor, in the case of the National Security Agency and Edward Snowden. It hardly instills confidence in a government solution.

Third, I am doubtful that establishing Federal standards would provide any real assistance to local police. Local jurisdictions do not have the legal ability to enforce Federal laws and Federal prosecutors are often swamped and, in my experience, will not even touch smaller cases. There would be benefit with information sharing between local law enforcement to facilitate investigations, but in many computer crimes, the suspects are out of the country and there is no way local police can ever prosecute. I would like to see more of the details about how these cases could be investigated with a successful prosecution before just accepting that another political solution would actually achieve any benefit.

Last, most states already have laws related to how companies need to respond to and address data breaches. A new Federal mandate could override state laws and might not be as effective as the current law. Plus, any time there are legal changes, there will be additional costs and those will ultimately be passed onto the consumer. There are already limits on how much consumers can be liable for in regards to identity theft. New laws or changes could potentially be more costly to the consumer, the very group these laws are designed to protect.

Too often, when there is a real problem to address, the knee-jerk reaction, especially of politicians, is to announce solutions that may or may not work. As always, look at the goals and the consequences of new measures. These decisions should be carefully vetted and reviewed and the best course of action taken for the good of all, not just as a ‘feel good’ idea. Keep the focus on stopping criminals, not finding someone else to blame.



Eric Smith, CPP is the leading authority on organizational self-defense. He has extensive experience in law enforcement as well as security management. Eric is available for staff education and security awareness training as well as business coaching to help organizations provide safe workplaces. To learn more email Eric at businesskarate dot com.


 

If you would like to reprint this post, please contact Eric at Eric at businesskarate dot com.



Corporate Spies and Protecting Proprietary Information

Secret bank accounts in Swiss banks; foreign governments; the selling of top secret information and the hint of international intrigue – all combined for what could be a Hollywood thriller, except that it is all based on recent news stories.

The Wall Street Journal and Bloomberg business news reported on the developing story of corporate espionage at Renault, the French automaker. Three of the company’s executives are being charged with corporate espionage after reportedly selling information on Renault’s electric car. According to one article, Renault has invested over $5 billion in developing electric car technology.

So far, the details are sketchy about what exactly happened. Reports indicate that a Chinese company may have made payments into the bank accounts of at least two of the executives. Adding to the damage, the French government is the largest shareholder of Renault, making this more of a spy operation between two governments than two competitors looking for an edge.
What lessons can be learned?  And I know what you are thinking…my company doesn’t deal in high-tech products; no one would care about what we do.  Wrong.  Virtually every business and organization has information that, in the wrong hands, could impact their competitiveness or damage their corporate reputation.
Let’s take a look at another big news story this week. In Arizona, there was the shooting that left 6 people dead and several, including a congresswoman, injured. In the aftermath, three employees of the hospital where the victims were being treated were fired for unauthorized access to patient health information (PHI). It does not appear that anything was actually released, but this is a clear example of another type of proprietary information. The information may have been accessed out of sheer curiosity, or it could be that some news agency might have been willing to pay for a ‘scoop’ on a patient’s condition. This is a risk any time a hospital has a VIP patient or even a deceased victim. Think of all the media attention around Michael Jackson’s death and the money that might have been paid for exclusive photos of his body.
Here are two very different industries and two very real examples of proprietary information and the potential damages.
And what if your business or company provides a service or product that is seen as a commodity…there is no value in any company information at all, right? In this type of case, your proprietary information may be even more valuable. For a ‘commodity’, price may be one of your strongest competitive edges, especially when bidding for a contract renewal or for new business. If you went into a sales presentation and knew exactly what your competitor was going to present and exactly what their price model was, wouldn’t you be able to adjust your bid to guarantee winning the business? Along these lines, wage information, benefits to employees, training topics and costs, manufacturing techniques and vendor information can all become valuable items to know about competitors.

To prevent the loss of the information, a full risk assessment should be done. Identifying all critical information is part of that, followed by identifying how that information is exposed and what threats can take advantage of the exposure.

The easy way to look at risk is this: risk is what you face when a threat exploits a vulnerability to put a critical asset in jeopardy.
The real challenge comes with protecting information.  There are so many different ways to access and steal it, as we saw not long ago with the Wikileaks scandal.  The tricky part is that for the information to be of value, the employees of an organization have to have access to it.  The executives in the Renault case were responsible for upper level management positions, including heading up new product development.  This story will be worth watching to learn more about how the theft was uncovered, leading to a five-month long investigation.
In the case of the hospital in Arizona, it is very likely that the hospital’s IT department had some measures in place to see who was accessing electronic medical records. Since this was a high-profile incident, I imagine that more attention was given to tracking access to any related victims. As soon as any employee other than those who “needed to know” accessed the information, the IT department could quickly check whose credentials or login had been used and close that avenue of potential loss.
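The kind of need-to-know check described above, written out as an added example (this is not code from the original post or from any hospital system, and the log format, user names, patient IDs and care-team lists are all constructed for illustration): each access to a flagged patient’s record is compared against that patient’s care team, and anything outside it is reported, with exports and printouts ranked above simple views.

```python
"""Added example: flag accesses to a high-profile patient's record by staff
who are not on that patient's care team.  Log format, names and IDs are
constructed (hypothetical), not taken from any real system."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed audit log lines. Hypothetical format: timestamp|user|patient|action
SAMPLE_LOG = """\
2011-01-09T08:02:11|dr_reyes|P-1001|VIEW
2011-01-09T08:05:40|rn_patel|P-1001|VIEW
2011-01-09T08:07:02|clerk_jones|P-1001|VIEW
2011-01-09T08:09:15|rn_patel|P-2002|VIEW
2011-01-09T08:11:30|tech_lee|P-1001|PRINT
2011-01-09T08:12:00|clerk_jones|P-1001|VIEW
bad line that should be skipped
2011-01-09T08:15:45|dr_reyes|P-3003|VIEW
"""

# Constructed watch list: flagged (VIP) patient -> users with a need to know.
# Patients not in this dict are not monitored by this check.
CARE_TEAMS: Dict[str, Set[str]] = {
    "P-1001": {"dr_reyes", "rn_patel"},
}

# Actions that move data off the screen are ranked higher than a plain view.
HIGH_RISK_ACTIONS = {"PRINT", "EXPORT", "DOWNLOAD"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    patient: str
    action: str


@dataclass(frozen=True)
class Finding:
    event: AccessEvent
    severity: str  # "high" for PRINT/EXPORT/DOWNLOAD, otherwise "medium"


def parse_log(text: str) -> List[AccessEvent]:
    """Parse pipe-delimited audit lines; malformed lines are dropped, not guessed at."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or not all(parts):
            continue
        ts, user, patient, action = parts
        events.append(AccessEvent(ts, user, patient, action.upper()))
    return events


def find_unauthorized_accesses(
    events: List[AccessEvent], care_teams: Dict[str, Set[str]]
) -> List[Finding]:
    """Return every access to a flagged patient by a user outside that patient's care team."""
    findings: List[Finding] = []
    for e in events:
        team = care_teams.get(e.patient)
        if team is None or e.user in team:
            continue  # unmonitored patient, or a legitimate need-to-know access
        severity = "high" if e.action in HIGH_RISK_ACTIONS else "medium"
        findings.append(Finding(e, severity))
    return findings


def summarize_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per user so repeat offenders stand out for follow-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.event.user] = counts.get(f.event.user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthorized_accesses(parse_log(SAMPLE_LOG), CARE_TEAMS)
    for f in hits:
        print(f"{f.severity:6} {f.event.ts} {f.event.user} {f.event.action} {f.event.patient}")
    print(summarize_by_user(hits))
```

The check deliberately only fires for patients on the watch list, which matches the post’s point that extra attention is applied to the high-profile cases; the per-user summary is what an IT department would hand to HR or security to identify whose credentials were used.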
So what were those lessons learned?  Spy-proof your business with these four steps:
1. Identify critical information – think about what your competitors would want to know about you and what you want to know about their business.

2. Review how that information could be vulnerable. Look at how it is stored, electronically and in hard copy. Is it on a server or a specific PC that could be stolen? Could the data be emailed off your network?

3. Evaluate the potential threats – usually, in these cases, employees. Do key employees face regular background checks or screening? Consider looking at credit issues as well. Don’t assume that because an employee is higher in the organization they are more trustworthy. In the Renault case, the theft occurred at the executive level, not in the mail room. Think past criminal intent – employee carelessness with data or falling for social engineering (obtaining information under false pretenses) are other possible threats.

4. Take action to minimize the risk from the threats. This sounds obvious, but it is probably the biggest mistake that companies make. A nice risk or security assessment may be done and all the documentation completed, but no follow-up action is taken. It is not in the budget, or no one is given the responsibility, or worse, no one cares enough until after an incident happens.

Remember, your proprietary information, no matter what form it takes or what industry you are in, will be of value to someone – the only question is whether it stays your valuable information or you give it to your competitors for free.

_____________________________________________________________
Read a follow up post, "License to Fool: Renault Spy Case Takes Another Twist"