How Much is Too Much Data Loss?

Congress returned this week to a burgeoning issue likely to concern the financial health of millions of Americans: What can be done about skyrocketing incidents of identity theft and data loss?

But even before representatives could haul the first Fortune 500
executive in front of a microphone on Thursday, media conglomerate Time
Warner announced the mysterious disappearance of 600,000 names and Social Security numbers of workers dating back to 1986.

And the list of companies reporting breaches reads like a “Who’s Who” of
industry. The most notable of the recent mishaps include the disappearance
of Bank of America backup tapes containing the credit card information of 1.2 million
federal workers, the theft of more than 300,000
customers’ personal information at Reed Elsevier, a subsidiary of data broker
LexisNexis, and the loss of transaction data belonging to around 180,000
customers of fashion house Polo Ralph Lauren.

A string of universities also
has fallen victim to breakdowns in the past few months.

At best, these occurrences appear to have increased because of recent
“full disclosure” laws, security experts say.

At worst, experts believe criminals consider identity theft an
easy mark: a way to make a lot of money by taking advantage of an imperfect
system, one in which no one ever thought there was a problem.

Now, thieves continue to snatch Social Security numbers at will and are becoming more aware of the enticing targets.

“That seems beyond comprehension to me that that happened with one of the
biggest banks in the country,” said Senator Jim Bunning (R-Ky.).

His comments came in mid-March and, as reported by, he was grilling Barbara Desoer, a Bank of America executive vice president, in a Senate Banking Committee hearing.

“Five, maybe 10, but 1.2 million [accounts]?”

Maureen Kelly, director of product marketing at data-loss prevention firm
Vontu, believes a combination of actions has created this perfect
storm, setting forth an unprecedented amount of theft and media coverage and
creating an image of the business community in disarray.

“The black market for this type of information is there and continues
to grow,” she said, “and criminals are realizing what they can do quickly
with the information.”

The breach disclosure bill making its way through the House and Senate
is based on California’s legislation, which requires a business or government agency to notify an individual in writing or by e-mail when it is believed that
unencrypted personal information has been compromised.

And those numbers are huge. Nearly 10 million Americans were victims of
ID theft last year, according to the Better Business Bureau.

Marcie D Terman, director of business development at DataFort, says that
is just the tip of the iceberg, and warns that more SMBs are failing to
cope with this issue. And it isn’t just on a technological level.

The approximately 40 backup tapes lost by Time Warner went missing while
on the back of a truck in transit to a storage facility.

This type of information has a way of going missing in numerous ways,
said Kelly. Either hackers try to steal it, employees pilfer the
information or companies simply don’t have the appropriate standards in
place to deal with the important information.

According to the Gartner Group, 70 percent of security incidents that
occur are inside jobs, making the insider threat arguably the
most critical one facing enterprises.

“One out of every 500 e-mail messages contains confidential information,
customer data, employee data, financial information, intellectual property
or competitive information,” said Kelly. She offered another way to look at it:
a company with 50,000 employees, each sending 10 e-mail messages outside the
company per day, would incur nearly 1,000 potential data security violations
per day.

The Ponemon Institute, a private research company, recently released its
2004 Data Security Tracking Study with alarming results. Of the 163
companies participating, 75 percent, or 122 companies, reported a data-security breach within the past 12 months. The majority of the companies were Fortune 1000.

A recent survey by the FBI and Computer Security Institute found that
between 2000 and 2003, about 40 percent of all companies confronted an attempted
information snatch each year.
