Recently, I have given several presentations about the European Union’s General Data Protection Regulation (GDPR). A common question that arises is whether we should expect a similar data protection regulation in the US.  

This morning, an interesting article on the subject crossed my desk: “No more waiting: it’s time for a federal data breach law in the U.S.”

A few excerpts:

With the recent passage of data breach notification laws in Alabama and North Dakota, all U.S. states and the District of Columbia now require that companies let us know when our personal data are breached. It only took 15 years.

Notably, states overwhelmingly require notification only if some sort of financial data or password information is involved. That’s a problem because data breaches often entail other kinds of harm. A better, more rights-respecting standard — one that could be incorporated into existing state standards and a new federal law — would require companies to notify us of breaches of our personal information tied to other harms.

It is crucial that any new federal standard does not prevent states from adding protections. A federal breach law should create a floor of minimum standards that companies must meet, not a ceiling prohibiting tougher state enforcement.

Members of Congress have already proposed a number of data breach notification laws, but while some proposals are better than others, none have been great for the people these laws are supposed to protect. Even one of the better efforts had provisions to preempt stronger state laws. As we wait for the right bill, ordinary people remain vulnerable and without sufficient redress under many state laws.

It seems to me that demand in the US for privacy protection in general and breach notification in particular has lagged such demand in Europe, probably because of difference in culture and political philosophy.  However, due to the increaser in high-profile data breaches in the last couple of years, I expect we will see federal legislation fairly soon. 

 

In 1726, Daniel Defoe stated, in The Political History of the Devil, “Things as certain as death and taxes, can be more firmly believed.”

Yesterday, 290 years later, I heard an Oracle colleague add a third certainty, “Now three things in life are certain: Death, Taxes and Data Breaches!“

How will you cope?

The new Verizon 2015 Data Breach Investigations Report has been published.

It is interesting to note … 

The year 2014 saw the term “data breach” become part of the broader public vernacular, with The New York Times devoting more than 700 articles related to data breaches, versus fewer than 125 the previous year.

And there are undoubtedly more to come. Consider one of the scariest charts in the report:

[The chart] contrasts how often attackers are able to compromise a victim in days or less (orange line) with how often defenders detect compromises within that same time frame (teal line). Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders.”

Enjoy the read! We in the information security industry have a lot of work to do.

Pastebin reported this morning that a repository of all credit card PIN codes had been leaked.  Here is a small sample of the leaked data.

The big question is, “To change, or not to change my PIN?”

The recent security breach affecting Sony Corp’s PlayStation network, is receiving high profile attention. As reported by Nick Wingfield in today’s Wall Street Journal:

Two U. S. Congress members are asking Sony Corp. to explain its handling of the recently disclosed data breach involving its PlayStation Network, one of the largest data thefts in history.

 

On Friday, Rep. Mary Bono Mack (R., Calif.) and Rep. G.K. Butterfield (D., N.C.), members of a Congressional subcommittee on commerce, manufacturing and trade, asked Kazuo Hirai, the head of Sony’s videogames division, to address their concerns. The letter asked when Sony first learned of the recent breach, why it waited days to notify its customers, and how Sony intends to prevent further breaches in the future.

Sony has said the breach occurred earlier this month and resulted in the loss of names, addresses and possibly credit card numbers associated with 77 million accounts on its online game network. While Sony and law enforcement officials haven’t addressed whether they have any suspects in the intrusion, one prominent target of a past Sony legal attack over a hacking incident denied any involvement in the data theft.

…

 

Sony hasn’t said what the financial impact from the data intrusion will be. Larry Ponemon, founder of a firm called the Ponemon Institute that analyzes the costs of data breaches, estimated it could run as much as $1.5 billion, including everything from Sony’s own forensic investigation, to the diversion of Sony personnel from their regular responsibilities to the cost of making amends to customers with free offerings.

This little video states a pretty good case for making sure those responsible for database administration shouldn’t have free rein over the information those databases contain.

That, and maybe the guy needs a bit of common sense …

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide.

The Open Security Foundation, as well as our volunteers, feel that there is a distinct need for tools that provide unbiased, high quality data regarding data loss. There are no other open, downloadable, machine parse-able resources out there that facilitate research into this subject matter. By providing this sort of resource, we feel we can help accomplish the following:

• Improve awareness of data security and identity theft threats to consumers.
• Provide accurate statistics to CSO’s and CTO’s to assist them in decision making.
• Provide governments with reliable statistics to assist with their consumer protection decisions and initiatives.
• Assist legislators and citizens in measuring the effectiveness of breach notification laws.
• Gain a better understanding of the effects of, and effectiveness of "compliance".

The following column shows the latest Data Loss incidents:

I learned an astounding bit of statistics yesterday in a webcast presentation by Andrew Jaquith, Senior Analyst, Forrester Research.  Using source data from DatalossDB.org, Andrew reported that in 2009, 138 million data records were breached.  By any measure, that’s a lot of data, resulting in large financial losses to corporations and lots of consternation to individuals whose identities may be included in those data breaches.

Did the majority of these losses result from stolen or lost laptops or thumb drives or backup tapes that fell off the truck? 

Surprisingly, NO! Of the 138 million breached records, a full 133 million breached records occurred at the server level.

Reinforcing this concept, the Verizon 2010 Data Breach Investigations Report stated that compromises of database servers comprised 25% of breaches, but 98% of total records.

So, while we may hear about more case of data breaches occurring from edge devices, the real challenge is protecting the core database from threats.

This reminds me of the Henry David Thoreau quote: “There are a thousand hacking at the branches of evil to one who is striking at the root.”

Dave Kearns of Network World posted a thought-provoking article today,  “Data breach demonstrates need for access control policies.”

Highlighting a case where a tax collector in British Columbia, Canada, used government computers to look up “private tax files of hundreds of high-income individuals, apparently in the hopes of hitting them up for a business she ran on the side,” Dave observed:

There are so many things wrong here.

1. Why weren’t controls in place to prevent, or at least raise a flag, when an agent accessed files randomly? Were they at least audited?
2. Why did it take four years for someone to realize that there were shady dealings going on?
3. How did CRA determine the "risk of injury"?
4. Why aren’t the affected parties notified whenever there’s a breach?

In light of increasing government regulations covering data breaches, and hard evidence that the number of data breaches continues to grow, companies can be well-advised to

“review your governance, oversight and access control policies now — before your organization features prominently (and ashamedly) in a newspaper headline!”