High-profile breaches, such as the loss of mountains of consumer data from TJX last year and Hannaford Brothers this year, show that, at least to some extent, those screaming for companies to take better care of their data are wasting their breath.
The idea that such sloppiness will lead to lost customers is intuitive. But just how high is the price for the loss of data?
According to the Ponemon Institute, it's pretty high. The organization, in research sponsored by ID Experts, says that almost one-third of customers notified of a breach walk away from the company.
The survey, which quizzed 1,795 people, found that 63 percent received no direction, in the letters informing them of the breach, on what they should do to protect their assets. The reality is that losses are occurring at a rapid pace: 83 percent of respondents received one notification in the past two years and 47 percent more than one. More than half said that the notification came more than a month after the breach. Seventy-one percent said it should come within a week.
The chronic nature of the problem goes way beyond Hannaford and TJX. There are many incidents that don't generate headlines. Indeed, the troubling issue is that losses are so common that they attract almost no attention outside the communities in which they occur.
Since colleges are dedicated to learning, it would seem that they would be more likely than other organizations to learn from the past. Apparently, this isn't the case. Dark Reading says that two schools -- the University of Miami and the University of Virginia -- were victims of data loss. UM said last week that it lost backup tapes with medical data and Social Security Numbers for more than 47,000 people. At UV, the theft of a laptop with information on more than 7,000 staff, students and faculty was made known last week. The school was hacked last year and information on 5,735 people was compromised, the story says.
Another security meltdown occurred in Indianapolis, where data on 700,000 people was stolen from a collection agency. The theft happened in late March. A representative of the company from which the data was stolen said that the machines were password-protected. He said nothing about encryption, however, so it is a good bet that the information was in the open: a login password on a stolen machine does nothing to protect data that sits unencrypted on its disk.
Insurance companies also would figure to be careful. Again, the reality sometimes doesn't match. WellPoint, which this piece says is the largest health insurer by membership in the United States, lost Social Security Numbers and pharmacy or medical data for 128,000 customers during the past year, the company said.
The bottom line is that most people still are not paying attention. That makes this piece -- a review of nine steps that can be taken to protect internal data -- worthwhile. The writer suggests up-to-date antivirus software; firewalls; intrusion detection systems; backing up data; wireless security; application security; biometric security; updating software; and guarding against social engineering attacks. There is nothing new in the list. What would be new -- and extremely welcome -- is people actually taking these steps in a consistent fashion.
Companies should think proactively about their reaction to a data breach. This very informative article at the Wisconsin Technology Network discusses preparing for a breach. This includes having a set communications strategy, an existing relationship with the media, and a plan for how much information to release. Withholding too much can cast the company in an unnecessarily poor light, but releasing too much is dangerous, especially if the vulnerability still exists.