Small Business Toolbox

A library of business management info

Protecting Your Small Business Against Data Theft
02/22/2008

by Pamela Mills-Senn

The article appearing in the Feb. 16 edition of the Los Angeles Times newspaper undoubtedly instilled panic, or at least severe unease, into employees of that city's Department of Water and Power. A laptop computer containing the private financial data of every DWP employee—such as Social Security numbers, employee identification numbers and deferred compensation balances—had been stolen from a private contractor hired by the department to provide benefits statements. The computer also contained information on retired employees. Now, even though the data was reportedly encrypted, the utility has agreed to pay for credit monitoring services for its 8,275 employees.

That's expensive, no doubt, and it has severely undermined the trust between employees and the department (and raised the ire of the union representing the workers), but it's small stuff compared to what happened when national retailer TJ Maxx experienced a data breach, says Oliver Brew, vice president of technology, media and telecommunications underwriting for Hiscox Inc., a specialty insurer based in Armonk, N.Y., that offers privacy protection policies.

"The origin of this data breach was a wireless network that had been compromised," he says. "This breach went undetected for 18 months. Customer credit card information was stolen and sold; there were transactions taking place as far away as China.

"Now there are 21 different class action suits against the company, which has set aside $21 million of funds for remedial work," Brew says.

If TJ Maxx learned a hard and surprising lesson about the costs of a data breach, they're not alone. Most business owners don't fully appreciate the impact of this event, says Jon McDowall, partner with the Fraud Resource Group, an investigation, consulting and expert witness firm located in Davenport, Iowa.

"Most business owners fail to grasp the scope, costs and risks of these frauds when it comes to their businesses," McDowall says. "The US Department of Treasury concluded over a year ago that online fraud was as profitable as the global illegal narcotics trade—estimated in the hundreds of billions to low trillions of dollars annually. A recent FBI study concluded that 90 percent of all businesses are vulnerable to identity-related frauds and the overwhelming majority of these result in significant non-budgeted expenses."

Business owners are legally required to protect customer and employee personal information and can face significant state and/or Federal fines if they're found to be non-compliant and privacy is compromised, says Brew.

He mentions one bill—the 1798 Data Breach Notification Legislation—which started in California and has now spread to 35 states. Broadly, this requires companies who do business in those states to notify all customers who may have been victims of a breach, although there are differences between the states.

The second bill, which at the time of this writing is working its way through Congress, seeks to make the state laws uniform and to expand notification to include various agencies. This Federal bill also imposes fines and penalties on companies.

There is also FACTA (Fair and Accurate Credit Transactions Act), says McDowall.

"Many business owners don't know that under FACTA all businesses in the U.S. are required to shred or thoroughly destroy anything of a sensitive nature," he explains. "Others may know the various laws addressing these issues but don't make compliance a priority, as demonstrated by having shredders easily accessible for employees' use."

This can be a very costly error, McDowall continues.

"More and more customers are filing suits against businesses as a result of these issues and many are voting with their pocketbooks, if you will, taking their business elsewhere and refusing to patronize that business as a result," he says.

So what can small business owners do to ward off a data breach, especially now that highly mobile (and therefore very theft-prone) laptop computers are reportedly outselling desktop computers? Experts suggest:

Establishing secure policies. Require that data contained in laptop computers must always, without fail, be encrypted (full-disk rather than just file) and the laptops password protected. This goes for desktop computers also.

Require that all sensitive documents be shredded and hold these in locked containers until they are, says Brew. Assign specific employees to handle the destruction and verify and record that this has taken place. Establish appropriate checks and balances like assigning employees to oversee those who have access to, or who handle, sensitive information.

Look at areas where your business is vulnerable and create policies or procedures to address these weaknesses (for example, do your employees unfailingly check credit card signatures, or look to see if the driver's license photo matches the person standing in front of them?). And then train and monitor your employees on these routines.

Staying current with technology. Know the technologies that can make you vulnerable to a breach. For example, says McDowall, desktop computers, even those loaded up with firewalls, antivirus programs and anti-spyware programs, can still be at risk, in particular from keylogger programs. These programs, designed to record keystrokes, are secretly deposited on computers, and the captured information is transmitted back to the hackers. According to McDowall, 85% or more of these programs are getting past antivirus software. And it's easy to be infected: you can pick up a keylogger program by visiting legitimate Web sites, following links or even by downloading MP3s.

Keylogger programs affect even those who encrypt their stored and transmitted data, says George Waller, executive vice president of StrikeForce Technologies, Inc. The company, based in Edison, N.J., develops products for preventing identity theft.

"One reason why identity theft is the fastest-growing crime is that even though sites may be secure and they might encrypt their information, the keyloggers have found a way to record keystrokes coming from the keyboard to the browsers. These keystrokes are not encrypted and this is what the keyloggers are picking up," explains Waller, whose company offers technology that will encrypt keystrokes from the keyboard to the browser.

Getting smart about hiring. Do criminal background checks on all would-be hires. Make it a policy to drug test. Employees represent a huge vulnerability to business owners and their customers, says Johnny May, president of Security Resources Unlimited, an identity theft prevention company located in Bloomfield Hills, Mich. He says that ID theft occurring in the workplace due to disgruntled, exiting or plain old dishonest employees is "spiraling out of control," and currently represents a greater threat than outside hackers.

"People tend to focus on external threats like hackers, spyware or stolen credit cards, but what's so scary about internal threats is that they can go on for a long time without being detected," says May, also sounding the alarm about temporary workers who come in for the sole purpose of stealing personal information.

And it's not just intentional employee theft that small business owners need to guard against; poorly trained, unaccountable employees who consequently mishandle data pose a risk as well, says McDowall.

The most important, and perhaps most effective, thing small business owners can do is to take the risk of ID theft seriously and to remain vigilant.

"Remember," says Brew, "just because you have a lock on the door doesn't mean your information is secure."
