Thefts and Threats

The recent news of the New York Police Department’s loss of personal data for 80,000 current and retired officers is one more reminder that sensitive stored data should be protected. "The sad fact about this case, which centers on a rogue employee stealing eight tapes from the NYPD’s pension’s division, is that it could have been avoided if the data on the current and retired officers had been encrypted," comments Michael Callahan, senior vice president of Credant Technologies, developers of military-grade encryption. "Presumably the tapes were part of a backup storage system, which the thief was hoping nobody would miss. If the data had been encrypted, then the audit procedures that seem to have discovered this theft would not have had to be as rigorous."

According to Callahan, especially because the employee that stole the data—which includes the Social Security information and banking information of the employees—was a civilian and not subject to police vetting procedures, the police department should have implemented better security policies. "Eight backup tapes with heavily encrypted data on them have a resale value measured in tens of dollars, whereas, with 80,000 identity theft kits on them in readable format, the value starts to skyrocket into hundreds of thousands if not millions of dollars category," he estimates.

According to the March issue of Encryption Matters 2.0 published by PGP Corporation, most data breaches are a result of negligence. Writes Dr. Larry Ponemon of the Ponemon Institute, “One of the most frightening statistics that emerged from our study, whose participants were 43 companies from 17 industry sectors, is that 88 percent of the breaches involved incidents resulting from negligence, which in my view is entirely preventable.”

The study to which Ponemon refers is the Institute’s fourth annual U.S. Cost of a Data Breach Study, which found that the cost of a breach continues to rise—averaging $202 USD per record lost, an increase of 11 percent in two years. Ponemon goes on to note that the biggest consequence of a data breach is lost business: “Our study showed that the cost of lost business averaged $4.59 million (USD) per incident, or $132 (USD) per record. Lost business now accounts for 69 percent of the total average cost.”

Other highlights from the report include:

  • Third party breaches increased and cost more. Outsourcers, contractors, consultants, and business partners were responsible for breaches in 44 percent of respondent incidents in 2008, up from 40 percent in 2007, 29 percent in 2006, and 21 percent in 2005.
  • The first breach has a higher cost, with a per-victim cost of $243 (USD) compared to $192 (USD) in companies that have suffered previous breaches. More than 84 percent of all cases in the study involved organizations that had more than one major data breach.
  • Training and awareness programs lead efforts to prevent future breaches, according to 53 percent of respondents, while 44 percent of respondents have expanded their use of encryption technologies to prevent future breaches.

“Let’s face it: breaches are going to happen. Laptops are stolen, USB sticks can be lost, sniffers capture email messages, and insiders penetrate file servers,” writes Ponemon. “The most effective way to stop data loss from becoming a breach is to encrypt the data itself.”