Data Breaches


We spend a lot of time talking about what to do to prevent a breach of networks or computer systems.  This discussion has been, and continues to be, very valuable.  It is discussions like this that have allowed the payments industry to develop solutions like ProtectPay, ProPay’s secure payment solution.  ProtectPay, for instance, allows merchants to accept payment card transactions without storing, processing, or transmitting payment card data.  The benefit of such a system is tremendous.  Not only does it allow companies to significantly reduce the costs and resources necessary to achieve PCI DSS compliance, but it also reduces the risk associated with a breach.  If a merchant using a properly configured tokenization solution is breached, there is no data there to be stolen.  The merchant has only value-less tokens, not valuable cardholder data.  Unfortunately, tokenization isn’t yet universally employed.  That means that there are quite a few merchants operating today that still have cardholder data in their systems.  And while the conversation about preventing a data compromise is important, an important question still remains: What happens after the breach?

Experian and the Ponemon Institute teamed to answer that question.  The results can be found in “The Aftermath of a Data Breach.” (Registration is required to download the study.)  Of the companies studied, 45% indicated that the company lost bank or credit card information, and 60% of respondents indicated that the data that was stolen was unencrypted.  Additionally, the study found that 34% of breaches studied were the result of a “negligent insider.”  This seems to support the notion of using a tokenization solution.  It should be noted that 19% of responding companies suggested that “outsourcing data” was the cause of their breach.  Most tokenization solutions do require the outsourcing of data, so how can these two findings be reconciled?  There are two important concepts that readers should keep in mind.  The first is the statistics and the second is due diligence.

The statistics are interesting.  The findings tell us that 60% of respondents lost unencrypted data.  That likely means that at least some of the outsourced providers that were cited as a cause of the breach were not securely storing the data.  Another interesting finding is that a full 50% of breaches were caused by insiders (negligent insiders 34% and malicious insiders 16%).  The other concept that one should keep in mind when reading the study is the concept of due diligence.  Outsourcing data is a big decision for any company.  It is advisable to do a significant amount of research into the potential vendor.  For example, in the payments industry, a company that stores, processes or transmits cardholder data on behalf of a merchant is called a service provider or a data storage entity.  Regardless of the terminology, the company must be compliant with the PCI DSS and be registered with the card brands.  Ensuring that potential partners meet these requirements can substantially mitigate potential risk on behalf of the merchant.

The study is a very interesting read and has important lessons for those companies that store sensitive data.  Perhaps the most important lesson is this: If you don’t need the data, don’t store it!

Dr. Heather Mark, PhD; Sr. Vice President Market Strategy

We often think that our personal computers or laptops are not targets of hackers.  “There is little data of value to a thief,” we might rationalize.  “They are going to be better served going after a big target – like a bank or other financial institution.”  This assumes that the only reason a computer would be hacked is for the value contained on that computer.  On the contrary, sometimes hackers or data thieves seek out computers that they can use as a launching pad for other attacks.  Of course, as long as the criminal has accessed your computer, they are likely to make use of whatever personal data may reside there, as well.  That means that creating a complex password for all of your computers – not just those that are used for business – is important.

SplashData, a company that provides mobile productivity applications, recently released a study of some of the worst passwords to use.  These passwords are the ones that are most frequently cracked.  Not surprisingly, the most frequently compromised password is “password.”  The top 5 on the list from SplashData are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123

The complete list can be found here.

On this blog, we frequently discuss the importance of complex passwords – including alphanumeric characters, upper case and lower case, punctuation, and other symbols.   We also suggest that the password be changed at least every 90 days.  This will help to prevent hackers from making an easy target of your computer.

Dr. Heather Mark, PhD; SVP Market Strategy

Last week, an article was published on CNN that indicated that online security was a bit (okay – more than a bit) of a misnomer.  In fact, the article said that the notion of cybersecurity was a myth.  The article states that “attackers will find a way in one way or another even if you integrate security in a product from the outset.”  The news of the past several months seems only to reinforce this notion.  Organized groups of ideological hackers, sometimes referred to as “hacktivists,” have taken aim at some very high profile targets.  (A list of recent high-profile breaches can be found here.)

Not to be a scaremonger, but data thefts have become a fact of business over the past several years.  So how does a company, and a small company at that, operate in this threat environment while balancing the potential for data theft?  I’ve long told anyone that would listen, “if you don’t need the data, don’t store it.”  This is especially true of businesses that use sensitive payment data in their daily operations.  There is a tendency to fall into the “just in case” trap – the idea that while I may not need the data right now, I might one day, so it’s a good idea to just hang onto it.  Fortunately, there is a way to 1) protect your business from data theft while 2) hanging on to that data “just in case.”  The answer: tokenization.

Tokenization is a method of data replacement in which sensitive data is “anonymized.”  For example, payment data may be replaced with a token, or abstract representation of the data in question.  In this way, the merchant can still process payments, conduct reporting and analytics and perform other related functions without replicating sensitive data throughout their environment.  The merchant never stores, processes, or transmits cardholder data thereby reducing the risk attendant with data compromise. The data is instead stored with a trusted third party.  If the merchant is compromised, there is no data for hackers to steal.
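Tokenization as the post describes it, as an added example that is not ProPay’s or ProtectPay’s code: a hypothetical vault (the trusted third party) that hands the merchant a random token and keeps the card number itself, and a merchant record store that can be checked to show it holds no PAN. The class and function names are assumptions, and the card number used in testing is a standard Luhn-valid test number, not a real card.

```python
import re
import secrets

def luhn_ok(digits):
    """Luhn checksum so the vault rejects malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault run by the trusted third party. Tokens are random,
    not derived from the PAN, so a stolen token cannot be reversed without it."""
    def __init__(self):
        self._by_token, self._by_pan = {}, {}

    def tokenize(self, pan):
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid PAN")
        if digits in self._by_pan:            # same card -> same token
            return self._by_pan[digits]
        while True:                           # last four kept for receipts
            token = "tok_%s_%s" % (secrets.token_hex(8), digits[-4:])
            if token not in self._by_token:
                break
        self._by_token[token], self._by_pan[digits] = digits, token
        return token

    def detokenize(self, token):
        """Only the vault can map a token back; the merchant cannot."""
        return self._by_token[token]

class Merchant:
    """Merchant side: it keeps tokens and amounts, never cardholder data."""
    def __init__(self, vault):
        self.vault, self.orders = vault, []

    def charge(self, pan, amount):
        token = self.vault.tokenize(pan)
        self.orders.append({"token": token, "amount": amount})
        return token

    def holds_pan(self, pan):
        """True if the PAN digits appear anywhere in stored records."""
        digits = re.sub(r"\D", "", pan)
        return any(digits in str(v) for o in self.orders for v in o.values())
```

If the merchant’s records are stolen, `holds_pan` shows why the thief gets nothing usable: the only way back to a card number is `detokenize`, which exists solely at the vault.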

In an era when even data security professionals are beginning to express doubts as to the level of protection that can be afforded to sensitive data, businesses are well-served to investigate methods of mitigating their risk.  As Richard Thieme, speaker at the Black Hat Conference 2011, stated, “Only when companies and agencies begin to speak truthfully about their limitations — both internally and externally — can they start to address the real-life challenges that face them.”

Dr. Heather Mark, PhD; SVP Market Strategy

This post may seem familiar to regular readers.  Current events, however, bring it to mind again and the topic seems to be worth repeating.  The news has been rife with stories of major media outlets hacking the smartphones of private citizens and government officials alike.  The objective of this hacking was news – voicemails from crime victims, and information on important government representatives.  There have even been stories of journalists hacking into the phones of victims of the terrorist attacks of September 11, 2001.  This begs at least one question.  (Actually, it begs many, many questions, but for the purposes of this post, we’ll stick with one.)  How safe is your smartphone?

The answer depends on the individual.  Many smartphone users, while marveling at all of the functionality at their fingertips, forget that it’s actually a miniature computer.  Email, web browsing, cameras, and social networking sites all contain personal information.  On our home and work computers we install anti-virus protection, firewalls, and similar protective software.  These types of protections are available for smartphones, but many users are either unaware or unconcerned about the dangers of smartphone hacking.

There are some simple things that users can do to help protect themselves and their data.

1) Be careful when downloading third party applications – the majority of applications are not malicious in nature.  However, at least one major application marketplace did experience an “infestation” of infected applications.  Be sure that you know and trust the developer of the application.

2) Know how your data is being shared – some free applications sustain themselves by sharing or selling data to partners.  Most applications will disclose this in their terms and conditions.  While it is tempting to just hit “agree” in order to get to the application, users should take the time to read the privacy and data sharing portions of those agreements.

3) Native security features – most smartphones have some security features built in.  For example, entering a code to unlock the screen helps in the event that the phone is lost or stolen.  Some have the ability to erase all data on the phone if the code is entered incorrectly too many times.

4) Security software – many companies are now offering security suites for smartphones that are very similar to the software available for PCs and Macs.  Top Ten Review has put together a comparison of security software for smartphones.

Dr. Heather Mark, Ph.D.;  SVP Market Strategy

It is an interesting experience to search the term “data breach” on Google News, then scroll through the first five pages or so.  The number of well-known, well-funded entities reporting data breaches, even at a daily rate, is an impressive sight.  Cyber attacks are quickly earning the status of “all but inevitable” and business owners and other holders of personal data should ensure they are prepared to handle the consequences of such an attack.

One such consequence is the breached party’s responsibility for data breach notification. Forty-six states have adopted breach notification laws that govern an entity’s actions subsequent to a compromise of sensitive personal information.  Achieving compliance with the multitude of states’ data breach notification laws is a bit like arriving on the scene of an accident where dozens of victims require first aid but each has his or her own unique language, accepts help subject to an individual timetable, and requires an exceptional set of measures.  It is a complex process. 

In light of the difficulty in deciphering and complying with the multitude of laws, entities concerned with compliance should consider the following steps:

(1)  Develop a Data Breach Notification Plan.  Effective data breach notification plans will dictate internal team members’ responsibilities, contain model notices, and outline when, and under what circumstances, to notify law enforcement, regulators, and customers, since the timing of when customers in a given state should be notified is critical.

(2)  Know State Law Requirements.  Breached entities must be aware of the customer notice requirements on a state-by-state basis, including when and under what circumstances notice to those customers might be required, and whether less costly substitute notice is available.  Consider outsourcing this expertise as the sheer volume of statutes and annual changes in this arena requires almost full-time vigilance.

(3)  Create a Remediation Plan.  An entity’s response to a data breach is extremely important, both from an internal repair perspective, and external, public and customer relations perspectives.  It is advisable to create relationships with forensics, security, public relations, and legal experts in advance of a cyber attack and include those experts in the planning process.

(4)  Stay Current on Pending Federal Legislation.  Bills have been introduced in both the House and Senate over the past several years in an attempt to nationalize and bring some unification to the patchwork of states’ breach notification laws.  At least three have been introduced this session, along with a proposal from the White House.  A federal data breach law would likely preempt state laws and address some of the headaches associated with data breach notification, although the lack of consensus on the level of preemption and other issues, like the timing of notification, has so far made passage into law a difficult proposition.  Nevertheless, if such legislation passes, and some experts believe this will be the year, entities subject to breach notification laws should be prepared to adjust their plan and notification requirements accordingly.
