The Now-What of Losing Customer Data

An AmEx director of audit walks InfoSec attendees through the uncertainties associated with customer notification in cases of lost laptops, stolen BlackBerries or hacked databases.

ORLANDO, Fla.—Uh-oh, Sales has lost a laptop. The nightmare that ensues brings a host of uncertainties: Exactly what data was on that thing? How do you define nonpublic, private or confidential information? What constitutes a breach or a mass data compromise? What are your obligations to protect that data, and what are your organizations obligations regarding notifying the potential victims of identity theft?

These are just some of the questions you should answer before the laptop is lost, the BlackBerry is stolen or the database is hacked, said Mark Everist, a director of audit for American Express, during a session titled "Ensuring Customer Notification of Unauthorized Access" here at the InfoSec World Conference & Expo on March 19.

This is true particularly given the widespread prevalence of data loss, he said. "Most adults in the United States and Canada should [by now] have suffered some type of identifying information loss or theft since ChoicePoint," he said. "Since ChoicePoint, 147 million U.S. and Canadian resident records have been reported stolen."

Everist was referring to ChoicePoints 2005 admission that the ID verification services vendor had mishandled the personal financial data of consumers.

ChoicePoints admission was a turning point in notification legislation and privacy law, he said, given the scope and the nature of what ChoicePoint was doing: The consumer data aggregator was found guilty of selling the information of 163,000 U.S. citizens to fraudsters and was subsequently fined a record-setting $15 million. "They were selling the information [pertaining to] who could do what with [personally identifying information and a given credit rating]," he said. "Fraudsters were purchasing personal information records."

Were you to analyze the core fundamental elements to any privacy law that followed the ChoicePoint incident, Everist said, youd find that ChoicePoint "broke just about all of them." After the revelation, "You saw a slew of states pass legislation," he said.

In fact, thats one of the problems organizations face when dealing with a data breach, Everist said. As 33 states passed statutes around notification and data handling, with additional U.S. banking regulatory guidance, the resultant mishmash of legislation lacks consistent definitions of key elements of a data breach.

For example, under Californias trend-setting SB 1386 legislation, the definition of "personal information" is considered to include an individuals first name or first initial and last name, in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number, drivers license or California identification card number, account number, or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individuals financial account.

Everist noted that the requirement of data elements in combination with the required security or access code or password fails to recognize the extent to which an individuals data can be abused without a password. "Even if you didnt have a PIN number—for credit cards, for example—you dont need to have the PIN number to do something with a credit card number. It can be very risky to lose some of this information, but according to California law it doesnt need to be reported."

Still, after California passed SB 1386, other states copied it, adding and changing data elements, data media, qualifications for encryption and so on. For example, New York expanded the name requirement to include any number, mark or personal identifier, in response to the fact that some Native American tribes in the state use a symbol rather than a name.

The timing of notification requirements is also inconsistent. What data is covered varies markedly, as well. Under the Federal Banking Interagency Guidance, effective March 23, 2005, sensitive customer information was defined as a customers name, address or telephone number, in conjunction with the customers Social Security number, drivers license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customers account. The Guidance also includes any combination of components of customer information that would allow someone to log on to or access the customers account, such as user name and password or password and account number. This is similar to caveats in legislation in Georgia and Maine that recognizes that various combinations of data may allow access to accounts or threats to personal information.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Definitions of "breach" vary, as well, Everist said. Californias SB 1386 doesnt require harm or even potential misuse to trigger its notification requirements. Many states followed suit, but some have followed a variety of definitions. For example, Wisconsin requires notification if the illicit information is acquired by an unauthorized person and creates a material risk of fraud or ID theft. New York requires notification if the information is in the physical control of an unauthorized person or has been downloaded or used.

U.S. banking regulators consider a reportable breach to be an incident of unauthorized access to or use of sensitive customer data, and requires that affected organizations provide notice to customers whenever they become aware of an incident of unauthorized access to customer information and if, at the conclusion of a "reasonable investigation," they determine that misuse of the information has occurred or is reasonably possible to occur. However, without any new federal law, Everist said, U.S. regulators "are using a revised interpretation to protect financial institutions and customers by expanding the interpretation under [the Gramm-Leach-Bliley Act]."

Obligations for notification vary widely from state to state as well. SB 1386 pertains only to California residents and doesnt mention notifying regulators. Many states require notification by telephone; Indiana requires notification by phone or fax, Pennsylvania requires it by phone or e-mail, Utah requires telephone notification or newspaper notification, Illinois does not provide allowance for law enforcement involvement, and a host of states require notification of credit bureaus. And thats only a partial list of states varying notification requirements.

In summary, Everist said the good news is that common elements such as confidential information are evolving. At least one requirement, written notification, is universal.

What organizations should do to prepare for the next breach, he said, is to consider their ability to detect the data compromise. Does the organization know where the data is located, and what safeguards and detection ability surround it? Has the organization assessed its exposure to the variety of threats?

Organizations also should consider their readiness to react, Everist said. For example, can you map the breached data to the state of customer residence? Is there an established, yet flexible, incident response process? Also important is to include input from all the key decision-making groups, he said. That can include customer service, mailroom personnel and physical security. "They know when laptops disappear or boxes of checks disappear," he said. "It can be indicators of fraud."

In addition, Everist recommended that organizations involve leaders in order to drive prompt and correct response to data breaches, and adhere to the process whenever a potential breach is discovered. Finally, he recommended staying abreast of the rapidly evolving legal environment, in which emerging statutes, evolving interpretations and FTC settlements are currently in constant flux.

Here are his list of resources for keeping up on it all:

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.