Data Security: Get the Facts

What is a "data breach" and how does it occur?

A data breach occurs when unsecured personally identifying information held by an individual, company or government agency is mishandled, lost or stolen - resulting in confidential information falling into the wrong hands. Personally identifying information is most commonly defined as any data that links an individual's name with his or her Social Security, driver's license, financial account, medical or other confidential personal information.

Data breaches occur in a variety of ways. One common thread is that the lost data is in a format thieves can easily read. Some of the most common causes include:

  • Lost, stolen or misplaced computers, laptops, computer storage (USB) or backup devices
  • Tapes containing data backups or transfers that disappear in transit 
  • Information inappropriately transferred or sent out via e-mail, Web mail, file transfers or instant messaging
  • Data inappropriately copied out through USB ports to, for example, USB drives
  • Data stored on network, file or email servers that is remotely accessed by hackers or accessed by employees without authorization
  • Hackers exploiting viruses, Trojan horses, weak passwords or security loopholes to harvest information
  • Improper destruction of information - both physical (dumpsters) and electronic (laptops)
  • Poor business practices - such as sending postcards that include Social Security numbers

Who has been affected by data breaches?

More than 100 million Americans have had their personal information, such as Social Security numbers, medical records and account information, compromised since February 2005.
-Privacy Rights Clearinghouse, December 2006

It is a common misconception that data breaches only affect those who shop or bank online. This is not the case. In fact, victims span every walk of life: college students, blood donors, military personnel, hospital patients, YMCA members and customers of businesses of all sizes have all been affected.

What is the impact of data breaches on the victims?

Personally identifiable information is very valuable to criminals, who can use it to commit fraud for financial gain.

While it is true that a low percentage of data breaches lead directly to identity theft, the burden usually falls on the affected consumer to ensure that their information is not used fraudulently after it is lost. According to the Federal Trade Commission (FTC), consumers should take immediate action after being notified of a breach, including setting up fraud alerts with the credit agencies, closing any financial accounts where specific information was lost, monitoring credit reports every few months, and other actions depending on the type of information lost.

What is identity theft and what kind of impact does it have?

Identity theft is the crime of using an individual's personal identifying information for the purpose of impersonating that person and committing fraud. According to an FTC survey, the most common types of identity theft are credit card fraud, utility fraud, bank fraud, employment-related fraud, government document or benefit fraud, and loan fraud.

What legislation has been proposed to address the problem of data breaches?

Currently, data security legislation has only been passed at the state government level. To date, 34 states have passed laws addressing data security. However, very few of these states have provisions that actually aim to prevent data breaches by requiring sensitive personal information to be secured in the first place. The majority of these laws only address the problem after personal data has been compromised, mandating consumer notification when a breach occurs (although, importantly, every one of these state laws encourages organizations that hold data to protect it with encryption, through a safe harbor provision in each bill). Though these laws are well-intentioned, their sheer number will result in an unnecessarily complex and cumbersome web of regulations for businesses to comply with and consumers to understand, because business usually crosses state lines.

The 109th Congress held a number of important hearings on information security issues and advanced several bills to address the security of sensitive personal information, but ultimately fell short of passing a comprehensive new law to address the security of such information. However, in the final hours of the session it did pass a law that would improve information security at the Veterans Administration (VA) (S-3421). While the law will certainly lead to improved security at the VA, unfortunately it creates wholly new definitions for "sensitive personal information" and "data breach" and requires the Secretary of the VA to create new regulations to secure sensitive information without recognizing existing standards, such as those established under Gramm-Leach-Bliley.

What does CSIA believe the federal government should do to address data security?

CSIA advocates for a comprehensive national law to both prevent further data breaches and address leaks once they occur. To accomplish these goals, the law must require reasonable security measures, encourage best practices such as encryption, create a consistent and recognizable notification standard, and include effective enforcement capabilities.

A CSIA-sponsored survey showed that 70 percent of likely voters agree that Congress should pass a strong data security law. And nearly half (46 percent) of likely voters who think that Congress should pass such a law report that they would have serious doubts about a candidate that opposes swift action.

Will establishing reasonable security measures be overly burdensome for businesses?

A uniform national law will simplify compliance for businesses, which must now comply with 34 state laws, each with differences. It would create uniform definitions for personal information as well as a standard for the form and content of notification measures.

In addition, we believe preventing breaches will turn out to be less expensive than repeatedly cleaning up after them. From reports we have seen, the cost of reacting to a breach far outweighs the cost of protecting against such a breach in the first place. For instance, encrypting data so that it cannot be easily read if it falls into the wrong hands is one effective method of prevention. Encryption scrambles data in a way that makes it unreadable except by individuals with proper keys and credentials, and thus useless to thieves and unauthorized individuals.

A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined. Compare that with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach.
-Avivah Litan, Gartner, June 2006