Posts Tagged ‘data breach’

Data loss is only one component of data breach.

Tuesday, December 2nd, 2008

In years gone by, the main (even sole) concern which businesses had regarding data was the direct consequences to themselves of losing data. The questions they asked themselves centred around an inward-looking theme.

What data do we need to retain to ensure survival?
How will data loss affect us?
How long will it take us to get back up and running should we lose data which is backed up?
Will we be able to get back up and running if we lose data which is not backed up?

These are all valid questions, but every one of them misses the main concern, which has always existed but has come to the fore in the past few years.

How will it affect other people and organisations?

Just to bring some clarity to inward-looking people, the above question also equates to the following.

Will we be sued, prosecuted or shown in the media to have compromised client data?

This changes the perspective and adds a whole new required functionality to the issue. We are now moving up from basic backup to actual data protection.

So, a manual drag and drop of files to an external pen drive or hard drive which is bandied about in a director's car at night may, to a small degree, offer an element of simple backup. On the other hand, it very likely increases the risk of data loss significantly. This is not recognised by companies and individuals who are only interested in retaining a copy of data for themselves. If they look beyond this blinkered and recklessly narrow focus they will see that the net effect is to place copies of client data in dangerous situations.

Ask yourself this.
Would I be satisfied if every company I have ever dealt with had personal and identifiable information pertaining to me being driven about in staff cars overnight?

Absolutely not. All this does is increase the number of potentially available copies of this information for the companies involved and also increase the risk of breach to those about whom the data relates.

So, simple backup is too narrow a focus. Offsite storage only helps if being offsite does not itself increase the data protection risks.

The next time you consider the importance of a file, don’t just consider how much you need that file. Also consider how much others need that file (and any other versions of it applicable to you) protected from public release.

Bank of Ireland stolen USB key

Friday, November 7th, 2008

Subscribers and regular readers will recall the Bank Of Ireland stolen laptops story. Whatever preventative measures were put in place at the time appear to have had limited effect on protecting USB keys. The use of USB keys is in itself questionable practice outside of circumstances in which the data is encrypted and the key is for convenience only and not a singular or critical copy.

Even small enterprises are moving away from the use of micro devices for unencrypted data. The affordability and convenience offered by USB keys did for a time make them a data storage solution for individuals. The extent and obviousness of the risks coupled with the scale of reported incidents have removed USB key usage from the allowed list of many responsible companies.

This particular incident relates to account numbers, names and addresses (not full addresses, but if the wrong people have a name and a partial address they can surely work out the rest in many cases) for just under 900 clients. Financial information was not breached, but this will offer little comfort to the victims (customers) of this breach.

The bank have said they have no reason to believe the information has fallen into the wrong hands. Given that the device is lost, it could fall into anyone’s hands. Additionally, given that USB keys have a physical value (despite this being nominal), it is likely that it will not be ignored when spotted.

Given the absence of adamant and repeated claims of the data being encrypted, it would appear possible that it was not. We do not know for sure yet. If it was not encrypted, this will not instil great general confidence, given previous incidents and opportunities to resolve the basic but essential tenet of encrypting confidential client and third party information. If it was encrypted, there is little to worry about from the viewpoint of data privacy and the focus can move to asset protection.

So, the question remaining is: was the data encrypted? If so, Bank Of Ireland should speak up, as they have protected their clients from inevitable circumstances; device loss or theft will take place even if security and individual responsibility are managed well.

If the data was not encrypted, B.O.I. have much explaining to do this time round.

Your date with data breach.

Wednesday, November 5th, 2008

If you read the papers, watch the TV news, listen to radio reports, browse the Internet or simply go around with your ears open you will be aware that data breach is more than common. The Internet has brought many advantages to business. It has however changed information security from a task to an ongoing process. The continual data breach instances you hear about are just a drop in the ocean. The data loss incidents you hear about in the media are generally those of great significance to small business or any significance to big business. Every breach which makes the headlines is likely representative of thousands which don’t or may in the future.

If you do want to follow data breaches in far greater numbers, then a good starting point would be to sign up for breach reports from The Breach Blog. This excellent resource is owned and managed by FRSecure. Its focus is very much American, but this does not limit its ability to paint a picture of what is happening worldwide.

The breach blog is regularly updated and is well presented in snippet format so you can browse through the basic stats of a wide number of data protection issues affecting numerous organisations and then focus on any specific entry which interests you. You may then see extended information regarding the breach you want to read about.

So impressed are we with this blog that we are inviting the Breach blog administrator to participate in our Who’s who in data interview series.

We await the reply eagerly and will update you on the response.

Data loss compensation in Europe

Thursday, August 28th, 2008

Data loss is something you may read about frequently. You may have had your own details breached, or likely know someone who was affected. It is far less likely that you know someone who was compensated due to data loss. When was the last time you heard of data loss compensation? It is quite possible that data about you has been lost and you were not informed. It is much less likely that you will ever be compensated for any data loss incident.

With all the coverage data loss stories get in the newspapers, on television, on radio and indeed on blogs, it is remarkable that most people will never have heard of a data loss compensation case, let alone know someone who was compensated. This is not specific to Europe, but given the existence of a European commissioner and data commissioners in every member state, Europe is a good place to start.

Data loss is on an upward climb. Data loss awareness has certainly not been left behind. The media's continued coverage of data loss stories is a good indication not necessarily of the dangers presented by data loss (which are very real) but more so of the keen interest the public have in data loss news stories.

Some may believe that a data loss news story about a bank or corporation is near punishment enough for that institution. This may have been the case some time ago when the number of data loss news stories was minimal compared to now. Today however, a single data loss story will struggle to stand out.

Large businesses appear to continue without great difficulty after a data breach. The situation has become so common that some people may consider the occasional data loss event as normal! How come?

Here are some of the reasons.

Sanction.

Some of the possible sanctions which exist for data loss may appear quite serious to the individual or the small business, but given that sanctions are on a per-incident basis and not on a per-person-affected basis, they don't actually have much effect on the bottom line, and therefore on the planning, of a bank or large corporation. What effect will a fine of one or two million Euros have on a major financial institution?

Breach procedure.

The existence of data protection legislation and data commissioners is intended to provide a level of protection for the public. The number of cases has now got to such a level that an organisation can take the procedures adopted and outcomes of prior cases as a learning curve in how to deal with a breach from the organisation's viewpoint. A basic example is that simply reporting an incident on time (no matter how serious the incident is) removes that incident from the worst case scenario list. Organisations will use this, and spokespersons will repeatedly say things like “The incident was reported within an appropriate time frame”, giving credence to an organisation which has compromised individuals due to its own failure to implement safeguards.

Compensation.

Data loss compensation is the most important issue here. You are not entitled to compensation because an organisation lost your data. If you need to read that last line again, go ahead. This applies even if the company lost your name, address and bank account number. The data loss has to result in a specific problem such as a crime against you and you need to be able to clearly demonstrate the link. This is rare and unusual compared to the amount of people about whom data is lost.

Number of events.

The number of data loss events reduces the significance of any one story and therefore the impact on the organisation involved. The apparent across the board inability of large numbers of organisations to protect data is actually to a degree legitimising their inaction.

Compensation requirement.

Large fines for corporations are not working. Prosecution at CEO level is always difficult and could be unfair. It’s all too easy to say a CEO is responsible for the business, but most moderate people would agree that a line must be drawn somewhere.

A small standardised data loss compensation amount per individual could change everything. This would result in large corporations increasing protection, as one mass data loss could hurt. It would also provide recognition that to lose someone's data in a manner which puts it in the wild is wrong, and is a wrong against that person.

By all means, if people were significantly affected by a data loss the door would be open for greater compensation at individual case level, but one thing (of many) that is needed to greatly increase protection and data respect is a small per person, per case standard amount.

This would not be difficult to implement in Europe (if the will is there) as we have a broadly common framework and this area is in its infancy (one hopes given the apparent lack of control) and clearly needs broad, common action.

The specifics of the amount are not important if it is small enough to be accepted by industry and large enough to make data loss prevention a serious issue.

Loss of face (book)

Tuesday, August 5th, 2008

You may recall the Facebook data breach (not the most recent one) in March. This involved users' photos becoming visible to logged-on users. Facebook resolved this issue, resulting in a “now you see me, now you don’t” scenario. The global coverage of the issue seems to have been taken with a pinch of salt by users, who may en masse have decided that the coverage of the breach related more to the size of Facebook than it did to the severity of the breach.

This may therefore have passed as a “data outage blip” had not a more recent and arguably more serious breach occurred towards the end of July. This involved the date of birth of users being visible to anyone online until the problem was resolved.

Given that many people use a number of social networking sites, partial data breaches on an individual membership basis are very serious. Let's say, for example, that your Facebook membership provides fraudsters with a picture of you and your date of birth (coupled with any information you willingly provide). This relates only to Facebook breaches to date, so remember more may come. That information may or may not be enough to make you a victim of fraud. If it is not, it will surely make you an attractive option to fraudsters, as they have some personal information pertaining to you in their possible victim database.

Add to this any other breaches at other social networking sites of which you are a member, and you can see that the cumulative effect of “data protection blips” can be very serious indeed. As a consequence of all of this, many users are providing false personal information (partially at least) when they join social networking sites. One knock-on effect of this is inaccuracy in social networking site databases as to the advertising focus of membership. This reduces the validity of the advertising base and therefore the value to the social networking site.

In effect, data breaches always hurt the site responsible, but often innocent parties suffer with them. In this case, Facebook suffer credibility problems, potential sanction, the possibility of being sued and reduced future membership data accuracy, resulting in reduced advertising value.

Other social networking sites, however, are tarred with the same brush and, despite lesser consequences, will suffer because of the concern another Facebook breach brings to the industry.

The end users suffer from having to amend details, provide inaccurate details, remember the inaccurate details and potentially be the victim of fraud or actual identity theft.

So, Facebook suffer a loss of face, your face has been unwillingly found and everyone in the industry faces the consequences.