Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/22/2007
02:51 PM
50%
50%

Making Up For A Data Breach

Do companies really care about the security of their customers' data? Quite frankly, not as much as they should, based on what's in the news.

Do companies really care about the security of their customers' data? Quite frankly, not as much as they should, based on what's in the news.Lately, it seems, we've been hearing about all types of data breaches: retailer TJX, the state of Connecticut, Stop & Shop, and the Department of Veterans Affairs. It's an epidemic, but don't turn to Johns Hopkins; an outside contractor to that health facility lost nine backup tapes that held sensitive personal information on 52,000 workers and 83,000 patients. The data is "thought" to have been destroyed. That's not really very comforting if you are one of those 135,000 people. And that's a pretty big number.

One big problem is that executives give data protection a lot of lip service these days. But if you think about it, what choice do companies have? Shareholders aren't going to be really happy with "Part of our cost-cutting measures includes neglecting our customer data." In fact, these companies probably invested quite a bit in some type of business intelligence product. Data mining is all the rage, and for good reason. There are plenty of lucrative marketing opportunities out there, if you can make sense out of all that data collected. Identifying repeat customers, buying trends, and other information that can better your business justifies collecting some types of data in the first place.

But some of what's collected seems odd: For example, TJX stored the license numbers of people who returned items without a receipt. Now, what is done with that information? How often does a retailer track someone down using the driver's license number? Seems to me companies could simply refuse to take a return without a receipt (like Toys "R" Us has recently done). The point is, how much information is necessary, and how much is overkill? Companies are opening themselves to more exposure by collecting too much information. It's all the more to worry about if there's a breach.

So, here are my Common Sense Rules.

  • First, companies ought to only hang on to information that is absolutely necessary. That way, if it's stolen (TJX), lost (Johns Hopkins), or otherwise compromised (Stop & Shop), there's less to worry about, plain and simple.

  • Second, companies should have possession of that data for only a specified period of time -- something that is currently mandated for credit card information but apparently was ignored by some of the parties involved.
  • Finally, there should be a Customer's Bill of Rights regarding what happens if your data goes astray. The JetBlue debacle of last week in which airline passengers were stranded on the tarmac for hours -- and the resultant Passenger Bill of Rights -- could act as a model for this. If companies must make reparations for lax data security, it's more likely that they will pay attention to keeping it locked up to begin with.
  • Massachusetts is taking note: A bill in the Legislature would make businesses pay for poor data security. Companies would be mandated to pay to cancel or reissue cards, stop payments, or block transactions. That may be too complicated; all that might be needed is a financial penalty, payable to the victim. For example, $100 would be payable to the person whose data has been breached. It's then up to that person if he or she even wants the credit card reissued. This system is straightforward and can be easily calculated. But whatever remedy is chosen, the time has come for some "incentive" to be invoked.

    Comment  | 
    Print  | 
    More Insights
    Comments
    Newest First  |  Oldest First  |  Threaded View
    When It Comes To Security Tools, More Isn't More
    Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
    US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
    Seth Rosenblatt, Contributing Writer,  1/11/2021
    IoT Vendor Ubiquiti Suffers Data Breach
    Dark Reading Staff 1/11/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-25533
    PUBLISHED: 2021-01-15
    An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
    CVE-2021-3162
    PUBLISHED: 2021-01-15
    Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
    CVE-2021-21242
    PUBLISHED: 2021-01-15
    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
    CVE-2021-21245
    PUBLISHED: 2021-01-15
    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
    CVE-2021-21246
    PUBLISHED: 2021-01-15
    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...