Misguided Government Mandates Lead to Massive Data Breaches

The state of California is the first state to mandate anti-theft security measures for smartphones. All smartphones will be required to ship with a “kill switch” enabled by default, which allows an owner to lock down the device if it is stolen. Minnesota passed a similar law, but there the feature is optional rather than mandated as a default. The larger problem is that smartphones are becoming the primary instruments for purchasing goods, transferring money, and nearly every other activity tied to our financial well-being. While many will laud the government legislation for implementing stricter security measures, it misses the point. Instead of focusing on hardware, legislators need to focus on the information itself and on all of the hazards that storing toxic data brings to government agencies and businesses. These misguided government mandates lead to massive data breaches without answering the central question of how to properly secure sensitive information.

Government Hypocrisy in Data Security

While the Federal government continues to push data security controls, maybe it should clean up its own house before enacting laws in other sectors. For example, a data breach at US Investigations Services (USIS), which performs background checks for U.S. Government workers, exposed PII (Personally Identifiable Information) and PHI (Protected Health Information) for over 25,000 employees. More people could be affected, as the investigation continues. The exposed data extends to classified personal information that foreign governments could exploit. The U.S. government has yet to reveal the cause of the attack or the type of attack it was. The 2013 Verizon annual report on data breaches found that the main cause of government breaches was “miscellaneous error”, in other words an OOPS. So both federal and state governments are calling for stricter guidelines while they have a hard time securing themselves.

The GAO (Government Accountability Office) reported that data breach incidents increased from 10,481 in 2009 to 25,556 in 2013. These are not counts of records breached, but counts of individual breach incidents. That should turn your stomach.

Breaking Down Breaches by Cost

(Chart: the largest data breaches ranked by cost. Statistics provided by Bloomberg.com.)

As the chart shows, the largest data breach was at Court Ventures, a company owned by US Info Search, which helps manage risk and fight fraud by providing data to U.S. companies, government agencies, and legal industry professionals.

Government Mismanagement Led to 1st and 7th Largest Breaches in History

Hieu Minh Ngo, a Vietnamese national, posed as a private investigator operating out of Singapore. He regularly wired cash from a bank in Singapore to Court Ventures, purchased access to these records, and used them in a variety of fraudulent schemes. The first question is why a US firm contracted by our federal government would be selling Social Security numbers and a bevy of other sensitive data to the highest bidder. Another OOPS moment.

According to Krebs on Security, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and February 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.

Inconsistent Government Mandated Reporting Laws

Government-mandated reporting is designed to offer full transparency about the root cause of a breach and, more specifically, the types of information breached. Every state has different reporting laws for data breaches, which are tracked by the National Conference of State Legislatures. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules set forth Federal reporting guidelines for data breaches involving health information. However, there are no comparable security guidelines for how the information is stored. To get to the point, awareness of a breach does not set guidelines on how to secure information. Telling me my Social Security number has been compromised does nothing to eliminate what cyber thieves can do with it. If government wants stricter laws for data security, then it should put into practice what it is mandating. Standardization in data security is crucial to curbing the massive outbreak of data breaches. However, at the end of the day, if you house sensitive data you are at risk. What is the solution?

Cloud Tokenization as a Data Security Solution

Tokenization replaces sensitive data with a surrogate value, which removes the sensitive data from your environment and shrinks your compliance scope at the same time. If a token is breached, the cyber thief holds a meaningless value with no access to your sensitive data. Removing toxic data reduces risk, with up to a 95% reduction in PCI, PII and PHI compliance scope. The vast majority of TokenEx customers save enough in auditing expenses and other related costs to pay for our cloud tokenization solution. To learn more about how you can reduce risk, scope, and compliance burden, visit TokenEx.com. Follow us on Twitter and LinkedIn.
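To make the mechanism concrete, here is an added example of vault-based tokenization. It is illustrative code written for this page, not TokenEx's product or API, and it assumes an in-memory vault for a single data type (U.S. Social Security numbers in NNN-NN-NNNN form) plus hypothetical helper names (`TokenVault`, `store_customer_records`, `sensitive_values_exposed`). The point it shows is the one the paragraph makes: the application database ends up holding only random, format-preserving tokens, so a stolen copy of that database yields no Social Security numbers, and nothing short of access to the vault itself turns a token back into the real value.

```python
import re
import secrets

# Shape of the sensitive value this vault handles (U.S. SSN, dashed form).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Maps random tokens to the sensitive values they stand in for.

    The vault is the only place the real value exists; callers keep just the
    token. In a hosted service the vault lives in the provider's environment
    and encrypts values at rest; here it is an in-memory dict so that this
    constructed example runs offline.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    @staticmethod
    def _random_token(value):
        # Format-preserving token: same shape as an SSN, last four digits kept
        # so staff can still confirm "the number ending in 6789", the first
        # five digits drawn from a CSPRNG. A random token has no mathematical
        # relationship to the original, so it cannot be reversed without the vault.
        last4 = value[-4:]
        return f"{secrets.randbelow(1000):03d}-{secrets.randbelow(100):02d}-{last4}"

    def tokenize(self, value):
        """Return the token for value, minting one on first sight."""
        if not SSN_RE.match(value):
            raise ValueError("expected an SSN in the form NNN-NN-NNNN")
        if value in self._value_to_token:          # consistent tokenization: one token per value
            return self._value_to_token[value]
        while True:
            token = self._random_token(value)
            # Reject a token that collides with an existing token or that happens
            # to equal any real value the vault knows, so tokens never leak data.
            if token not in self._token_to_value and token not in self._value_to_token:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Return the real value for token, or None if this vault never issued it."""
        return self._token_to_value.get(token)


def store_customer_records(vault, customers):
    """Simulate an application that tokenizes before writing its own database."""
    return [{"name": c["name"], "ssn_token": vault.tokenize(c["ssn"])} for c in customers]


def sensitive_values_exposed(stolen_rows, real_ssns):
    """What a thief learns from a copy of the application database alone:
    the tokens that are themselves real SSNs (none, by construction)."""
    return [row["ssn_token"] for row in stolen_rows if row["ssn_token"] in real_ssns]


if __name__ == "__main__":
    # Constructed sample customers; the SSNs are made up for this example.
    customers = [{"name": "Alice", "ssn": "123-45-6789"},
                 {"name": "Bob", "ssn": "987-65-4321"}]
    vault = TokenVault()
    app_db = store_customer_records(vault, customers)
    print("application database holds:", app_db)
    print("exposed by stealing the app database:",
          sensitive_values_exposed(app_db, {c["ssn"] for c in customers}))
    print("vault lookup:", vault.detokenize(app_db[0]["ssn_token"]))
    print("lookup without the issuing vault:", TokenVault().detokenize(app_db[0]["ssn_token"]))
```

The scope reduction the paragraph describes comes from the split visible in the code: the application database, its backups and its logs carry only `ssn_token` values, so they fall outside the set of systems that store sensitive data, while the vault is the one component that still needs the full set of controls.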
