BreachExchange mailing list archives
Re: REDUCING THE IMPACT OF PII SECURITY BREACHES
From: George Toft <george () myitaz com>
Date: Tue, 18 Jul 2006 14:38:41 -0700
A quick google for the terms: information security program GLBA shows several universities that realize that they ARE financial institutions per the Federal Government's definition under the Gramm-Leach-Bliley Financial Modernization Act. The GLBA Security Rule has been in effect for over three years now, so those universities that are behind the times need to catch up and comply with already existing laws. See http://www.google.com/search?num=50&hl=en&lr=&safe=off&q=information+security+program+GLBA&btnG=Search George Toft, CISSP, MSIS My IT Department www.myITaz.com 480-544-1067 Confidential data protection experts for the financial industry. henry ojo wrote:
REDUCING THE IMPACT OF PII SECURITY BREACHES The persistent security breaches that occur in so many organisations and institutions are no longer big news. What is worrying is that while it is expected in financial institutions, as obvious targets for their ‘monetary rewards’, it is rather unexpected in that about a third of the reported security breaches in the U.S. occur in educational institutions. Obviously the level of protection afforded the information (mainly Personal Identifiable Information PII) held by these educational institutions is much less than their financial counterparts, yet the data breaches could be just as damaging. What makes the PII so valuable to fraudsters? Loans, mortgages, credit cards, illegal employment could be obtained using this kind of information. This now rests the burden of responsibility at the feet of organisations that use PIIs as the only way to validate the identity of applicants for their services. Fraudsters use this information largely because it is inherently ‘low risk’ with huge returns as the risk of being physically present is eliminated by organisations relying heavily on e-commerce. The question is, do the benefits of cost cutting, easing organisation’s operations by doing substantial amounts of business online outweigh the impact of not providing enough protection to customers PII by not streamlining processes and procedures to aid the security of customers PII at the risk of legislative/regulatory fines etc. A suggestion to revert to the stone ages is not being conceived but the emphasis on using PIIs for validations, verifications and even in some cases authentication by a lot of institutions should be reduced. Biometrics, token password solutions provide alternative authentication mechanisms, which organisations avoid because of costs, but in the long term an ROI might justify the investment against legislative/regulatory fines, litigation, legal fees and loss of goodwill/reputation. Henry Ojo BSc HISP BS7799 Auditor www.efortresses.ie Cell: 00353 874182266 Office:+(0) 7958430094 Fax :+(0) 7092 0950843 ------------------------------------------------------------------------ The all-new Yahoo! Mail <http://us.rd.yahoo.com/mail/uk/taglines/default/nowyoucan/free_from_isp/*http://us.rd.yahoo.com/evt=40565/*http://uk.docs.yahoo.com/nowyoucan.html> goes wherever you go - free your email address from your Internet provider. ------------------------------------------------------------------------ _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
Current thread:
- REDUCING THE IMPACT OF PII SECURITY BREACHES henry ojo (Jul 18)
- Re: REDUCING THE IMPACT OF PII SECURITY BREACHES George Toft (Jul 18)