BreachExchange mailing list archives

Data breach fines can risk more harm than good, experts say


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 23 Apr 2011 02:23:51 -0400

Regulations designed to help guard consumer financial accounts and
privacy may start doing more harm than good if taken too far

April 21, 2011 — CSO —

Are regulatory and security breach fines protecting the consumer, or
beginning to unduly drive security policy? As penalties begin to be
levied against organizations that have been attacked, or whose
employees have violated data policy, some experts now question whether
the government is penalizing one of the victims of a crime, rather than
helping to mitigate the risk of identity theft, as the laws were first
intended.

Consider the move by the Massachusetts Attorney General against the
Briar Group LLC, owner of a restaurant chain. A few weeks ago the
attorney general announced that it had reached an agreement with Briar
Group to pay $110,000 in penalties. The settlement stems from
allegations that the restaurant chain didn't adequately protect
customer payment data after a malicious application was installed on
its systems. The malware was on its network from April 2009 through
December 2009. According to a statement from the Massachusetts Attorney
General, the chain didn't change employee login credentials and
continued to accept credit and debit cards after it discovered the
breach. The complaint also alleges that the chain failed to properly
secure its remote access utilities and wireless network.

Certainly not security practices to applaud. However, experts contend
that, because of the inherently insecure state of applications and IT
systems, enterprises can have all of the right security technologies,
policies, and procedures in place and still end up on the wrong end of
a state action. "These database breach notification laws were not
intended to set standards of care," says Mark Rasch, director of
cybersecurity and privacy consulting at Computer Sciences Corporation.
"They were initially intended to help consumers, who had their
information breached, to avoid identity theft," he says.

"The fact is that you can do everything well, and be breached; or you
can do nothing and suffer no recognizable breach," he adds.

Mike Wiltermood, chief executive officer at Enloe Medical Center,
based in Chico, California, might agree. Enloe decided to fight a fine
it received last year after it reported that the center had discovered
that on several occasions the medical records of one patient had been
inappropriately accessed. The medical center says it discovered the
violations through its own monitoring and investigation, and
self-reported the incident to California authorities. The result? The
California Department of Public Health (CDPH) opted to fine Enloe
anyway.

The center didn't think the state's actions were justified.

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
