It used to be that industry experts would talk about ways for companies to prevent a data security breach. But by the end of 2007, with the Privacy Rights Clearinghouse tally of exposed records blowing past 217 million, most were instead talking about how to survive one.
Indeed, data breaches have become such a common occurrence that some believe it's futile to even entertain the notion that a company could achieve 100% protection. A lot of the pessimism has centered around the massive breach retail giant TJX first disclosed in January.
The TJX story continued to unravel throughout the year, exposing weaknesses in the company's wireless security, its failure to meet the basic requirements of the Payment Card Industry Data Security Standard (PCI DSS), and what many saw as a shaky PR response on the company's part.
The biggest lesson of the breaches at TJX and elsewhere is that no company is immune from the threat and businesses need to develop better response plans.
"One of the big missing pieces is the plan for external communications in the event of a data breach," Jim Maloney, former global head of information security at Amazon.com and current CEO of Cyber Risk Strategies, said during one panel discussion on the topic in Boston last fall. "When a data breach happens, you don't want to be scrambling and trying to decide who to talk to and how to restore confidence. You can't just try to wing it."
When TJX first disclosed its data breach in January, the retailer came under heavy criticism for what many considered a sloppy response. The company didn't disclose the breach until a month after it was first discovered, and few accepted its explanation that investigators recommended the period of silence. TJX also seemed to have trouble getting an accurate assessment of the damage. For example, the company initially said that attackers had access to its network between May 2006 and January 2007. Later it admitted that thieves were inside the network several other times, beginning in July 2005. The came word that the stolen data covered transactions dating all the way back to December 2002.
One of the first considerations for a company that may have had a data breach is when and if to disclose the incident. Of course, doing so is the law in many states. But at the CSI 2007 security conference in Arlington, Va. the first week of November, experts urged companies not to move too quickly, since a poorly-executed notification can make matters worse.
In a nutshell, Burton Group analyst Eric Maiwald said, the best bet for any IT shop is to store as little data as possible, examine the risk of what the company does need to store; install and use the necessary controls; and "put plans in place so that you know what to do when you have a breach."
Larry Ponemon, founder and chairman of the Ponemon Institute, said each security breach is different but that it all amounts to the loss of confidence and trust, which in turn means a loss of money. Asked about the common failure among data breach victims, he described the "it can't happen here" mentality.
"The attitude is epidemic, but events point clearly to the fact that no company is immune to the threat of data breach," he said. "Failure to take sufficient preventative measures is widespread, and … following a data breach, most companies will invest in the very preventative technologies and programs that might have helped avoid the incident in the first place."
While industry experts agree companies need to start assuming they will someday suffer a breach and must have a plan in place to soften the blow, they note that it's still possible to prevent a breach with some common-sense technological measures. The best example reflects the growing trend of laptops getting stolen or lost. If companies automatically used full-disc encryption on the devices, the loss of one would become a much smaller issue.
"If you allow sensitive information to be stored on mobile computers of any type, encryption is a good idea because it can get you out of having to disclose that the computer was stolen," Maiwald said.