Responding to Privacy Breaches: the Business Need for Information Security Incident Response Plans

By Rebecca Herold | January 15th, 2007

Personally Identifiable Information (PII) Blowing In the Wind
On October 1, 2005, confidential health records originating from the Toronto Clinic and dating back to 1992 were purposefully blown and scattered about the streets of Toronto, Ontario. The Clinic had given boxes containing health records to the Paper Disposal Company, which provided its shredding services. Reportedly due to a misunderstanding, the records were instead passed to a recycling company, which subsequently sold the intact records to a film company that used them as props for a film about the immediate aftermath of the September 11, 2001, terrorist attacks on the World Trade Center. On October 31, 2005, Ontario’s privacy commissioner found both the clinic and the disposal company at fault and liable.

Who Has Access to Your PII?
Do you know who is peeking at the PII for which your organization is responsible? Do you know if that vendor to whom you’ve outsourced the processing of your PII has allowed your PII to get into the hands of a competitor or criminal without even knowing it? Do you know if they may have donated your un-shredded confidential papers to the local public kindergarten to use as scrap paper? Do you have alarms and processes in place to notify you when PII is inappropriately used or accessed? Have you even thought about these issues? Or, do you think someone else in your company is already taking care of all these pesky possibilities? Or perhaps you think that such an incident is very unlikely and would have very little impact on your organization?

You need to examine how well the PII in your care is actually protected and how your organization would be impacted by a privacy breach. Or, perhaps your organization has already experienced one of the hundreds, perhaps thousands, of incidents that have already occurred and needs to re-examine…or create…its privacy breach preparedness plan.

Information Security Incidents Continue to Grow
Privacy Rights Clearinghouse recently began tracking PII breaches reported within the United States. Between February 15, 2005 (starting with the ChoicePoint incident) and April 28, 2006, it logged 162 breaches that had been reported in the news. These breaches cumulatively involved the information of at least 55 MILLION people. The types of breaches varied greatly and included such incidents as:

  • Stolen or lost computing devices, such as laptops, PDAs, and so on
  • Insiders inappropriately using PII
  • Hackers gaining unauthorized access to the information
  • Fraud activities perpetrated by outsiders, insiders, and combinations of both
  • Password compromise
  • Lost backup tapes
  • Unshredded paper documents given to people outside the organization
  • Email messages with confidential information sent or forwarded inappropriately
  • Information exposed online because of inadequate controls

Keep in mind these are just the reported incidents. The author is aware of at least four other organizations that experienced and addressed significant breaches in 2005 that did not get publicized or included within these accumulated statistics. And, yes, they contacted all their customers quickly. Undoubtedly many more organizations have quietly addressed breach incidents while working diligently to keep the incident from being reported.

Increasing Numbers of Breach Notification Laws
In 2005 breach notification legislation was introduced in at least 35 states. As of April 7, 2006, at least 24 states had passed security breach notification laws. All organizations must now effectively notify all affected U.S. residents for PII breaches. Trying to notify only those within the states that have notification laws would not only be impossible to manage, it would also be a very bad business decision from a public relations perspective, not to mention the fact that the number of states with such laws is increasing rapidly, and that doing so would still leave you wide open for civil suits.

Privacy Breaches = Lost Customers
A Ponemon Institute study on lost customer information, released in November 2005 and sponsored by PGP Corporation, revealed that businesses suffer a greater impact from the loss of customer confidence and business following a breach than from the direct costs of the breach itself. The survey revealed:

  • Close to 12% of people had been notified about a data breach by companies with whom they did business.
  • 20% of people said they immediately closed their accounts or stopped doing business with the company.
  • Companies reported losing between 2.5% and 11% of all their customers following incidents. There is clearly a disparity between what customers and companies report.

Another study released in December 2005, conducted in Canada by Leger Marketing and sponsored by Sun Microsystems of Canada, showed 58% of consumers said they would immediately stop doing business with a company that experienced a breach that put their personal information in jeopardy.

The loss of customers will depend greatly on the type of breach, the service or product the company provides, how quickly the company contacts customers following a breach, the history the customer has had with the company, along with the general reputation. The Leger Marketing survey reported 55% of companies indicate that the customer information for which they are responsible is not safe or secure. The study also indicated 14% of Canadian consumers believe they have already been identity theft victims.

Privacy Breaches = Big $$ Losses
Another Ponemon Institute study on consumer breaches, also sponsored by PGP Corporation and released in November 2005, revealed that the average impact to each of the 14 companies studied following a security breach was $14 million. Actual costs included internal investigations, external legal fees, notification and call center costs, investor relations, promotions such as discounted services and products, lost personnel productivity, and the cost of the lost customers. The ongoing costs to the organizations in the months following a breach exceeded the immediate costs of addressing the breach itself.

Breaches Have Significant Business Impact
In addition to the costs identified within the Ponemon report, there are additional costs involved with breaches, such as when an organization’s customers are other organizations. For example, if you have customers who are companies that distribute your services or products to their employees or customers (such as if you provide group health insurance policies), then you will not only need to notify the individuals, but also demonstrate to the companies who are your customers what you are willing to do to keep their business. This can be pricey. You may need to fly representatives from the companies to your site to meet with your executives to discuss the situation, all on your dime.

Additional breach response costs are also involved for notifications to individuals who are located outside your country, such as the costs for resources to work with the applicable country privacy commissioners, costs for translation services and call centers with multi-lingual capabilities, and so on. And, depending upon your industry, locations, services and products, there could be many other areas a breach could financially impact. It is worth taking an afternoon to brainstorm the possible impacts to help you better prepare to respond to a breach.

The author created a privacy impact “calculator” that organizations have used to demonstrate to their business leaders just how much a breach could cost when considering multiple possibilities and factors. (See an abbreviated version at www.informationshield.com/privacybreachcalc.html). Such an exercise truly is an eye-opener and gets the attention of the leaders who can relate best to information presented as profits and losses. It really helps to get the resources to do the activities necessary to create a breach response plan and implement the associated tools and procedures.

Do Not Delay Breach Notifications
The Ponemon consumer breach study highlights the importance of having an effective breach response plan in place to quickly notify customers. Companies that took longer to notify customers of a breach were four times as likely to lose customers as those that notified customers quickly and consistently. The method of breach notification was also a significant factor in customer retention: the companies surveyed were three times more likely to lose customers if they notified them using a form letter or email instead of calling them on the phone or sending them a personalized letter.

One Of Many Potential Impacts is Identity Theft
Just one of the impacts to customers for privacy breaches is identity theft. The likelihood for such fraud is dependent upon the type of breach. Knowing how identity theft occurs will help organizations with implementing appropriate security, in addition to creating more effective breach response plans.


In December 2005, ID Analytics released a study of identity theft resulting from four specific security breaches that occurred during the year. While this is certainly a small number of incidents to examine, the findings are useful in considering security controls and breach response activities. The findings included, among other things, that:

  • The greatest potential for fraud and identity theft occurred when the breach incident targeted personal information, such as names, Social Security numbers, address, and birth dates.
  • Notifying customers and consumers appeared to deter the perpetrators of the incident from fraudulently using the information.

Be Prepared to Respond to Breaches, Or Be Prepared For Bad Business Impact
Preparing a breach response plan as part of a solid information security management and privacy assurance program is, of course, no guarantee of avoiding bad publicity or a negative impact to your business following a breach. However, being prepared for a breach response will certainly help to mitigate and lessen the impact of a breach if and when one occurs…and it could very possibly keep the organization from going out of business. The more quickly, comprehensively and efficiently an organization can respond to and resolve a breach incident, the less financial, brand, and likely legal impact and damage it will suffer. Remember, doing less following a breach will hurt an organization more in the long run.

Published in IT Availability & Security


About the Author: Rebecca Herold

Rebecca Herold, CIPP, CISSP, CISM, FLMI, “The Privacy Professor,” has over two decades of information security, privacy and compliance experience. She has been named on Computerworld’s “Best Privacy Advisors” list for the past two years. Contact her at [email protected] or http://www.theprivacyprofessor.com
