They’ve Got Our Data

Over the last couple of weeks, the United States retail chain Target has had to deal with a major data security breach.

Bloomberg summarised it well last week by noting:

Target’s massive data breach in November and December may have been 75 percent larger than earlier estimates indicated, according to a statement from the retailer this morning. The company said personal information was stolen from as many as 70 million customers, compared with its previous estimate of 40 million.

Much of the swiped information was “partial in nature,” though that will be scant comfort for the 30 million people who are realizing today that they might, in fact, have something to worry about. Target said it’s attempting to contact those whose information may have been pilfered. Meanwhile, the company is still helping the U.S. Secret Service hunt for the perpetrator.

The breach, according to Target, spooked would-be customers in the critical sales days just before Christmas. Business was buzzing ahead of expectations until Dec. 19, when the retailer announced the theft, which allegedly occurred from Nov. 27 to Dec. 15. The company now expects to report a 2.5 percent decline in fourth-quarter sales at stores open more than a year, down from a prior estimate of mostly unchanged revenue.

And it is in this context that a recently released Government Accountability Office report is very timely.

The review’s objective was to determine the extent to which selected agencies have developed and implemented policies and procedures for responding to breaches involving personally identifiable information (PII). Eight agencies were included in the review: the Centers for Medicare & Medicaid Services (CMS), Departments of Army (Army) and Veterans Affairs (VA), Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), Federal Retirement Thrift Investment Board (FRTIB), Internal Revenue Service (IRS), and Securities and Exchange Commission (SEC).

In terms of the regime that the agencies were expected to operate under, the report noted that:

The Federal Information Security Management Act of 2002 (FISMA), the primary law governing information security in the federal government, addresses the protection of PII in the context of securing agency information and information systems.

FISMA establishes a risk-based approach to security management and sets requirements for securing information and information systems that support agency operations and assets. Under the act, agencies are required to develop procedures for detecting, reporting, and responding to security incidents, consistent with federal standards and guidelines, including mitigating risks associated with such incidents before substantial damage is done.

Before we get to some of the findings, there was an interesting observation made about the cost of data breaches. The GAO noted:

According to a judgmentally selected survey conducted by the Ponemon Institute, the average per capita cost of a data breach for U.S. companies was $188 per compromised record in fiscal year 2012.

On average, of the 277 companies in nine countries surveyed by Ponemon, the U.S. organizations incurred $5.4 million per breach for costs related to detecting and reporting it and for notifying affected individuals and providing credit monitoring or other services.

The report noted:

  • Overall, the agencies reviewed had developed policies and procedures for responding to a data breach involving PII.
  • All eight agencies had policies for the two key management practices of establishing a data breach response team and having training requirements for employees.
  • All eight agencies had policies for reporting a suspected data breach to appropriate external entities, but the Army, FRTIB, and IRS did not fully address all the operational practices in their policies. Specifically, the Army did not specify parameters for offering assistance to affected individuals when appropriate in its policy or for analyzing breach response and identifying lessons learned. Further, IRS and FRTIB did not include the number of individuals affected as a factor to assess the likely risk of harm and level of impact of each incident.
  • Further, a review of sample incident cases at seven of the eight agencies indicated that implementation of operational policies and procedures was not always consistent.

The findings are concerning but not surprising, as they would most likely be replicated in many organisations.

It was once said to McLeod Governance that this is a new generation risk and control issue because the concept didn’t exist before the widespread advent of computers.

That perhaps ignores that data breaches can also result from papers being mislaid.

Nonetheless, this report is a timely reminder to get one’s house in order before the moment comes when someone yells “they’ve got our data!”
