security
  Identity Theft


   How scared should you really be?
by Heather Mark

    For the better part of the last four years, the payments industry has focused laser-like attention on the issues of data security and privacy. These efforts have largely gone unnoticed by the public and by regulators. The only time the public hears about the payments industry is when the media reports another breach. Those reports then set off a firestorm of publicity from federal legislators, the Federal Trade Commission, and other agencies and politicians who see data security as a “hot ticket” for their constituencies and who assume that the theft of credit card data leads directly to identity theft. Dozens of bills directly related to the protection of personal data have been introduced in Congress over the past year or two.
   There are two glaring problems here. The first is that the relationship between stolen card data and identity theft is nebulous at best. If card data is stolen together with other personally identifiable information (name, date of birth, Social Security number), then identity theft becomes more likely. Lost card numbers, in and of themselves, can be used for fraudulent charges, but they are not enough to facilitate identity theft. The other problem with the current cycle of media and federal attention is more a matter of principle: the federal government should get its own house in order before casting stones at an industry that has been proactive about data protection for the last several years.
    On May 22, 2006 the Department of Veterans Affairs (VA) announced that a laptop containing almost 27 million personal records, including information about veterans and some active duty personnel, had been stolen from an employee’s home. In that one statement one can identify any number of points at which following a security standard such as PCI would have prevented the loss. There is no reason that an employee, a data analyst, should have been able to take home files containing personal information on every veteran discharged since 1975; by restricting access based on “business need to know”, the VA could have mitigated a loss such as this. Similarly, had the VA encrypted such sensitive information, with the key held somewhere other than on the same laptop, the data would have been worthless to whoever stole the computer. Additionally, it appears that, though the VA had policies regarding taking data home and encrypting sensitive information, these policies were either unknown or ignored. With no more than a cursory examination of the incident one can see that the VA was grossly out of compliance with industry best practice, let alone with the Federal Information Security Management Act (FISMA).
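The two controls named above, need-to-know restriction of exports and encryption of anything that does leave the system, are easy to state and easy to get subtly wrong. The following is an added example, not code from the article or the VA: a hypothetical records export where a role policy decides which fields each role may pull, and where the export file is encrypted under a key that is assumed to live in a key service rather than on the laptop. The records, roles and policy are constructed for illustration. The cipher is a teaching construction (an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC) chosen so the block runs on the standard library alone; a real system should use AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Added example, not from the article: need-to-know export filtering plus
encryption at rest for a hypothetical records export.  All data below is
constructed; the cipher is a teaching construction, not production crypto."""
import hashlib
import hmac
import json
import re

# Constructed sample records; these are not real people.
RECORDS = [
    {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "dob": "1950-01-01", "rating": 30},
    {"id": 2, "name": "B. Sample", "ssn": "987-65-4321", "dob": "1962-07-14", "rating": 70},
]

# Hypothetical need-to-know policy: the fields each role may export.
# An analyst producing statistics never needs identifiers.
NEED_TO_KNOW = {
    "analyst": {"id", "rating"},
    "claims_officer": {"id", "name", "ssn", "dob", "rating"},
}


def export_records(role, fields, records=RECORDS):
    """Return only the requested fields, and only if the role may see every one of them."""
    denied = set(fields) - NEED_TO_KNOW.get(role, set())
    if denied:
        raise PermissionError(f"role {role!r} has no business need to know {sorted(denied)}")
    return [{f: r[f] for f in fields} for r in records]


def serialize(records):
    return json.dumps(records, sort_keys=True).encode()


def _subkeys(key):
    # Derive separate encryption and MAC keys from one master key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    # Counter mode over HMAC-SHA256: block i = HMAC(key, nonce || i).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_blob(key, plaintext, nonce):
    """Encrypt-then-MAC.  Layout: nonce(16) || ciphertext || tag(32).
    The caller must supply a fresh 16-byte nonce per file (e.g. os.urandom(16))."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(key, blob):
    """Verify the tag before touching the ciphertext; a wrong key or any tampering fails closed."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


SSN_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")


def ssns_readable(data):
    """What a thief holding the file, but not the key, can pull straight out of it."""
    return len(SSN_RE.findall(data))


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to show the fail-closed paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    import os
    key = os.urandom(32)  # assumption: fetched from a KMS, never stored on the laptop
    export = serialize(export_records("claims_officer", ["id", "name", "ssn", "dob", "rating"]))
    blob = encrypt_blob(key, export, os.urandom(16))
    print("SSNs readable in plaintext export:", ssns_readable(export))
    print("SSNs readable on the stolen disk:  ", ssns_readable(blob))
    print("analyst export of SSNs refused:    ", raises(PermissionError, export_records, "analyst", ["ssn"]))
```

The point of the two checks at the end is the one the paragraph makes: the same file that exposes two SSNs in the clear exposes none once encrypted, and the analyst never gets the identifiers in the first place. Note that the tag is checked before decryption and compared in constant time, so a modified blob or a guessed key produces an error rather than garbage that a reader might mistake for data.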
    In 2005, the Government Accountability Office released a report entitled “Emerging Cybersecurity Issues Threaten Federal Information Systems.” The report found that federal agencies were not acting to meet the evolving threats in their environment. It states that “… most agencies were not applying the information security program requirements of the Federal Information Security Management Act of 2002 (FISMA) to these emerging threats, including performing risk assessments, implementing effective mitigating controls, providing security awareness training, and ensuring that their incident-response plans and procedures addressed these threats”. In addition, federal agencies were not reporting data security incidents as they are required to do. The report concludes that “Without effective coordination, the federal government is limited in its ability to identify and respond to emerging cybersecurity threats....”
    George Opfer, Inspector General for the Department of Veterans Affairs, said, “Our Federal Information Security Management Act reviews have identified significant information security vulnerabilities since fiscal 2001 that place VA at risk of denial-of-service attacks, disruption of mission-critical systems, and unauthorized access to sensitive data.” Yet the VA took no action to correct these deficiencies. In contrast, the Federal Trade Commission brought an action against Guess?.com because its website was vulnerable to SQL injection, even though no data was shown to have been lost. In that case, Guess?.com was ordered to create and maintain an information security program, subject to FTC oversight for twenty years, with any violation of the order carrying an $11,000 fine. The VA, meanwhile, was made aware of deficiencies in its security program more than five years ago and took no action to remediate the identified vulnerabilities. The result, again in stark contrast to the Guess case, is that 26.5 million veterans, their spouses, and active duty National Guard and Naval personnel have been exposed to identity theft. The records lost by the VA contained not credit card numbers but dates of birth, Social Security numbers, disability ratings, and information about the veterans’ spouses: exactly the combination of data that does enable identity theft.
    The disparity is further delineated when examining the parties that ultimately bear the responsibility for such a breach. When a credit card breach occurs, the entire payments industry takes a reputational hit, from the card brands to the merchant or processor that was breached. The card brands assess penalties against the acquiring bank, which may pass that penalty on to the breached party. The FTC may also become involved and impose fines and penalties, in addition to requiring oversight of the breached party’s information security program. In many cases, civil liability may also apply to a company that loses credit card data. In short, the loss of data can devastate a company. The Department of Veterans Affairs, however, bears no such responsibility or liability for the loss of data. In fact, it is ultimately the taxpayer who is going to bear the brunt of this loss. Veterans Affairs Secretary Jim Nicholson estimated last week that the cost of the data loss may reach as high as $500 million.
    In addition to this cost, the federal government is offering a $50,000 reward for the return of the laptop and hard drive containing the data. The idea that simply recovering the stolen equipment will mitigate the exposure of the data is almost as ludicrous as an employee taking home 27 million records in the first place: unencrypted data can be copied in minutes, and its return says nothing about how many copies were made. That the government believes recovering the equipment will prevent the information from being misused further illustrates its inexperience with the types of theft that the payments industry has taken steps to mitigate.
    Strangely enough, the day after the VA breach was made public, the House of Representatives voted to approve the Data Accountability and Trust Act (DATA), which would require written notice of data breaches. The expense associated with such a requirement would certainly be enormous, but of particular note is that the stringent notification requirements laid out for the private sector would not apply to any federal agency. Such a move seems particularly obtuse in light of a massive loss of data that resulted from flagrant disregard of information security best practice, and even of common sense.
    The disparity between government entities that lose data and private sector companies that lose data is particularly galling when looked at through the lens of consumer choice. In most cases, the public has no choice but to share data with the government. There is no “opt-out” for paying taxes or for the retention of military service records if the citizen does not feel comfortable with the government’s security practices. In contrast, consumers certainly have the ability to choose not to spend their money with a retailer that has previously lost data. Consumers can take an affirmative decision about whether or not to share data in the private sector. The same cannot be said of data retained by the government.
    This loss of data by the government throws the progress of the payments industry into sharp relief. Over the course of the last four years data security has gone from a tangential concern of IT and security professionals to a company-wide, even industry-wide, initiative. Discussions of data security and of ways to minimize the exposure of sensitive data have become almost commonplace within the industry. Unfortunately, as data breach notification laws have become more prominent and technology for detecting attacks has improved, the media has given the impression that the state of data security in the industry has actually worsened over the years, when what has changed is that breaches are now detected and disclosed. Those who have experienced the paradigm shift of the last few years know differently.
    This article is not meant to be a rant against the apparent double standard in data security that exists between government entities and the private sector. It is meant to applaud the payments space for recognizing that a problem exists and taking steps to address it. It has not been an easy transition, and the notion of a data security standard was initially met with some skepticism. The PCI standard still often triggers pained expressions and some disgruntled murmurs. At the end of the day, though, the payments space has stepped up to the plate and taken responsibility for the data in its care.