Situations involving the compromise of sensitive information, particularly those resulting from computer-based intrusions, have become a very real concern for organisations in a number of different industries. In 2003 and 2004 reports of businesses suffering a security breach or data compromise event were seldom heard yet by February 2005 there were as many as one per week involving companies like ChoicePoint and Bank of America.
In 2005, more than 90 organisations internationally either reported a compromise of sensitive information, or alternately, had someone else disclose on their behalf. A simple Internet search on the subject will quickly shed light on familiar names like Polo RalphLauren, DSW Shoes, Time Warner, and Card Systems Solutions. These reports are obviously not exclusive to small-to-medium enterprises; they include the names of very large organisations as well - the type of organisations that one would expect to have plenty of expertise and money budgeted for the purposes of data security.
When speaking about this subject outside the US, it is common for the topic to be dismissed as an American-only problem, when in fact it is not. Although data compromise is on the rise in the US, it is occurring internationally as well. Any private sector fraud investigator will tell you that these situations occur almost as frequently outside the US as they do within the country's borders. So why does one only hear or read about security breaches in the US? The answer involves a number of factors, but perhaps the best explanation lies in US disclosure legislation. In 2002 California Senate Bill 1386 (SB1386) was passed, mandating that any organisation handling identity or consumer-related information pertaining to Californian residents had an obligation to disclose if and when it suspected that such sensitive information may have fallen into the wrong hands. The disclosure trend kicked off by SB1386 has since spread to a number of US states and is pushing more and more organisations to escalate these incidents beyond the usual internal channels. US businesses covered by similar privacy legislation will often prepare an official Incident Report when they become the victim of a data compromise and publish it on the organisation's website. In addition, they may issue a press release or some other public statement describing the nature and scale of the incident, and follow up with a notification letter sent to each affected consumer.
It is important to note that this type of privacy legislation for sensitive information is uncommon outside the US. Because of the negative impacts a business typically incurs after such a disclosure, such as damage to the brand, the stock price, and consumer confidence, it is commonly seen as advantageous to avoid any public announcement of a data compromise unless a specific obligation to disclose exists. When responding to a potential data compromise in parts of Europe it is quite common to find that the victimised organisation has prepared a similar collection of public disclosure materials, to be used only in the event that the situation results in frequent reports of counterfeit, identity fraud, or even identity theft.
For example, in March 2005 Cybertrust was retained by an international retailer to investigate the source and full extent of a suspected data compromise. That retailer had store locations in Japan, Canada, the US, France, the UK, and a number of other countries in Western Europe. The investigation uncovered a total of 14 store locations (seven in the US, two in Canada, two in France, and three in the UK) that had been the victim of a security breach resulting in the theft of consumer information sufficient to enable counterfeit fraud. Interestingly, despite the investigation's findings, that organisation made a public disclosure only in the US. Disclosure materials, including a press release, notification letters for each affected consumer, and an official online Incident Report, were prepared and printed for the other affected markets; however, the organisation made the conscious decision to withhold any such notification unless it became absolutely necessary. To date, no public announcement has been made in Europe.
One can be sure that all of the organisations that have suffered data compromise events this year, whether or not they have chosen to disclose the event publicly, have learned some very hard lessons as a result. Having been involved in as many as one-third of all the publicly disclosed incidents this year, Cybertrust has had a great deal of insight into the hard lessons learned by the victimised organisations. These lessons commonly involve shortcomings in the organisations' IT security programs that will never be overlooked again. The individual shortcomings rarely appear in the incident reports or public disclosures notifying customers that their sensitive personal data may be in jeopardy. Instead, the details are buried in the results of the forensic analysis performed to establish the source and full extent of the exposure. The majority of the organisations that Cybertrust has assisted in responding to potential compromises are medium to large in size. These organisations tend to have suitable budgets for data security, very skilled personnel, and many of the best available technologies deployed for risk mitigation. In light of the challenges we face internationally in terms of data security, effective risk mitigation is not just a function of the right people and technologies, but also of process.
The proactive processes around ensuring optimum levels of sensitive data security are the elements most often overlooked in these organisations' IT security programs. In almost every data compromise investigation Cybertrust has been involved in, the organisation being investigated was storing some type of sensitive data that it should not have been storing in the first place. In laying the groundwork for an effective IT security program, an organisation must first have a firm handle on what it considers to be sensitive data and establish a suitable Data Retention Policy. What information cannot be allowed to leak out? On what systems does this information reside? What are the business and legal requirements for retaining this information? How is the information destroyed when it is no longer needed? The answers to these questions must be clearly defined in the organisation's Data Retention Policy.
When the possibility exists that an organisation has become the victim of data compromise, perhaps the first question that a forensics investigator will ask is, “Where on the network does that data reside?” The second question will then be, “How does the organisation ensure access to that information only based on business need to know?”
What the investigator is after is a firm understanding of the security and access controls in place and, of course, the availability of forensic data sources. The term 'forensic data' refers to accountability information, such as system, event, and activity logs, relating to accesses of sensitive data within the environment. Forensic data is often the only evidence available to prove or disprove that a given organisation has been the victim of data compromise. Without sufficient forensic data available to the investigators, it may be difficult or impossible to reach any concrete conclusion either way; logs that do not record who accessed which data and when, or that have been overwritten before the compromise is noticed, cannot answer the scoping questions above. The control measures deployed to mediate access to sensitive data based on business need to know, as well as the handling of the accountability information those measures produce, must be clearly defined in an organisation's Data Control Policy. It is interesting to note that Cybertrust has never responded to a data compromise event for an organisation that had a Data Control Policy in place.
Solidifying a position on Data Retention and Data Control will help set any organisation up for success in terms of mitigating the risks of data compromise. Unfortunately though, no one builds bomb shelters until someone starts dropping bombs. Those who are best prepared to handle data compromise recognise the implications of being victimised and at the same time, the reality that it can occur to them. To stay ahead of the game, organisations have to be set up for success in terms of response. Creating an Incident Response Plan is the first step in this direction. An effective Incident Response Plan establishes a vehicle for categorising systems-based threats into incidents of varying severity.
Each category of severity defined in the plan corresponds to a level of response. This may include, for example, who responds to the incident, how quickly, how to escalate within the organisation, how to preserve the crime scene, how to acquire evidence, when to notify the outside world, and how to document each step along the way. Often the highest-severity incidents are those that might impact the sensitive data inventories defined in the Data Retention Policy. The next category of severity may be defined as any violation of the Data Control Policy. The point is that an organisation cannot build an effective Incident Response Plan unless it first gains a firm handle on the concepts of Data Retention and Data Control within the organisation.
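To make the relationship between the three documents concrete, the following is an added example (not the page's own material or Cybertrust's tooling) that encodes a Data Retention Policy and a Data Control Policy as data, runs them over audit log lines, and grades the results using the two severity categories just described. The host names, data classes, roles, retention periods and log format are all assumed for illustration; the audit log lines and records are constructed, not captured from a real system.

```python
"""Added example: policy-as-data review of audit log lines.

Everything below (inventory, need-to-know table, log format, sample records)
is constructed for illustration and is not the page's or Cybertrust's code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Data Retention Policy (assumed): which hosts hold which class of sensitive
# data and for how long. retain_days == 0 means "must never be stored here".
SENSITIVE_STORES = {
    "pos-db-01": {"data": "card-track", "retain_days": 0},
    "crm-db-02": {"data": "customer-pii", "retain_days": 365},
}

# Data Control Policy (assumed): roles with a business need to know each class.
NEED_TO_KNOW = {
    "card-track": set(),                                   # nobody: it should not exist
    "customer-pii": {"customer-service", "fraud-analyst"},
}

# Constructed audit log. Format (assumed): timestamp host user role action data-class
AUDIT_LOG = """\
2005-03-01T09:12:03 crm-db-02 jsmith customer-service SELECT customer-pii
2005-03-01T09:40:11 crm-db-02 bjones dba SELECT customer-pii
2005-03-01T10:05:45 pos-db-01 svc_pos batch-job SELECT card-track
2005-03-01T11:00:00 hr-db-03 mlee hr SELECT payroll
"""

# Constructed records for the retention check: (record id, host, created)
SAMPLE_RECORDS = [
    ("r1", "crm-db-02", datetime(2004, 1, 1)),
    ("r2", "crm-db-02", datetime(2005, 2, 1)),
]
AS_OF = datetime(2005, 3, 1)


@dataclass
class Incident:
    severity: int   # 1 = highest, matching the response plan's ordering
    reason: str
    line: str


def parse_event(line: str) -> dict:
    """Split one audit line into its fields (assumed fixed-column format)."""
    ts, host, user, role, action, data = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "role": role, "action": action, "data": data}


def classify(event: dict, line: str) -> Optional[Incident]:
    """Severity 1: touches data the Retention Policy says must not be stored.
    Severity 2: access outside business need to know (Data Control violation).
    None: within policy."""
    store = SENSITIVE_STORES[event["host"]]
    if store["retain_days"] == 0:
        return Incident(1, f"{event['data']} must not be retained on {event['host']}", line)
    if event["role"] not in NEED_TO_KNOW.get(event["data"], set()):
        return Incident(2, f"role {event['role']} has no need to know {event['data']}", line)
    return None


def review(log: str) -> Tuple[List[Incident], List[str]]:
    """Return (incidents sorted by severity, uncovered lines).

    'uncovered' holds accesses to hosts the inventory does not know about.
    An investigator cannot scope those from policy alone, which is the
    forensic gap a missing or incomplete Data Retention Policy creates.
    """
    incidents, uncovered = [], []
    for line in log.splitlines():
        event = parse_event(line)
        if event["host"] not in SENSITIVE_STORES:
            uncovered.append(line)
            continue
        incident = classify(event, line)
        if incident:
            incidents.append(incident)
    return sorted(incidents, key=lambda i: i.severity), uncovered


def overdue_for_destruction(records, now: datetime) -> List[str]:
    """Record ids held longer than the Retention Policy allows; these are the
    answer to 'how do I destroy the information when no longer needed'."""
    overdue = []
    for record_id, host, created in records:
        limit = timedelta(days=SENSITIVE_STORES[host]["retain_days"])
        if now - created > limit:
            overdue.append(record_id)
    return overdue


if __name__ == "__main__":
    found, gaps = review(AUDIT_LOG)
    for inc in found:
        print(f"SEV{inc.severity}: {inc.reason} <- {inc.line}")
    for line in gaps:
        print(f"UNCOVERED (host not in inventory): {line}")
    print("overdue for destruction:", overdue_for_destruction(SAMPLE_RECORDS, AS_OF))
```

Run as written, the batch job reading card-track data on the POS database is graded severity 1 because the Retention Policy says that data must not exist there at all; the DBA reading customer PII is severity 2 because the role is outside the need-to-know set; and the payroll access lands in the uncovered list, because the host is not in the inventory and the policy therefore says nothing about it. That last bucket is the one to pay attention to: it is exactly the data an investigator will later have to scope without any policy or logging baseline to lean on.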