Data Privacy Day a time to end personal security complacency
WTN News, WI, By Joe Campana, January 28, 2009
Madison, Wis. – On January 28, 2009, the United States, Canada, and 27 European countries will celebrate Data Privacy Day together for the second time. The purpose of this annual event is to raise awareness and generate discussion about data privacy practices and rights. In recognition of Data Privacy Day, I have produced two videos and have written special feature blogs for the week.

Yesterday I posted my first video on this blog to demonstrate how easily Social Security numbers can be accessed on the Web, especially on public sector Websites. Data Privacy Day promotes privacy awareness and education among teens, especially about online privacy. On Wednesday, Data Privacy Day, I will be posting tips about “Teen Privacy Online.” Data Privacy Day also promotes general awareness education among the public and business community on allied topics such as identity theft, national security, social networking, information security, data destruction and data transfers. On Thursday, I plan to post a video demonstrating why data encryption is such an important security safeguard for laptop users.

Data Privacy Day activities in the United States include corporations, government officials and representatives, academics, and students. Privacy and information security are required of all sectors (private, public and volunteer) under numerous state and federal laws. Consumers expect every sector to safeguard the sensitive information they entrust to it. Local governments want to create a “privacy-friendly” economic climate, where consumers can live, play and conduct business safely with a minimal risk of identity theft and of having their right to privacy violated. Data Privacy Day serves the important purpose of furthering international collaboration and cooperation around privacy issues. I intend to do my part in recognizing this important day this year and in the years to come. What about you?
Your Social Security Number and birth date may be available to anyone on the Web, or to anyone who visits your local city or county clerk’s office. If they are, it is easy for identity thieves to use your information for financial fraud, to commit crimes in your name, to gain employment illegally, to get medical treatment under your name, or to carry out many other types of identity fraud. I produced the aforementioned video on Social Security numbers to give one example of a county Website that allows access to sensitive information without much ethical or legal concern about the consequences to taxpayers. Identity theft has been estimated to strike 10 million or more Americans each year, and some local governments seem to have little concern. Identity theft can take years to resolve and cost you thousands of dollars. As a taxpayer you should also be concerned because our local governments and officials could face expensive lawsuits and penalties, which will be paid with our tax dollars.

If your business or organization (non-profit, school, local government) accepts credit cards, you are subject to the Payment Card Industry Data Security Standard (PCI-DSS). I write for small organizations, and from my viewpoint as a security consultant, the PCI-DSS is extremely onerous on small enterprises. There is a positive side to PCI-DSS compliance, however. First, merchants that comply are shielded from liability with the card companies in the event of a breach. Second, compliance lowers your risk of a data breach and thus helps foster consumer trust and confidence. Most small merchants have never heard of PCI-DSS; sometimes I describe it as a closely guarded secret. If merchants realized the risks and liabilities they take on by accepting credit cards, they would look for third-party alternatives to handling card data directly, or they might choose not to accept credit cards at all. A merchant that is 100 percent e-commerce can drastically reduce its PCI-DSS scope by using a hosted payment solution like PayPal, so that card numbers never touch its own systems.
Once credit cards are accepted in person, by phone or by e-mail, excruciating security requirements must be implemented to comply, or the merchant is exposed to significant risk. According to Forrester Research, the average cost to a merchant is $300 to $600 per compromised credit card, including fraudulent purchases, fees and legal costs. For a small merchant with 100 compromised credit card records that is $30,000 to $60,000; a thousand records will cost $300,000 to $600,000. Either figure can drive a small merchant into financial crisis, if not out of business. Yet the financial liability is the least of the problems: customers will be coming after you too.

Inauguration Day marked the announcement of potentially the largest credit card data breach in history. Journalist Brian Krebs runs the Security Fix blog at the Washington Post. Read the comments on his blog concerning the mega-breach at Heartland Payment Systems to get a sense of how the public and, more importantly, your customers will react to a security breach announced by your organization. Some of the language consumer bloggers used against Heartland Payment Systems includes: deceptive, cover up, shut down, criminal negligence, idiots, do business elsewhere, bankruptcy, irresponsible, jail, and class action lawsuit. One law firm blogged a promotion soliciting potential victims to join a class action lawsuit against Heartland Payment Systems. Now close your eyes and imagine that your organization compromised just 10 or 100 accounts. Listen: do you hear 10 customers at your door shouting those same accusations?