Kroll Fraud Solutions Blog – A Dialogue on Data Security

On Monday, MA 201 CMR 17.00, which protects personal information collected from consumers, will take effect in Massachusetts. The new rules are meant to ensure the security and confidentiality of personal information, to protect against anticipated threats to the security or integrity of such information, and to safeguard against unauthorized access to and use of personal information in a manner that creates a substantial risk of identity theft or fraud.

The Federal Trade Commission (FTC) announced yesterday that it notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has leaked from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks.

Notices went to both private and public entities, ranging in size from as few as eight people to those with tens of thousands of employees. The letters state that “at least one computer file containing sensitive personal information . . . has been shared from your computer network, or the network of one of your service providers, to a peer-to-peer file sharing (P2P) network.”

There has been a resurgence of talk lately about the virtues of telecommuting as a business continuity tenet – in the face of brutal snowstorms that have battered the East coast, and in relation to more long-term factors that could put a dent in productivity. Companies hoping to boost green initiatives are also interested in telecommuting as one way to reduce the company’s environmental footprint and cut down on employee gas consumption.

The Ponemon Institute recently released its annual study on data breach for 2009, Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventive Solutions.* For the fifth straight year, the average cost of a data breach increased – to $204 per compromised record, increasing the average organizational cost of a data breach to $6.75 million. But perhaps the most compelling departure from the average is within the healthcare industry.

Are your employees using weak passwords at work? Worse yet, are they using the same password at work that they use for personal accounts, such as social networking sites? Imperva, a California data security company, recently analyzed the 32 million passwords exposed by a social networking site hacker. The analysis revealed that people still make use of weak passwords, at least on that particular site.  Almost 500,000 people used either “12345,” “123456,” or “123456789.” Another nearly 62,000 people used “password” as their password. It’s not too surprising to learn that this phenomenon is widespread, and has led some sites to block the use of extremely common letter and/or number combinations as passwords.