Protecting the confidentiality of information

Nevada's No. 1!

No, I'm not referring to the big Nevada Wolf Pack win over California. I'm referring to the Federal Trade Commissions report that Nevada is number one in the nation for identity theft as a result of payment card fraud!

As Nevada's identity theft expert I read dozens of stories on successful attacks against organizations everyday. Often when these attacks hit small or mid-sized organizations it's a death blow resulting in bankruptcy and employee layoffs.

These attacks are known as Information Security Breaches. ISBs are internal or external, caused by rogue employees, improper disposal, and cyber attacks.

Let's look at this in simple terms: Consider your organization as the City of Troy from history. To protect the city, stone walls were built to keep out thieves and armies wanting to steal gold. Troy placed lookouts atop the walls to observe not only the outside, but what's happening inside. The roles of citizens inside were two-fold: By profession they're blacksmiths and butchers. However, for security purposes they're trained to identify rogue bandits inside and defend Troy from armies outside. Communications with outside villages providing goods and services consisted of messenger and carrier pigeons.

Marauding armies would attack villages to obtain valuable information on Troy's defenses. Because Troy was impenetrable by physical force, they resorted to catapults launching diseased animal carcasses over the walls to spread viruses inside the city. The Greeks utilized the first "spear phishing" attack by building the Trojan horse. Although some warned against allowing the Trojan horse into Troy, we're all aware of the outcome.

Since 1200 B.C. the tools have changed, but the methods used have remained. Large armies are replaced by a single identity thief. Messengers and carrier pigeons are replaced by telephone and Internet susceptible to interception. Villages are now outsourced service providers such as IT, payment card processors, accountants, tax preparers, etc. that you are required to ensure by contract they protect information you grant them access to. Rogue bandits have been replaced by rogue employees.

Attacks are no longer done by antiquated catapults, but by launching denial of service attacks, social engineering, dumpster diving, and emails containing phishing attempts or viruses. Protective walls surrounding the kingdom have been replaced by firewalls, anti-virus and spyware and malware programs.

Citizens who were trained as lookouts and protectors are now human firewalls. Human firewalls help identify and defend against internal and external threats to your organization and are your first and last line of defense against an attack.

The gold thieves now seek banking credentials, payment card information, and sensitive customer and employee information maintained by your organization.

The most common method of attack is from rogue employees. Eighty-seven percent of identity crimes are a direct result of organizations failing to use reasonable security measures to protect information. Of that, almost 70 percent of identity crimes are intentionally committed by a trusted employee, says a Michigan State University study.

Just ask the doctor whose clerk stole patient information. During sentencing, the doctor told the judge his clerk affected credit scores of patients and almost destroyed a practice of 35 years. It placed a huge financial burden on his business because he was required to repay $110,000 to credit card companies for his employee's actions.

The owner of a deli was informed his customers had become victims of identity theft. Identity thieves accessed his credit card system intercepting payment transactions. The deli owner said that as soon as information about the breach was made public as law requires daily sales fell over 50 percent.

The owners of a marketing firm are facing bankruptcy after thieves stole their online banking credentials and $164,000. Unknown thieves made five wire transfers from their account.

The cost to organizations responding to data breaches continues to rise. According to the Ponemon Institute, the average cost of data breaches to businesses surveyed increased from $6.65 million in 2008 to $6.75 million in 2009. The most expensive data breach in the 2009 survey was nearly $31 million; the least expensive was $750,000.

Nevada's new identity theft prevention law NRS-603A holds your organization responsible for the information you process or allow outsourced service providers to process. Reasonable security measures require an information security program and ongoing employee security training from your Information Protection Manger.

Organizations meeting the requirements of NRS-603A greatly reduce their exposure to attacks and are provided safe harbor in the event a breach occurs. Organizations not compliant may face loss of monetary assets to thieves, loss of clients, business license, severe fines, sanctions and liabilities for damages. Speak to your Information Protection Manager about your compliance with NRS-603A.

Organizations failing to build protective walls and train staff will become history like Troy.

Tom Considine, a Certified Information Privacy Professional and member of the Nevada Fight Fraud Taskforce, is president of Considine & Associates in Fallon. Contact him through www.TCIPP.com.