Idaho Business Review: Data breaches and customer information
Issues of information security have been hard to ignore lately, with Target’s announcement in December that hackers had accessed data from 40 million of its shoppers’ credit cards and the whirlwind in April around the Heartbleed bug, which exposed account information for some of the Internet’s most popular sites.
These and other recent breaches have raised questions among individuals and businesses about how to keep private information safe in a world where matters of increasing importance are being conducted in a digital sphere.
One June 3, Idaho Business Review assembled a panel of Internet security professionals to discuss what the risks are and how businesses can minimize those risks both for their clients and for their own security. Panelists included:
- Joy Rogers, E-Services banking manager, Mountain West Bank
- Don Bush, vice president of marketing, Kount
- CeCe Gassner, counsel, Perkins Coie
- Terry Grogan, security consultant, Fisher’s Technology
- Mark Wennstrom, Regional director of information technology, Saint Alphonsus Health System
Breaches often arise from within
In my experience, I haven’t seen a lot of external data breaches of patient information. What I tend to see more of in the industry is internal—either disclosures of information that’s inappropriate or inadvertent. An example of that would be we’re faxing information to a health care provider, but we get the wrong fax number. It goes somewhere, but we don’t know where it went—so how do you track that down? We’ve got to have policies and procedures to take care of that.
Another thing you see quite often is from colleagues in the health care industry who have good intentions, but they have a friend or a neighbor or even a relative who is in the hospital and they want to find out how they’re doing, so they might go into the system and try and look around, and again—well intentioned, but those are the kinds of things we have to have policies around. Those are the kinds of things we spend a lot of time every year educating our staff about, that that’s really a privacy violation. So we have mandatory education every year to make sure staff understand what they can and can’t do.
The difficult thing is that where a lot of the breaches are happening today. We hear about a lot of the big retailers, because those affect us and we feel like we’re vulnerable there, but about 40 percent of the breaches this year have been at universities. Why a university? Why would someone steal information from a university? Think about the regulation. Every new student entering a university has FAFSA information which has mom’s and dad’s financial information, their tax information, their Social Security numbers, the student’s Social Security information, their financial well-being, their student loans – all that information is available at the university, but for the university, their No. 1 priority may not be data security. Often times it’s an internal job. Someone goes, “Hey, I’ll pay you 1,000 bucks for that database.” It’s not a very difficult thing to do, and yet hundreds of thousands of those things are out there.
What we’re also seeing… is that once that data is out there, the most prevalent thing that’s happening to that data is account takeover. I can act and look just like you, and I can go into your bank account and say, “You know what, I need to add another user to this account. I need a new debit card, but I need it sent to my other address, and can you put this other name on it?” And because I’ve gotten into your account using your password and your data, it’s legitimate, right? You may not know for 60 to 90 days that somebody else has access to your account, they’ve done things with your credit card. It’s all legitimate—why would anybody ask you any questions, because they got into your account using the right type of information?
There have always been different laws that talk about privacy. HIPAA [the Health Insurance Portability and Accountability Act of 1996] came about in an age where the Internet was going mainstream and people were using computers on a much bigger basis, but there have always been different kinds of laws about what kind of information a company had and how they should safeguard it—it just wasn’t quite as out there, and it wasn’t as visible to people. I think HIPAA was just a little controversial when it was implemented, and that’s why people started to hear more about it and started to understand that, wow, this Internet is really fun and I can go to Yahoo and play these games, but oh my gosh there’s someone out there trying to steal my information.
I think what a number of different regulators are looking at with HIPAA is HIPAA actually has some information in there about what kind of security is supposed to be in place to back up privacy pieces of it, so it actually talks about if you’ve encrypted your data in certain ways, then you might fall into a safe harbor should someone steal the laptop or the thumb drive or break into your system. You’re seeing more and more regulators start to look at HIPAA and say this is how we should go in and investigate businesses. But you’re still seeing, because you have all these different offices that are overseeing all these different kinds of privacy laws, I don’t think we’re seeing people calling up HHS and saying, “Hey, how did this work for you? Can we do this over at the FTC?” I think there’s still a lot of evolution and a lot of growing by the companies and the regulators that are overseeing this area.
One of the things I like about working for a faith-based organization is that we … feel strongly about making sure our patients can trust us to keep their data secure. We were doing lots of things like that before HIPAA, but HIPAA has really caused us to tighten up our policies and procedures. …
HIPAA calls for things like minimum necessary access, so we make sure that based on your role in the organization, you only have access to the data that you need to do your job and nothing more.
Within the applications that we have we have the ability to limit the areas that a colleague can get into based on their role. Let’s say for example that you’re a nurse, and as part of your role, you have the ability to go in and look at patient data. I can’t keep you from looking at someone else’s data that you’re not taking care of. We have to have reporting. … We have an integrity hotline so if someone notices someone doing something inappropriate, they can call the hotline and report it. It’s all about education and having the right policies in place to take care of an incident if it does occur.
We have an obligation to secure the information we have from all of our customers. We are bound by a lot of these same rules, and now the government has pretty much put us on the spot to be educators to our businesses in regards to how you’re going to protect your information and what is the bank doing to protect your information. So again, we’ve got these firewalls, we’ve got these other layers of security that we’re using throughout our system, and we have to actually do all these checks and balances to ensure that we don’t see any discrepancies. If something were to occur, there are a lot of red flags that can arise, and that’s where we have to take that measure to notify appropriately.
A couple years ago, the Do Not Track legislation started going through several states and the federal government. It was based on the Do Not Call list – they figured Do Not Track was the same thing. You don’t want Big Brother tracking your computer, right? The best way to manage fraud is to be able to determine the device it’s coming from. If Congress would have passed Do Not Track legislation, you would have seen mayhem, and I’m not underestimating that. Criminals can say don’t track me, either, and all of a sudden people come into the bank, people come into the store, and you have no idea who they are. You can’t track them legally. So we’ve got to be very careful with regulation. Most businesses want to protect themselves and the consumer. They don’t like having bad things said about them, a la Target and Michaels and eBay. They want to protect you and themselves. Sometimes regulation goes overboard. It costs us an awful lot of money to maintain that, and it still doesn’t do that much for us except give us a bit of a warm fuzzy.
We come in with the approach that we want to educate you before you start using online banking. We enforce a couple security measures that we just require no matter what, and the education to your staff is probably the most important. And that comes back to this internal threat that can potentially happen. If you haven’t educated your employees, whether it’s inadvertent or advertent – and typically it’s inadvertent, they didn’t realize that they did something that potentially puts your business at harm. We come in and we talk about some of these things. We talk firewalls, we talk about the other pieces you need to do internally before you move to an online channel.
Crooks are always going to be out there. Our approach is to come in and really explain to a business customer that you can still be efficient and manage your day-to-day operations in an online world, but understand and know the security efforts that need to be put in place. The more things that you put into place to deter someone from trying to hijack your account, is probably the best way. If they can’t get in with the first couple things they try, they’re done and moving on to the next one where they know there’s going to be a vulnerability.
It’s very easy for a user to find … something that they perceive as an inappropriate barrier to them doing their job. That can happen a lot. One of the biggest issues I have with people that do what I do is they have the propensity to say no to everything—no, you can’t do that, and no, you can’t do that. Well, that’s not the right approach. The right approach is to find out why you need to do it. If there is a legitimate business reason to have port 21 open on the firewall, then find a way to make that happen, but saying, “Okay, if you do this, this is what the risk is, and this is what we can do to mitigate the risk.” It’s really important to me to be able to identify as much of the risk as possible so that person, that individual at the company who is ultimately responsible, whether it’s the CSO or the CEO or the board of directors in general, they need to have that information in order to make informed decisions. It’s just like any other business transaction. If someone goes into a bank and wants a loan, well, what are you going to use the money for and what does your credit history look like? They want to get some idea of what their risk is before they say yes. So in my opinion it is unethical to misrepresent the risk to a CEO or decision maker, even if it’s misrepresentation through a lack of information where I didn’t really do as thorough a job as I should have at identifying what the risks are. The decisions can only be as good as the information they have. …
Everyone’s talking about Target now, and Michaels was also big, and eBay and others. In one regard, from a business perspective, it’s great in that we have this thing that we can point at that just happened. Before Target, we were looking back at T.J.Maxx, and that happened several years ago. When you have a major event that happens like that, and here and now it’s very important to you and everyone’s aware of it, all of a sudden everyone gets serious about taking care of this stuff. But then the longer that goes, people think, well, that was a fluke. The longer it ages, the less of an impact it has. So having these high profile events is doing a lot for awareness.
The best service I can supply to clients is talking with them about what are their own protocols, what are the processes that they go through, making sure they’re in compliance with regulations, and also to take a look at their contracts and their business relationships.
I try not to get involved in recommending certain vendors, that’s really not my place to be, but there have been times where I can just kind of tell from looking at the documentation and contracts that my client gives me that the other side wants them to sign, where I can just say, “Let’s talk about this. What was your due diligence in choosing this vendor? What process did you go through?” Sometimes you can just tell that there’s a lack of sophistication there, and if it’s something that’s mission critical, maybe they should go with a different vendor or someone who’s had more experience in that area.
And sometimes it’s just as simple as reminding my client that you really should have your own security policy for your business. It’s not just at the payment processing stage, it’s also do you issue laptops? Do you allow your personnel to bring their own device and use that to access your websites and your email systems with? And let’s really talk about what kinds of practices you need to implement in your company just to try to minimize any risk that through your employee, someone’s going to get access to your system.
That’s one of the easiest ways for criminals to get into the system. … That’s a big problem when you look at HIPAA breaches, for example. At least 50 percent of the breaches that are reviewed are because someone inadvertently left their laptop somewhere, or maybe their tablet was stolen out of their car. It’s doesn’t have to be that a criminal is looking for data—they just want a fence to go buy drugs, maybe. But you now have a HIPAA breach that you’re dealing with because they didn’t lock the door.
Layers of protection
More [protection] is not always better. Sometimes more is self-defeating. Chances are, in probably 95 percent of organizations, more than what you currently have is probably better. But yes, there is a point. There is always a balance. Just as in your ability to do your job and to do make your business profitable and work, if you have too much security then it starts to impede your business process, and that’s not a good thing. …
One of the first things that any organization should do, regardless of their industry, is identify what types of data they have and what types they need to do business, and where that data is in the organization, whether it’s hard copy or soft copy. … So once you identify that, then you know where to put security controls. And the same concept applies of the least privilege role-based access: segmenting your network, applying layers to the different segments.
Everyone knows you need a firewall, but if you look at the way castles were built, they didn’t just have an outer wall. They also had inner walls, and within the inner wall was the most defended part. So when you know what data you have and how that data impacts your business processes, that gives you the criticality of that data. The more critical the data is, the more important it is to you and your business, the more protections you should have around it. The best thing you can do is to architect your network and your infrastructure to the point where you can put the really, really important stuff in a place where you can have lots of protection around it, rather than try to put all of this protection around the entire network.
Our financial institution has put layers in place that’s just not going to allow [an imposter] immediate access. While the client can still have the ability to be efficient and create [an additional] user, it still puts them in what we call a “held” status. We, then, the bank, make that phone call back to them – we originate it – to verify legitimacy — did you really set up this user?– before a transaction can even occur.
We recommend that you change your password frequently. For any of our customers that transact business outside of their account, not just internally, we have an additional token, and a lot of banks do this. It’s a little device that prompts another security code. … So that’s one, and that’s just how we authenticate you a little bit, and that’s what the system looks for, but then we’ve added all these other things. Let’s generate an alert [so] every time you perform a transaction, you’re going to get this email or this text message—well, if you didn’t do it and get this text message, you’ve at least been alerted with enough time to contact your financial institution. And there’s several other factors.
What Kount does — let’s run down a scenario real quickly. You go online, you want to buy shoes, a laptop—it doesn’t really matter. …You go online, let’s say to Staples, you click on the computer you want to buy, you go to shopping cart, you go to checkout, and when you go “buy,” “purchase,” “submit,” whatever, that’s when Kount’s software comes into play. We look at literally hundreds of pieces of data. The interesting thing is I know more about you when you shop online than when you stand in front of me and present a credit card at the store. I can tell more about you – whether it is you or someone pretending to be you. What Kount does is look at all these pieces of data and recommend to that retailer, Staples in this case, … whether we believe it’s a fraudulent transaction or a legitimate transaction. With that data, we can make lots of determinations. We’re in a very unique position where we get to see things happen before they affect you. What we look at is once that data is out in the ecosphere, and once it is starting to be used – we call that “weaponized” – once that data is starting to be used, we look at it and with all of our technologies and patents, we determine whether it’s legitimate or not.
The least privilege [access control] concept is essentially that if I have a particular job in an organization, then I should have access to the information that I need, but not access to information that I don’t. That can take extremes on either side. I’ve seen some organizations lock down their work stations to the point that you almost can’t use them and they become very frustrating for the user, and on the other side, you hear the term “role-based access control.” That’s a lot of, as Mark said, you have a nurse, and she’s in a particular role, so you have to be able to give nurses access to certain information. That particular nurse might not need information about patients on this wing or that wing, but they do need to know this aspect. So it can be challenging to narrow it down to the point where we don’t really have to worry about it—and I say that tongue in cheek. You always have to worry about it. But you have a little more assurance of the limits you’ve put on. When you can’t implement a particular security control to the level that you wish you could, the next best thing is monitoring. That’s where you’re looking at the access control logs, the audit logs, on a regular basis, and flagging the fact that Nurse Jones accessed information on a patient that really is not in her purview. That would kind of lead the security folks to elevate that to a point that they would start logging what Nurse Jones is doing and maybe go back and see if Nurse Jones has been exhibiting inappropriate behavior electronically in the past.
What we’re starting to see is the large card brands, the large issuing banks are starting to shift the responsibility back to the consumer. It’s already taking place in different countries in Europe and around the world in different regions, where right now if somebody stole your credit card and bought something, you could call your bank and go, “That wasn’t me,” and they say, “All right, sign this affidavit, great, you’re liable for $50” or whatever that minimum is, but you get your money back. Who loses? The bank loses money. They go back to the merchant and pull the money out of the merchant’s account, so the product is gone, the money is gone, and then the bank will fine the merchant – that’s called a chargeback. The merchant can’t live very long with that type of a process. Criminals are getting to be very, very good at that. What’s happening is new regulation is starting to shift the liability and make you, the consumer, more responsible for what you do. … As a consumer, there’s some very simple things that you can do. As Americans, and I’m an American so I can say this, we’re pretty darn lazy. Simple things like changing your passwords on a regular basis. This Heartbleed thing that happened—change your password. Ninety-eight percent of the time it takes care of the problem, but we don’t. We have the same passwords on 14 different accounts so when somebody gets one, they get them all.
Working with vendors
Certainly we take a lot of internal measures, but when we submit claims, for example, for payment, we have to rely on a third-party claims administrator and third-party payers to have all the security in place that they need as well. That’s why we have business associate agreements that talk about what the responsibility of each party is and what the liability is if something happens and so forth. We do risk assessments before we enter into an agreement to do business with anyone. We do a very thorough security and risk assessment to make sure that they’ve got all the security in place that we need.
What we are seeing is criminals are going after big companies less and less because they have more money, resources, time, expertise – they can hire data analysts, they can hire fraud analysts and so forth. But if you’re outside of that top 1,000 or 5,000 and you’ve got three flower shops here in Boise and Meridian, you don’t have that expertise, and criminals know that. They’re moving down the food chain because it’s less protected. They can turn things into cash quicker. …
People go into business online because they have a passion and a love for ski equipment, [for example]. They are not fraud experts, they are not payment experts, they are not IT experts. And yet, people try to grow their own, they try to do their own thing, and it’s not until they get into trouble that they say, my goodness, I’m in way over my head. … Most people need to step back and say, can I provide the expert information to do this, or should I bring in a trusted partner? … It’s going to cost them generally more upfront, and they usually are surprised at what it costs to do it right.
Source: Idaho Business Review