Lax policies, not bad auditors responsible for stolen data

By Shamus McGillicuddy, News Writer
14 Sep 2006 | SearchCIO.com

A lost laptop here, a stolen backup tape there. With the daily horror stories about compromised data, customers and employees are demanding that companies get their data security houses in order.

Customers should be burning mad, say experts. Companies that hand personal information over to third parties, such as public accounting firms, are responsible for preventing that data from getting into the wrong hands. Unfortunately, too many of them are lousy at it.

Security troubles
According to the San Diego-based Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization that tracks instances of major data security breaches, a number of breaches were disclosed in the past several months.

Aug. 26: Wells Fargo, the San Francisco-based bank, disclosed that a laptop containing employee Social Security and healthcare information was stolen from the locked trunk of a vehicle belonging to an employee of an undisclosed third-party auditor.

Aug. 5: Oil giant Chevron Corp. said an undisclosed public accounting firm auditing Chevron's benefits plan lost a laptop with personal information on 59,000 employees.

Feb. 23: Security vendor McAfee Inc. revealed that a Deloitte & Touche LLP employee left a CD containing data on 9,290 McAfee employees in a seatback pocket on an airplane.

July 25: Deloitte & Touche revealed an employee lost a laptop containing information about 12,000 employees of Armstrong World Industries Inc., a Lancaster, Pa.-based floor, ceiling and cabinet company.

May 23: Buffalo, N.Y.-based M&T Bank Corp. announced that a laptop computer owned by PFPC Worldwide Inc., a Wilmington, Del.-based company that provides the bank with record-keeping services, was stolen with account information for an undisclosed number of customers.

Although experts say it's the exception rather than the rule, the number of recently disclosed incidents makes the problem hard to deny. Wells Fargo & Co., the San Francisco-based bank, became the latest victim of allegedly shoddy data protection by an outside auditor. Last month, a laptop containing employee Social Security and healthcare information was stolen from the locked trunk of a vehicle belonging to an employee of an undisclosed third-party auditor.

Richard Stiennon, chief research analyst at IT-Harvest LLC, a Birmingham, Mich.-based security research firm, said such a breach implies that Wells Fargo has been lax in dictating best practices on data protection to its auditors.

"But it tells me more about the auditor, really. The auditor is following sloppy practices. When I was an auditor and a Gartner analyst, you wouldn't believe what I had on my laptop," said Stiennon, a former manager in PricewaterhouseCoopers LLC's Technical Risk Services group. Stiennon said it was his own personal policy never to let his laptop out of his sight when it had sensitive data on it.

Handing over sensitive data to outside auditors is common practice -- it's required by law -- and nothing new. Neither is data theft. But the rules have definitely changed.

Banks have been the target of data theft for years. "But 20 years ago there wasn't anything you could do with that data other than demonstrate that [the bank] couldn't protect it," Stiennon said. "But things changed. Regulations changed, the environment changed, and business practices that hadn't been looked at in a while had to change."

Stiennon said that years ago, some financial services companies would ship backup data tapes containing customer records as baggage on passenger planes. Boxes containing the tapes would show up on a baggage carousel at an airport, where a company employee would pick them up and take them to the office. Sometimes those boxes would disappear. Thieves would ransom the data back to the victims, who would pay in order to protect their reputations.

In addition, with the rise of identity theft and the advent of laws requiring disclosure of data breaches and notification of those affected, the necessity of protecting data has become obvious and essential. California's security breach notification law, for instance, took effect in July 2003.

In most organizations, the CIO isn't the one hiring the auditor, but he or she could be culpable if data is breached. CIOs are tasked with protecting all data, regardless of whether it's within the company confines or not. A company can have the best security practices in place, but one careless auditor and you're front-page headlines.

Companies can point the finger at outside auditors. In fact, legal experts say there will be a wave of litigation over who is ultimately responsible in this kind of data breach.

Best to lower your risk from the get-go and spell out liability in a contract, said Edward McNicholas, a partner with Sidley Austin LLP, a Washington, D.C.-based law firm. "You want it to be clear who's going to bear the loss." Work with your firm's legal counsel on the details and wording.

In addition, insist third parties share your security standards and policies before letting go of any data, Stiennon said.

"Doing things on a data protection level is made much more difficult because the standards don't exist yet," he said. "Enterprises have to make sure their own standards are adhered to. Your auditor will say, 'We don't do that.' You say they must. Then they charge you extra."

Get it in writing, said Avivah Litan, vice president and research director at Stamford, Conn.-based research firm Gartner Inc. CIOs should insist on writing strict data security standards into contracts. For instance, auditors should never leave unencrypted data on an unattended laptop.

"Establish all these rules that they have to abide by. Then you audit it and take their business away if they fail," Litan said.

Stiennon said, "My sense is that very few test those rules. But there are a large number that have those rules, which is a first step. Once an auditor is aware that they've signed something, they take those rules very seriously."

Litan said companies should set up compliance offices to hold third parties to their security standards. "Dedicate at least two or three people to establish policy. It's not a full-time thing. But you will need one or two people auditing on a full-time basis, depending on the size of the customer base," she said.

Ultimately, the best method of protecting shared data is to prevent third parties from taking the data outside the company.

"One way [to protect data] is to keep things internal and not allow the data out," Stiennon said. "It's a very simple step. When the auditors come in, allow them to bring software but make them use your computer. That's a direction I highly recommend. It's fairly straightforward."

But this approach is not always possible, especially with auditors from government agencies that have no contractual relationship with the company. In other cases, regulations require outside auditors to retain data on their clients for a certain period of time. Stiennon said companies should address this issue in the contract by requiring the auditor to hold the data in a secure manner.

With business partners, the issue of shared data should be more straightforward, Stiennon said.

"When you're setting up a business relationship, that's when an internal policy has to be compared to the business partner's, and you have to find some common ground that satisfies both organizations," he said.

All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy