Yesterday another story emerged that has created some buzz regarding the current threats to our nation’s information security, leading off with a recent case of information and identity theft by a company insider at a major financial institution.
With the number of layoffs on the rise in the financial field, how safe is anyone’s personal financial information anymore? What exactly is walking out the door, and who is ultimately liable for the losses?
This from Newsweek yesterday, December 8, 2008:
Rebollo’s case isn’t as unique as banks would like to believe. If the wounded financial industry and its confused customers weren’t suffering enough, add another crisis to the list: Cybersecurity and privacy analysts say American banks and financial services organizations are facing a major spike in data breaches, many of which are caused by company insiders siphoning sensitive data for profit.
According to the reports of FBI officials who arrested him in August, 36-year-old Rene Rebollo spent his Sunday nights last summer copying a total of more than 2 million of Countrywide’s customer records to a flash drive and selling the data to identity thieves.
That one should not be a surprise to anyone familiar with the temptations of human nature, and some people’s failure to overcome them. But what about the wholesale mishandling of sensitive, confidential, and proprietary information in this age of print-and-toss business habits? What are the costs?
What of the dozens of boxes of personal financial information, credit reports, social security numbers and other sensitive information that were found in a dumpster behind an apartment complex in Georgia? They had been in the custody of Ameriquest.
Or how about the Division of Motor Vehicles Colorado, the University of Utah Hospitals and Clinics in Salt Lake, Monster.com, the University of Miami and Fidelity National Information Services, who themselves are responsible for more than 10 million private records being exposed to theft or worse – actually being used by identity thieves?
And do you remember when WaMu, the troubled national lender, was discovered to have shipped sensitive loan documents to Mexico in semi-trucks, with some 10,000 records lost in transit? Don’t underestimate the threat that shrinking budgets and layoffs pose to your data security. In these heady and uncertain economic times, don’t we want to know where our data is day and night?
Recently I learned a big lesson about the importance of information security and regulated access to systems and data. Unfortunately, it was a painful one, with potentially untold repercussions yet to come. But my experience with unauthorized access is not unique, as literally millions of consumers are threatened with exposure to fraud and identity theft every year.
In my case, it was due to my own carelessness, but for many others the exposure is beyond their control and is due to lapses in security protocols, inadequate third-party controls, and plain old human error.
Financial companies, banks, government and non-government organizations routinely lose data of the most sensitive nature, exposing hundreds of thousands of people to potential financial ruin and personal loss.
More shocking yet is that the black-market value of personal data has produced a healthy trade in people’s personal information, and this is increasing the instances of data theft by employees and staff within these supposedly secure and trusted institutions.
The record unemployment levels in the financial industries, the threat of further bank closures, government sponsored take-overs, and outright buyouts by the competition create an environment rich in the temptation to misuse private information for personal gain.
Aside from the obvious damage to the folks whose data is sold and possibly used for illicit purposes, there is growing concern amongst the corporate executives, boards of directors, and legal departments of these organizations that they also may be exposed to tremendous risk and potential professional liability from these breaches of security.
The threat of criminal liability as well as civil and class-action litigation is greater than ever before.
Then there are also the losses borne by the equity stakeholders in these organizations: the devaluation of their portfolio holdings, the risk of diminished returns, and ultimately insolvency. The losses could begin to reach levels that exceed investors’ tolerance for risk, and access to much-needed capital may dry up.
I am pleased to announce our new website, Information Security Resources, which will examine these issues from both a financial and a technical perspective, examining areas of lax governance and inadequate security protocols. More importantly, we will be offering solutions and best-practices advice from some of the leading players in information security and financial analysis in the nation.
Our goal is to help financial industry stakeholders, government regulators, and the public better understand and address the mounting information security threats inherent in the current financial crisis.
Our concern is centered on the failure of organizations to adequately protect regulated systems and data. Our current focus is on the exposure of private information and sensitive systems during the financial meltdown, including identity theft, privacy breaches, stolen information, credit card fraud, and other enormous liabilities.
We believe this is the next national security, shareholder derivative, D&O liability, regulatory, consumer product safety, and class-action issue. We teach you how to find this problem, and fix it.
In addition to the obvious threat to market stability, the financial debacle has the added element of national and global security concerns. We believe we are among the very first working to highlight this national security problem.
Our team lead is Kevin M. Nixon, a Master Security Architect (MSA); Certified Information Systems Security Professional (CISSP); Certified Information Security Manager (CISM); Certified US Domestic and International Regulatory Professional; and Licensed Private Security Consultant.
Kevin has over 25 years of experience in MIS design and development, Information Security, Business Continuity and Disaster Recovery, US and European Regulatory Compliance, and has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee.
Kevin has served on infrastructure security boards and committees including:
♦ Disaster Recovery Work group for the Office of Homeland Security (which developed the National Strategy to Secure Cyberspace)
♦ Executive Board of Directors, Internet Security Alliance (ISA)
♦ Chairman, Best Practices Information Security Management Committee, ISA
♦ Executive Board Member of the Accredited Standards Committee, X9, Inc. (the not-for-profit that develops technical standards, certified by the American National Standards Institute, for the financial services industry)
♦ US Voting Delegate to the International Standards Organization (ISO), Financial Data Protection, Privacy and Security Standards TC68-SC2 & US TC68-SC6
♦ Consultant to the Federal Trade Commission (FTC) on the administration and rollout of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) Web Portal, AnnualCreditReport.com.
Kevin’s other contributions include:
♦ Co-Author of a 3-Part Series of “Common Sense Security Guides”, including THE COMMON SENSE GUIDE FOR SENIOR MANAGERS – Top Ten Recommended Information Security Practices, 1st Edition – July 2002, Internet Security Alliance, which is now used by the US Department of Homeland Security, National Association of Manufacturers, American Bankers Association, The National Federation of Independent Businesses, The National Cyber Security Alliance, Financial Services Coordinating Sector, TechNet, and US-India Business Council
♦ Appeared as Cyber-terrorism Expert on CNBC’s Squawk Box with Mark Haines
♦ Appeared as Identity Privacy Protection Expert on KUCI Radio’s Privacy Piracy with Mari Frank
Kevin’s business experience includes serving as the Banking Security Officer of World Financial Network National Bank. Kevin has held positions of oversight of all regulatory compliance, data security, and data privacy issues, compliance with FFIEC Banking Regulations, and direction of OCC and SAS 70 Audits for his clients.