Cyber Eye: Standards are needed to handle personal data
In my last column I referred to the loss of financial data about 3.9 million people as the largest incident of its kind 'as of this writing.'
Before that column got into print, the scope of the problem increased by an order of magnitude with the exposure of records on 40 million credit card accounts. This faux pas on the part of credit card processor CardSystems Solutions Inc. of Atlanta was significant for several reasons besides its size.
First, unlike many recent incidents that involved social engineering or the loss or theft of physical media, the CardSystems breach appears to have been the result of hacking: malicious code apparently was introduced into CardSystems' network. This despite the fact that CardSystems was compliant with the credit card industry's security standards.
Second, CardSystems said it first learned of the breach May 22 but kept mum until MasterCard, one of its compromised customers, announced it nearly a month later. CardSystems said the FBI had told the company to keep its mouth shut. The FBI denies this.
All of which points up a clear lesson: Self-enforced industry standards for data security are inadequate. We need national standards for securing and managing sensitive personal data, no matter who keeps it or why.
Why agencies care
The problem is of greater significance given the government's increasing reliance on commercial data brokers in gathering data on individuals.
Because there are no standards for handling this data, there are no assurances that the data the government is using in its investigations is accurate. Have you been put on that terrorist watch list because you are a genuinely shady character, or because a shady character hijacked your credit card account?
A good argument could be made that neither the government nor CardSystems nor ChoicePoint has any business collecting this data. Even as we argue whether feds should gather personal data, we should make sure the data is accurate and protected.
William Jackson is a GCN senior writer. E-mail him at email@example.com.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.