GovInfoSecurity.com has a timeline of data breaches affecting US Financial Institutions in 2009. “Stolen or Missing Hardware” was cited in a number of the incidents, along with “Insider Theft”.
These data breaches could lead to penalties under a number of state laws. The FTC could also impose fines under the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to safeguard consumer data.
Data Security, Financial
HSBC has been fined over £3 million ($5 million) for data security procedures that failed to meet Financial Services Authority (FSA) requirements.
The FSA said that, in April 2007, HSBC Actuaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.
Costly data breaches like these can be avoided by using remotely managed portable storage. Not only is the data encrypted at rest, but a lost device can be flagged so that it wipes itself the next time it is plugged in. The organisation that issued the device then has a log entry showing the date, time and location at which the data was destroyed, which is the kind of evidence a regulator asks for.
Data Security, Financial, Portable Storage
Last month the FTC cracked down on a mortgage company for violating the privacy rules in the Gramm-Leach-Bliley Act (GLBA). The lack of information security measures is going to cost the company 10 years of audits.
Agent Genius has a good rundown on how GLBA affects financial institutions like banks, insurance companies, brokers, lenders and so on. As the author notes, “financial institution” can be broadly interpreted.
Data encryption with the ability to log and audit should be a key part of any GLBA compliance plan. Regulators want to see clear proof that information security policies are in place and are being enforced.
Data Security, Financial
Nate Cote, VP of Product Management, chats with BankInfoSecurity.com at RSA Conference 2009. Nate discusses how Kanguru’s encryption and management solutions fit into the broader security and compliance architecture.
Direct link to audio.
Data Security, Events, Financial
Government entities are leading the way in data breaches so far this year.
According to ITRC, a nonprofit organization whose work is supported by a Justice Department grant, the government and military sector were the chief offenders, accounting for 78 percent of all exposed records with just 22 breaches.
To be fair, the bulk of those records were lost in a single incident at the Arkansas Department of Information Services. Among the other sectors, banking and financial companies did the least damage, with 12 breaches and 288 records exposed.
Data Security, Financial, Government, Healthcare
GCN’s William Jackson discusses the ethical aspects of the breach at credit card-processor Heartland Payment Systems.
The Privacy Watch blog at PC World points out that the public notification was probably due to state data breach notification laws. Similar laws now exist in 44 states. Associate Editor Erik Larkin does not believe these laws are effective enough and would like tougher penalties:
No matter how careful we are in protecting our identities, the vast majority of our sensitive data is held by companies over which we have no control. Those companies need the right incentive–or threat–to care about our data as much as we do.
On the other hand, a class-action lawsuit was filed just one week after the public notification – probably only the beginning of Heartland’s legal troubles.
Data Security, Financial