At a point when data security and fraud protection are becoming more important issues for retailers after a recent spat of high profile data breaches and new hearings on the issue in Washington, FBI investigators have discovered that over 90 percent of the data breaches reported to the agency were entirely avoidable had businesses taken adequate steps to protect sensitive information.
At the Online Trust Alliance’s Data Privacy and Protection Town Hall in New York City FBI Special Agent George Schultzel revealed that companies had “little to no security whatsoever” in 90 to 95 percent of the breaches that the agency handled, and that they were the victims of hackers striking out of “convenience.” At the meeting, Schultzel made recommendations that companies begin to draft and implement security plans to prevent easy hacking in the future, and to feel comfortable coming to regulators with questions or concerns regarding implementation.
One suggested method is to use educational programs to warn about different ways hackers can access data, specifically spearfishing campaigns that enable hackers to access data through encrypted emails containing malware. Other methods include increasing usages of data encryption as well as minimizing the amount of data a company has stored on file. One example, cited by panelist Clark Russell, deputy chief of the Internet Bureau at the office of the New York attorney general, was of a hacked company that reported a breach involving hundreds of Social Security numbers that the company had not needed in more than a year.
Most panelists, including Schultzel and Russell, also see regulatory reform as a possible means to ensuring that companies report breaches and security concerns in a timely manner. One bill in New York would include “safe harbor” protection for companies to report hacks, which would emphasize the point that the FBI doesn’t treat “victims like anything other than victims,” according to Schultzel. Additional incentives could also be used to emphasize the importance of security as a priority among businesses handling large amounts of sensitive data.