A Government Clearinghouse for Reporting Breach Info?

Breaches and bots share much in common, including the damage they do to consumers and the US economy, but also the need for government action. At the October 2011 Online Trust Alliance Forum meeting I attended two sessions on breaches. The panelists included lawyers and CSOs who have been engaged on multiple breaches. I wrote and regularly tested AOL’s breach plan. The discussions and my experience indicate that breaches get reported (unfortunately not all are reported) to multiple groups, from the local police department to the FBI, Secret Service, and other federal and state agencies. This hodgepodge of reporting results in an incomplete view of essential statistics. Data on breaches becomes widely varied guesses. There needs to be a central government clearinghouse where all breaches are reported: 1-800-DATABREACH. This clearinghouse then collects statistics and parses the cases to the appropriate agency for investigation.

More importantly, the hodgepodge of reporting results in the inability to collect information on the causes and the cures, which is essential to share with other companies. My experience with Internet crime shows that the bad guys continually exploit the same techniques. The clearinghouse should be sharing data on the exploit and recommendations to prevent the problem from recurring.

The clearinghouse also needs to be sharing data about the individuals who were breached so that other sites where the same user authentication data is used can be shut down. Sites have the terrible habit of using email addresses as the user ID for convenience purposes, so it is very common for a user ID to be an email address. Consumers have the terrible habit of using the same password on multiple sites. The bad guys know this, and once user names are compromised at one site the bad guys use the same info to compromise individual accounts at financial institutions, ISPs, etc. In fact there is a website on which you can check to see if your email address has been compromised. The clearinghouse should make available to vetted companies the compromised email addresses and passwords so that sites can test the combination and temporarily shut off access before additional accounts get compromised.
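As an added illustration of how a site could consume such a feed (example code written for this page, not anything the post or any clearinghouse provides), the snippet below indexes a constructed breach list of email/password-hash pairs, checks a login attempt against it, and returns a lock-and-reset decision when a valid login matches a leaked combination. The feed format, the choice of SHA-1 for the leaked-password digest, and the hash-prefix lookup that lets the feed serve partial matches without handing out the whole list are all assumptions of this example.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample feed (not real breach data). A clearinghouse would distribute
# hashed passwords to vetted sites; plaintext leaked passwords should never be shipped.
BREACH_FEED: List[Tuple[str, str]] = [
    ("alice@example.com", hashlib.sha1(b"Password123").hexdigest()),
    ("bob@example.com", hashlib.sha1(b"letmein").hexdigest()),
    ("Alice@Example.com", hashlib.sha1(b"hunter2").hexdigest()),  # same user, other leak
]


def normalize_email(email: str) -> str:
    """Email user IDs are case-insensitive in practice; normalize before comparing."""
    return email.strip().lower()


def password_digest(password: str) -> str:
    """Digest used only to compare against the feed (assumed feed format: SHA-1 hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_index(feed: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map normalized email -> set of leaked password digests for that email."""
    index: Dict[str, Set[str]] = {}
    for email, digest in feed:
        index.setdefault(normalize_email(email), set()).add(digest.lower())
    return index


def is_compromised_combo(index: Dict[str, Set[str]], email: str, password: str) -> bool:
    """True when this exact email/password pair appears in the feed."""
    return password_digest(password) in index.get(normalize_email(email), set())


def range_bucket(index: Dict[str, Set[str]], email: str, prefix: str) -> List[str]:
    """
    Hash-prefix lookup (assumed feed API, not described on the page): return the
    digest suffixes for this email whose digest starts with `prefix`, so a site can
    ask about a 5-character prefix instead of sending the full digest or pulling
    the entire list. The caller compares suffixes locally.
    """
    prefix = prefix.lower()
    return sorted(d[len(prefix):] for d in index.get(normalize_email(email), set())
                  if d.startswith(prefix))


def is_compromised_via_range(index: Dict[str, Set[str]], email: str, password: str) -> bool:
    """Same answer as is_compromised_combo, but using only a 5-character prefix query."""
    digest = password_digest(password)
    return digest[5:] in range_bucket(index, email, digest[:5])


def login_decision(index: Dict[str, Set[str]], email: str, password: str,
                   credentials_valid: bool) -> str:
    """
    Decide what to do with a login attempt:
      'deny'           - the site's own password check failed
      'lock_and_reset' - valid login, but the pair is known-leaked: shut off access
                         temporarily and force a password reset
      'allow'          - valid login, pair not in the feed
    """
    if not credentials_valid:
        return "deny"
    if is_compromised_combo(index, email, password):
        return "lock_and_reset"
    return "allow"


if __name__ == "__main__":
    idx = build_index(BREACH_FEED)
    print(login_decision(idx, "alice@example.com", "Password123", True))  # lock_and_reset
    print(login_decision(idx, "alice@example.com", "S0meth1ngNew!", True))  # allow
```

The lock decision is taken only after the site's own authentication succeeds, so the feed never becomes an oracle for guessing passwords: an attacker who does not already hold the valid pair learns nothing from the "deny" branch.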


How NOT to Publicize Your Privacy Policy – Spotify.Com

I like the idea of giving users easy access to your privacy policy and terms of use. I wish more sites would not hide their policies. On the other hand, when you put the policy in the face of your users (i.e., when they log in), it should be concise, not written in legalese, and use proper English (or whatever language your site uses). I logged into Spotify.Com, the hot free music streaming service. Immediately the new privacy policy is in the user's face. First line: Spotify Terms and Conditions of Use. OK. Next sentence: Effective as from 14 October 2011. I guess this means effective as of October 14. The next sentence is absolute legalese: 62 words long and four lines of text. The next sentence is eight lines long. I continue reading. The entire agreement takes 26 mouse clicks to read. I defy anyone to read it in less than 15 minutes. My mom is very smart, but she would have no idea what the words mean, nor would she have the patience to read this. It doesn’t pass the “mom test.”

We privacy professionals have got to do better.



You Can Encrypt All Your Data – Blue Cross of Tennessee Did It

Sometimes I hear “we can’t encrypt our data” followed by “it’s too expensive,” “it’s too hard,” “it’s too ___.” Blue Cross/Blue Shield of Tennessee completed a $6 million project (it’s not cheap) to encrypt all of its “at-rest” data: 5,000 man years, 885TB of data. It took over a year. They are now encrypting all data on 1,000 server drives, 6,000 workstation hard drives, 136,000 tape backup volumes, and 25,000 daily voice-call recordings.

Bravo! It can be done.

Oh yeah, this project was a result of 57 hard drives being stolen. Do you want to wait until your data is stolen?