subject: Proper Internet Security Guidelines May Help Avoid Data Breach Lawsuit [print this page] Proper Internet Security Guidelines May Help Avoid Data Breach Lawsuit
Companies have to adequately protect their customer or employee records in order to avoid lawsuit. One way is to provide proper ethical hacking training programs to IT staffs to avoid the time and costs associated with a prolonged legal battle. IT staffs who properly equipped with ethical hacking skills will be able to defend computer network from being hacked.
The Briar Group, which operates several restaurants in the Boston area, had to pay $110,000 for failing to take reasonable steps to protect credit card data belonging to thousands of customers.
In April 2009 hackers broke into a Briar Group computer and installed malware designed to steal credit and debit card data. However, the malicious software wasn't removed in December 2009.
The lawsuit filed was related to the compromise stemmed from The Briar Group's failure to take adequate steps to protect card holder data. The state office noted that The Briar Group used default usernames and passwords on its point-of-sale systems and allowed multiple employees to use common usernames and passwords.
Under terms of the settlement, the Briar Group also agreed to implement a strong password management system at each of its restaurants and to comply with the Payment Card Industry Data Security Standard. The complaint also alleged that The Briar Group failed to properly secure its wireless network and remote access to its systems.
Early this year, the Online Trust Alliance (OTA) released its 2011 Data Breach Incident Readiness Guide. The guide addresses emerging security and privacy threats, providing prescriptive guidance and questions every executive should ask to help businesses in breach prevention and incident management.
According to Craig Spiezle, Executive Director and President of the Online Trust Alliance, "In the past 5 years, over 525 million records containing sensitive personal information have been compromised, significantly undermining the foundation of consumer trust," said. "With the onslaught of criminal and deceptive business activities, we are calling on business leaders to develop a readiness plan. Those failing to act may be faced with increased public scrutiny, regulatory pressures and a tarnished brand reputation."
Last year, over 400 incidents were reported impacting over 26 million records for a cost to U.S. businesses of over $5.3 billion dollars. Of these, 98% were a result of a server exploit.
OTA indicates a great majority of breaches continue to occur undetected or unreported and the data reported is just the tip of the iceberg.
In a separate incident, the personal information of 13,000 individuals who had filed compensation claims with BP after last year's disastrous oil spill may have been potentially compromised after a laptop containing the data was lost by a BP employee.
The information, which had been stored in an unencrypted fashion on the missing computer, included the names, Social Security numbers, addresses, phone numbers, and dates of birth of those who filed claims related to the Deepwater Horizon accident.
BP said in a statement that the personal information had been stored in a spreadsheet maintained by the company for the purposes of tracking claims arising from the accident. "The lost laptop was immediately reported to law enforcement authorities and BP security, but has not been located despite a thorough search," BP said on Tuesday.
BP has sent written notices to victims informing them about the potential compromise of their personal information and to offer them free credit monitoring services, the statement noted.
The BP compromise is only the latest in a very long list of similar breaches involving the loss of unencrypted personal data stored on laptops, and mobile storage devices.
Data breaches are very common these days, and many companies are keeping mum about it. One way to mitigate internet security risks is with technical security training. EC-Council's brand new TakeDownCon information security conference series, offers training sessions of one of the world's most comprehensive ethical hacking training program, the Certified Ethical Hacker (CEH).
