Isn’t All Sensitive Data Encrypted?
May 14, 2012 2:18 pm
Data Breach Survey Reveals that a Majority did not Encrypt Data
In November and December 2011, Experian Data Breach Resolution, a division of Experian, and Ponemon Institute conducted an online survey of more than 500 information technology (IT) professionals who had experienced recent data breaches in their companies. The purpose was to determine the causes, reactions and solutions. A surprising 60 percent of the companies did not encrypt their customer data.
Responders
The responders had 10.5 years or more of information technology experience. Approximately 73 percent reported directly or indirectly to the chief information officer (CIO) or the chief information security officer (CISO). For this survey, the responders were asked to refer to only the one data breach that had the greatest financial or reputational impact on their companies.
How it occurred and the cause
A majority of the responders (60 percent) said the breach occurred because the lost or stolen customer data was not encrypted. According to the responders, the types of data the companies lost were: email (70 percent), credit card or bank payment information (45 percent), and Social Security numbers (33 percent).
The key causes of the breaches:
- 34 percent said it was someone negligent inside the company.
- 19 percent said it was the outsourcing of data to a third party.
- 16 percent said a malicious insider was the main cause.
When asked about response time, 50 percent of responders felt their company made the best possible effort to protect customer and consumer information. The top two measures cited for reducing the negative consequences of the data breaches were (1) retaining outside legal counsel (56 percent) and (2) carefully assessing the harm to victims (50 percent).
Assistance to customers
Assistance to customers was very limited: 64 percent of responders stated that their companies did not offer credit monitoring services. In addition, 73 percent of the companies represented did not offer identity protection products or services, such as credit monitoring and other identity theft protection measures, including fraud resolution, scans and alerts.
Prevention and results
According to 66 percent of the responders, investigating the causes of the breach will help prevent it in the future. A majority of the responders (66 percent) said negligent insiders and third parties are the main reasons their companies could be subject to future breaches. Most (61 percent) of the responders said their organizations increased the security budget after the breach, and 28 percent hired additional information technology security staff.
The responders felt the four best solutions to avoid future threats were the following:
- Educate employees, including temporary staff and contractors, about security policies and make them aware of the causes of breaches.
- Receive support from senior leadership, so that security budgets can be increased.
- Hire legal counsel to assess the harm to victims.
- Learn from the data breach, limit the personal data collected and stored, and limit the data shared with third parties.
This survey shows that companies are not protecting consumer information. The top causes of the breaches were negligent or malicious insiders or outsourced third parties. Also, most of the companies did not offer credit monitoring services after the fact. Was the lack of regard for consumers the key reason for the security breaches?
Credit Expert Witness, John Ulzheimer, is the President of Consumer Education at SmartCredit.com, the credit blogger for Mint.com, and a Contributor for the National Foundation for Credit Counseling. He is an expert on credit reporting, credit scoring and identity theft. Formerly of FICO, Equifax and Credit.com, John is the only recognized credit expert who actually comes from the credit industry.
This post was written by John Ulzheimer