Blog Posts: Data Privacy & Security
In data-breach class-action lawsuits, plaintiffs' biggest problem is often convincing the court that the unauthorized disclosure of their personal information caused some type of injury. Often they cannot, and this leads the court to dismiss their case on the ground that the plaintiffs lack standing to sue.
A recent study by ThreatTrack Security found malware analysts are better equipped to protect against cyber-attacks but continue to face internal challenges to network defense. Additionally, many organizations are not disclosing data breaches to the customers, partners and others who entrusted their data to them.
The Payment Card Industry Security Standards Council (PCI Council) issues new versions of the PCI Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS) every three years based on input from credit card companies, merchants and others that handle consumer credit-card data. This month, the PCI Council issued version 3.0 of the standards. They take effect January 1, 2014, and businesses have until the end of 2014 to come into compliance.
The seventh edition of the Kroll Global Fraud Report found that corporate corruption is again on the rise after seeing lower numbers in its previous survey in 2012. The report found that 70% of responding companies were affected by fraud in the past 12 months, up from 61% in 2012. Researchers believe these statistics may be more connected to perception, however, than any true increase in fraud, pointing to a heightened awareness of the issue.
For the second consecutive year, survey results show that companies are ignoring the risks to company data posed by employee use of mobile devices. Coalfire, an independent information technology governance, risk and compliance firm, surveyed individuals in a cross-section of industries across North America; survey participants did not work in their company's IT departments. The survey responses indicate that companies are not educating employees on the necessary security measures for mobile devices in connection with work-related activities.
The Payment Card Industry Data Security Standard (PCI-DSS) was adopted in 2004 by five major credit-card companies. It promotes consistent global security standards and protects cardholder data from fraud and security breaches. PCI-DSS applies to all merchants or service providers who store, process or transmit payment-card account numbers. Since the standard applies to anyone who processes credit-card information, even non-technical employees such as cashiers need to comply with it.
Managing documents has become a significant part of running an organization. Documents may be formal, such as contracts or business plans, or informal, such as e-mails and instant messages (IMs). A document-retention policy governs the period for which organizations retain their documents and may specify the media on which the organization may store different types of documents.
In July 2013, the U.S. Department of Justice (DOJ) indicted five men in the largest data breach conspiracy ever. The DOJ accused the men — four Russians and a Ukrainian — of targeting payment processors, retailers and financial institutions around the world. The men allegedly stole 160 million credit- and debit-card numbers at a cost of more than $300 million to just three of the 16 corporate victims. Those victims included NASDAQ, 7-Eleven, JetBlue and Dow Jones.
Most U.S. organizations know that state and federal laws require them to protect personal data stored on employees' personal mobile devices (also known as "BYODs"), but few do anything about it, according to "The Risk of Regulated Data on Mobile Devices & in the Cloud," a June 2013 Ponemon Institute survey.
A recent study by the Ponemon Institute revealed glaring weaknesses in the data-security practices of many U.S. companies. The participants — consisting of 471 privacy and compliance professionals — each answered a series of questions about their company’s preparedness for a data breach. The responses led to some shocking results, among which was a lack of security protocols for mobile devices. Approximately 58% of respondents either admitted that devices were not tested before connecting to company networks or were unsure if this was a requirement, even though 78% indicated that their employer permits personal mobile devices in the workplace.