New laws target data security problem

Retailer TJX's breach presents a chilling lesson on the dangers of shortchanging data security

As more details emerge about the recently disclosed security breach at TJX Companies, lawmakers in Massachusetts are considering new laws that would put the onus for paying for such breaches on retailers and merchants, rather than banks and credit unions, the Wall Street Journal reported Thursday.

In Massachusetts, Attorney General Martha Coakley is hoping to force significant changes to the manner in which companies are allowed to collect, store, and protect sensitive consumer data.

"[Coakley] is looking at a number of issues and working with the legislature to see what types of measures we can implement to better protect consumers," said Melissa Sherman, Coakley's press secretary.

But security and privacy experts agree that new laws, in themselves, won't prevent a repeat of the data breach experienced by TJX, which continues to grow in scope, and that the hack of that retailer's network should provide a chilling lesson to businesses that are failing to adequately safeguard their sensitive information.

As illustrated by the retailer's continued discovery of new incidents of IT systems intrusion, enterprises that don't have sufficient security tools in place will have a hard time simply piecing together the details of what has happened when their data is attacked, industry watchers observed.

On Feb. 21, Framingham, Mass.-based TJX announced that it had discovered a new set of IT systems intrusions that exposed the personally identifiable information of an undetermined number of its customers.

Company officials said that in addition to the IT systems break-ins TJX detailed in January 2007 -- which occurred during 2003 and between May and December 2006 -- it now believes that intruders also infiltrated its databases repeatedly during 2005.

TJX offered no further details regarding the nature or volume of the information that was accessed by outsiders during the newly reported intrusions. In a statement, the company said that it only recently discovered the additional incidents, which started in July 2005 and continued over a period of time that it classified only as "subsequent dates."

The fact that TJX -- which has already been publicly chided by MasterCard International, among others, for failing to meet established data security standards -- is still unraveling the exact details of the attack serves as testament to the notion that ill-prepared businesses will struggle just to understand how and when they've been penetrated, experts said.

"The scary thing is that we are learning that this type of situation is not uncommon. It's like someone broke into your house by picking the lock and only took items you wouldn't notice were missing," said Richard Mogull, an analyst with Gartner, in Stamford, Conn.

"Companies such as retailers are collecting tons of information and not securing it properly, and if they don't have sufficient monitoring technology in place, which most firms do not, it's surprising that they can figure out what has happened at all," he said.

Makers of security software designed to help companies fight such data loss contend that IT executives, when they first try out one of the programs, are typically shocked to find out where all their sensitive data is located and how it is being handled by employees and business partners.

"Most people are really surprised by what they see. We were even shocked when we turned on the ILP technology for the first time," said Devin Redmond, director of security products at San Diego-based Websense, which acquired information leakage prevention (ILP) specialist PortAuthority Technologies for $90 million in December 2006.

"It is amazing to see how much data is moving around the network and being used in ways that existing security policies don't cover," Redmond said. "For companies who haven't addressed the problem that are attacked, the biggest challenge is simply figuring out where your sensitive data might reside to begin with, and what was done to it."

Privacy watchdogs said that many businesses, specifically retailers such as TJX, have been aggregating vast amounts of sensitive consumer data for years with little regard for its security.

Because businesses struggle just to understand the parameters of such an attack, there is little hope that large companies will soon be able or willing to more intelligently defend their data, even when faced with glaring examples of what can go wrong, said Lillie Coney, associate director at the Electronic Privacy Information Center (EPIC) in Washington, D.C.

"Incidents like the one experienced by TJX provide the best argument for not holding onto large amounts of sensitive information, but there's no evidence yet that these events have pushed other companies to improve their own data security efforts," Coney said. "This is exactly the situation that the criminals want; they can move in and steal the data and it's hard to tell what they made off with, which lets them keep doing business longer."

One of the major problems in convincing companies to invest in technologies to defend information from internal and external threats, experts said, is that security workers still have a hard time justifying the cost of expensive new tools to senior executives, who want to know why the systems they've already installed aren't enough.

Making a case for how a data breach could affect a company's bottom line should be simple, but many business leaders are unwilling to dip into their coffers for new IT defense systems, EPIC's Coney contends.

"If you consider the problem in terms of risk analysis and the potential cost of an incident that exposes sensitive information, including the damage to a company's reputation, it shouldn't be a hard case to make," Coney said. "But getting companies to think like that is still a challenge, as the IT workers don't have a way to position the issue from a bottom-line standpoint; eventually someone will make a case for liability with one of these breaches, and that's when people will really get it."

Research company Ponemon Institute, based in Elk Rapids, Mich., estimates that information losses cost U.S. companies an average of $182 per compromised record in 2006. However, other industry watchers, including Gartner's Mogull, said there's no real way to quantify the long-term damage done to a firm's reputation by a TJX-like event.

The analyst said that such incidents are causing many enterprises to reconsider their data protection policies and look into new security technologies, but few companies are taking a comprehensive approach to addressing the problem of information security and are instead focused on potential return on investment (ROI) -- a serious mistake, he said.

"Companies are trying to do ROI analysis to decide what they need to spend or what they'll lose in an incident, but that's a silly way to do it. The estimates that are out there for the cost of a breach are mostly worthless because they can't take into account the long-term effect," Mogull said.

"What they really need to do is find where the data is and how it is being used in their business and try to create smarter policies," he said. "Trying to piece things together after an attack has already happened clearly isn't going to cut it."

Copyright © 2007 IDG Communications, Inc.