Sunday, October 5, 2008

Visa, Mastercard and the FTC as drivers for security investments

| Armando Romeo |
I've always thought that the only way to get companies and organizations to take security seriously is through law enforcement, compliance requirements and heavy fines for data breaches.

In places where security awareness is still lacking and law enforcement is not yet in place, buying online or simply handing over personal data is still a risk. I am thinking of those countries where internet-based services are still so thinly spread and so young that any law in this direction would slow down investment in innovation in the field.


TJX, sure, demonstrated that compliance alone is not enough. But TJX also serves as a cautionary case for every other company.

A driver for more investment in security: this, unfortunately, is what the field needs in order to raise awareness of the problem.

The difficulty of fitting security investments into a plain ROI plan plays a big role here.
The lack of exact figures for both the number of incidents and the cost of insecurity makes things worse.
Convincing companies to spend on security now means showing them the figures for fines and the cost of insecurity,
and cases like TJX are just the most visible examples.

Mastercard and Visa have published schedules of fines for merchants who are non-compliant, and a further set of penalties for merchants who suffer a compromise of credit card data.
In most cases a card data theft costs the merchant $25 (or the € equivalent) per card number disclosed,
and the cost of the forensic investigation is levied on top.

This easily adds up to hundreds of thousands of dollars for small merchants and millions for bigger ones.

Moreover, in the US the Federal Trade Commission (FTC) acts as another driver for security investments.

The penalties applied to a data breach, whether it is an SSN disclosure or a privacy policy violation, are extremely tough.
Companies that have suffered an information security breach are required to notify not only the individuals whose personal information was affected but also numerous state regulators, who will in most cases open an investigation that may take up to two years.

If the company is found to be in violation of federal laws on privacy and data security, it faces fines and obligations for the 20 years following the incident. Twenty years, yes.
The FTC enforces independent biennial security assessments, compliance reporting and periodically revised data retention policies.

The cost of such incidents is the sum of legal expenses (which in many cases take the form of class actions), compliance costs, bureaucracy costs (not to be underestimated, since it is a long process) and fines.

ChoicePoint Inc. agreed to pay $10 million in federal fines over the breach that exposed the personal records of some 160,000 people,
plus $5 million to compensate those who suffered as a result of the breach.
These numbers speak for themselves, with no need for further FUD (Fear, Uncertainty, Doubt).
The FTC exists only in the US. I'm not aware of anything similar in Europe.
The US is serious about your privacy.
