
01:09 PM
Deena Coffman, IDT911 Consulting

What Constitutes a Data Breach for Banks?

Many employees, even those who are technically savvy, do not recognize as reportable events the situations that commonly result in a data breach.

When the media reports on data breach events, the conversation usually shifts one of two ways: toward the abstract—the laws, the theories, the consequences—or to the wonkishly technical—the nuts and bolts of SQL injections, DDoS and forensic investigations. The reality is that many data breach events, even the most common, are not evaluated technically or theoretically because they are not initially identified and reported.

Through our work coaching businesses that range in size from small to medium-sized companies to large institutions, we have found that many employees, even those who are technically savvy, do not recognize as reportable events the situations that commonly result in a data breach.

Consider these scenarios:

  • An employee writes sensitive client information on a sticky note and posts it on his or her PC as a reminder. That’s a data breach.
  • A company laptop containing protected information is lost, misplaced or stolen. That’s a data breach.
  • An invoice or HR email with personally identifiable information is mailed or sent via email to the wrong person. That’s a data breach.
  • An FTP site containing protected data is accessed by the wrong client. That’s a data breach.
  • Physical documents containing protected information are disposed of in an insecure fashion. That’s a data breach.
  • Your website host—or another outside service provider that stores, transmits or manages your clients’ or employees’ protected information—is hacked. That may be a data breach and should at least be evaluated by legal and/or compliance.

These events often are not the sophisticated cyber attacks that make headlines. They usually involve good employees who make honest mistakes because they haven’t been taught to see data as an asset to be protected. So what’s your next move? How do you train employees to be attuned to recognize and avoid events that create exposure to a data breach?

Assess your data breach exposure points

Inventory your environment and processes to find common activities, documents and storage locations that are components of a data breach. For example, if you work with clients or vendors to exchange protected data via FTP, or if employees or contractors are able to send protected information via email, identify those particular activities and data repositories for additional quality control, security, audit and training measures. The processes and data sets that are not high-risk can then be handled with lower priority, and they won't consume valuable investment and attention.

Institute quality control or additional security for high-risk points.

For those functions, documents and data sets identified as sensitive or protected, institute additional procedures to reduce your potential for error or exposure. Provide specific direction on the level of importance, the protocol for avoiding errors and how to identify and respond to an incident that may produce a data breach.

Train in context

Communicate regularly (not just annually) to the employees that work in the areas identified as possessing an inherent risk of a data breach. Provide training not just on theory but on specific observable actions and events. For example, for the employees managing the client SFTP sites, specifically state the importance of accurately managing account permissions and of instituting testing prior to deployment. Also provide and communicate a mechanism to report when one client accesses another client's FTP site. This mechanism should be easy to remember and use.

Telling employees that “PII exposure is a data breach” puts the onus on them to define and identify PII, as well as determine individually whether an event constitutes an exposure. Some employees may not translate one client accessing another client’s FTP site with personally identifiable and/or financial information as a PII exposure. Be specific. Instruct employees to make a report to the incident response team if one client accesses another's FTP site. Tell them that the team should evaluate the incident for compliance with mandatory notification laws. These messages are less ambiguous and more effective.

While there are many “Data Breach 101” webinars and generic training programs, these are not as effective as data security and privacy training tailored to your organization. The latter gives employees an understanding of the best security practices as they relate directly to daily tasks, and it doesn’t require individual interpretation from employees.

A knowledgeable employee can be a point of defense rather than a point of exposure.

Deena Coffman is Chief Operation Officer for IDT911 Consulting and Information Security Officer for IDentity Theft 911.

User Rank: Apprentice
8/13/2013 | 3:41:11 PM
re: What Constitutes a Data Breach for Banks?
It is fitting that the author of this article is an I.S. officer, as all the information is spot-on and relevant to any business exposed to the current threat environment (all of them). One of the most significant points made is that people generally do not process abstract concepts well into practical terms, especially when dealing with technical issues, which pretty much do require specific actions.

“Data security is of utmost importance to our business” --/--> “I need to shred this client’s file copies lying on my desk before I leave the office,” or the slightly more technical, “Why is the S missing from the HTTPS on this website? Something’s not right here.” Any basic course on business information security teaches that an organization’s own employees are often the most dangerous threat to the company’s data (moreso than crackers, foreign governments, etc.). Negligence and ignorance cost companies grossly underreported amounts of money, not to mention the reputation damage when it all becomes public. Staff need to be trained as much as possible, with well-defined security policies and standards.

Since the function of IT is to speed up business operations and efficiency, it makes sense to invest in software that both emphasizes security, and promotes smooth automation requiring minimal operator intervention. This reduces the chance for errors that could then constitute a data breach. Security, especially for institutions dealing with compliance pressure, must be implemented and monitored at all levels – back-end programming, front-end, personnel policies, and so on. Data integrity and authenticity are just some of the sub-points of a complete plan to secure data.
User Rank: Author
7/31/2013 | 3:18:22 PM
re: What Constitutes a Data Breach for Banks?
That is true, when someone's financial information gets breached, they don't care or want to hear how it was a vendor's fault, the blame will go towards the financial institution.
Greg MacSweeney
User Rank: Author
7/30/2013 | 8:37:46 PM
re: What Constitutes a Data Breach for Banks?
I don't think they are ever reported as "data breaches," since the company often voluntarily handed over the data to the vendor. It is something that financial firms need to watch very closely. It is very easy just to hand over the entire data file and that is often what is done. However, a firm should only be giving a 3rd party the data that is actually needed to complete a specific task (data analysis, let's say).

Firms need to think along these lines because one day a 3rd party vendor's systems will be breached and if the data on those systems comes from a bank, the bank will be held responsible by its clients and by the regulators.
User Rank: Author
7/30/2013 | 6:04:32 PM
re: What Constitutes a Data Breach for Banks?
Interesting perspective, I had never thought of that. I wonder how many of these cases are ever reported as data breaches?
User Rank: Apprentice
7/29/2013 | 5:54:14 PM
re: What Constitutes a Data Breach for Banks?
In addition to all of the above, many companies and government agencies routinely provide sensitive information to their software developers and testers. Is this a breach? Do these individuals absolutely need real data to do their job? The answer is NO and these cases should be reported as data breaches.