Guard Against Identity Theft

Identity theft is on the rise, and it's not just big banks and credit card companies that need to be concerned about protecting customer and employee information. Businesses of every size collect and store data that is attractive to thieves: Social Security numbers, account and transaction records, and other personal information about employees and clients.

Failing to adequately safeguard such information can mean lost business and a damaged reputation, not to mention the monetary losses and other harm to workers, customers and business partners.

Eighteen states have laws that require businesses to make data breaches public. Meanwhile, Congress has several bills pending that would require new privacy policies for handling personal data gathered by companies and other organizations. For instance, one bill would establish a national law requiring that any data breach be made public almost immediately. Another, the Social Security Number Privacy and Identity Theft Prevention Act of 2005, would restrict the use of Social Security numbers as identifiers. Lawmakers have also discussed the need to mandate data protection more broadly.

By establishing a few fairly simple data ground rules, companies can prevent the theft of identifiable personal information—or at least decrease the chances of such attacks occurring, says Sally Hudson, an analyst at research firm International Data Corp. in Framingham, Mass.

A best-practice approach to avoiding identity theft requires a company to make smart use of information technology, establish a data protection policy and take physical security into account.

Preventing identity theft essentially requires the use of multiple layered security and systems policies.

The federal government's National Institute of Standards and Technology suggests the best approach to protecting personal data from tampering is to make access difficult and to use knowledge-based authentication to grant users access on a need-to-know basis.

According to a recent NIST bulletin, an authentication system that requires users to provide something for all three of the following categories offers the highest security:

• something that the user knows, such as a password;

• something that the user has, such as an ID badge or token;

• something that is unique to the user, such as a fingerprint or face.

"Systems that incorporate all three factors are stronger than those that use only one or two factors," the bulletin notes. "Authentication using biometric factors can help to reduce identity theft and the need to remember passwords or to carry documents, which can be counterfeited. When biometric factors are used with one or two other factors, it is possible to achieve new and highly secure identity applications."

Rules of Engagement

But equally crucial is a written privacy policy detailing rules for the handling of data and specifically who has access to what information, Hudson says. The policy needs to state exactly how the company will use any personal data it collects, she adds. Once the policy is done, businesses need to make sure all employees know and understand the rules.

The policy should restrict access to certain data—a systems administrator can then combine the features of its authentication applications in tune with the access control features of its applications and databases, security experts say. In general, users should have authorization to view only the specific data they need to do their jobs because inside threats are a chief source of breaches. In fact, 84 percent of the most costly security incidents occur when insiders send confidential data outside the company, according to the Gartner research firm of Stamford, Conn.

"This is an area that is often overlooked by businesses," says Anil Miglani, senior vice president at Access Markets International Partners, a New York technology research firm and consultant.

To minimize internal vulnerabilities, Applied Medical Services has set strict controls on the access that its 40 employees and 75 contractors have to patient and other personal information. "Sometimes not giving people access to the information is the best way to protect it," says Dan Johnson, information analyst for the Durham, N.C., provider of medical-practice management services.

Software applications commonly allow systems administrators to set access parameters for users. The format for these parameters relies on role-based access controls (RBAC) that require sysadmins to define the access privileges for users by what they do. These privileges can then be handled in bulk, saving time and money, NIST points out. It also means that in a public-key infrastructure environment, for instance, a company can write its RBAC policy in Extensible Markup Language and store the attributes in X.509 certificates.

At Applied Medical Services, for instance, the company sets up its applications—particularly those with sensitive information such as billing records—so that users have access only to the specific data fields they need, Johnson says. Applied Medical keeps audit logs so it can track the identity of users who view, change or print any file containing personal information, he says.

Unless there's a strong business need to keep personal data available online, companies should keep it offline, Miglani recommends. If such data must be accessible online, then businesses must carefully monitor network access, he adds.

Additionally, employees must not be permitted to copy or transfer critical business data in any way, he advises. And businesses should make sure to terminate access immediately after an employee leaves the company.

Under Lock and Key

Protecting personal data is more than just an IT and policy issue. Companies need to think about physical protections for their hardware, particularly portable systems and storage devices that tap into or host files containing personal information.

Miglani suggests, for instance, that companies require employees to lock up or take home notebook computers at night. "If large companies can lose data while in transit, in spite of their vast resources to ensure safety and security of data, then small businesses are even more vulnerable," he notes.

Companies should also encrypt and password-protect all sensitive data. Encryption is especially important for any data that's sent via e-mail or carried on mobile devices.

Applied Medical, which transfers records back and forth among its contract workers, uses encryption on all sensitive data, Johnson says. The company avoids including personally identifying information in e-mail, he adds. Applied Medical also encrypts sensitive data stored on servers and backup systems.

As Congress debates national data theft legislation, one of the hottest areas of contention is whether businesses that encrypt their data should be exempt from requirements to notify consumers of data breaches. Such an exemption is included in the California law that took effect in July 2003, and the makers of security software are lobbying lawmakers to include such an exception in proposed federal legislation.

Meanwhile, although technology budgets and staff might be tight at many small companies, IDC's Hudson and AMI's Miglani say that's not a reason to skimp when it comes to protecting data. Instead, they suggest considering the potential cost of a data breach: Just one could spell doom for many small businesses.