www.esecurityplanet.com/best_practices/article.php/3661386


Ignoring PCI Is Risky For Your Business
By Andy Lark
February 23, 2007

Ignoring data security mandates could cost your company a bundle this year. As high profile breaches make headlines and consumers get nervous about privacy, enforcing data security is taking center stage. From the halls of Congress to the European Commission (EC), new laws are being proposed at federal and local levels whereby firms across the globe would have to inform regulators and customers of all security violations.

As consumers, we demand that our information remain private and safe. So what happens if your data is breached? You’d expect that credit card companies would hold the source of a breach financially liable, especially if a retailer was storing card data in violation of the Payment Card Industry Data Security Standard (PCI DSS). But are retailers really being held to that standard? What are the consequences of non-compliance?

While much of the industry now watches the TJ Maxx (TJX) case in the wake of the retailer’s security breach by hackers, consumers nationwide feel the impact. Not only is the number of consumers affected staggering, but the fact that the company says the breach “may” have occurred as far back as 2003 underscores the data security dilemma that retailers face.

The risk of not protecting consumer data certainly affects reputation, a lesson TJX is learning on Wall Street as its stock has declined since it admitted the theft on January 17. Beyond the violation of the public’s trust in the retailer, at least three class action suits have been brought by financial institutions, and we are still waiting on a response from the credit card companies related to the PCI mandate.

Ironically, consumers learned about the TJX issue just as state laws in Massachusetts created to protect customers from identity theft were about to take effect. Spurred by a 2004 computer hacking incident at another retailer based in the Bay State, BJ's Wholesale Club, the laws were meant to address consumer privacy in the wake of stolen credit card information from thousands of customers. In that case, stolen names, addresses and account numbers were used to make duplicate credit cards and buy millions of dollars worth of goods in other people's names.

To ensure accountability, the bill required retailers targeted by data breaches to pay banks in the state the cost of recovering from the data losses. Should legislation, retailers or the banking industry step up and assume responsibility for determining data security rules?

It is an interesting question that will continue to draw debate in the wake of this latest high profile case. With over five million retailers taking credit cards and potentially required to comply with PCI, retailers are finding that, thanks to high profile thefts like TJX, efforts are underway to ensure enforcement. Companies not only risk damage to their reputation; restitution and fines are imposed on those who fail to comply.

As of October, Visa stated that it is focusing on 334 of the largest US merchants, who in aggregate represent nearly 50% of Visa's annual US volume. The fines, should you be out of compliance, are $500,000 per breach from Visa and $100,000 per incident from MasterCard. It can be expensive.

The consequences of not complying with PCI are quite costly to retailers, so it must be difficult to meet the mandate, right? It shouldn’t be.

It’s in the Logs

Virtually every computer-based transaction produces a log record that is a fingerprint of user and system activity. Log management and intelligence (LMI) is one way to gain immediate insight into the billions of log messages generated by retailers and merchants that accept credit cards, and to use them for enforcing, auditing and automating the requirements and controls of the Payment Card Industry (PCI) data security standard.

Taking a proactive approach to compliance ensures that data is available across the business where it is needed, while at the same time proving that the data is protected. Log management and intelligence automates compliance and mitigates risk, offering companies a strategy to continuously comply with ever-changing laws, and to be able to prove it should your network be breached.

Numerous factors have contributed to the emergence of log data management and intelligence as an industry, including the need for IT controls across the enterprise to manage risk and meet regulatory requirements.

Compliance mandates like PCI, SOX, HIPAA, and others are forcing companies to examine business processes while inspiring the push for technologies that increase the ability to inspect those processes. With LMI, companies have the opportunity to improve the way they do business and achieve a new level of operational efficiency. The key to harnessing the power of infrastructure data lies in intelligent log management.

With an effective log management solution, CIOs gain the visibility required to properly monitor their networks and effectively respond to security, availability, and performance issues.

Home-grown scripts and SIEM/SIM products of the past are completely inadequate to handle today’s compliance-related tasks, mainly because they force companies to be reactive rather than proactive in managing risk. Only with automated collection, aggregation, storage and management of logs from all applications and systems within the corporate network will companies truly protect their information assets and satisfy today’s risk mitigation and compliance requirements.
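The automated collection, storage and inspection described above, as an added example (not LogLogic's product code or the author's): it ingests a few constructed point-of-sale log lines, flags and masks every Luhn-valid card number so that full account numbers are never retained in the log store, and keeps the stored records in a SHA-256 hash chain so that any later alteration of a record can be detected. The log lines, hostnames and card numbers are constructed test values.

```python
import hashlib
import re

# Constructed sample log lines from a hypothetical retail point-of-sale estate.
SAMPLE_LOGS = [
    "2007-02-23T10:01:02 pos01 sale approved amount=59.99 card=4111111111111111",
    "2007-02-23T10:01:05 pos01 sale approved amount=12.50 card=************1234",
    "2007-02-23T10:02:11 db01 login user=admin result=success",
    "2007-02-23T10:03:40 pos02 refund amount=20.00 card=5500000000000004",
]

CARD_RE = re.compile(r"\b\d{13,19}\b")  # candidate PAN lengths


def luhn_ok(digits):
    """Luhn checksum: filters out timestamps and order ids that merely look numeric."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return the full card numbers present in one raw log line."""
    return [m for m in CARD_RE.findall(line) if luhn_ok(m)]


def mask_pan(line):
    """Replace each card number with a masked form that keeps only the last four digits."""
    return CARD_RE.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:]
                       if luhn_ok(m.group(0)) else m.group(0), line)


class TamperEvidentLog:
    """Append-only store: each record's digest covers the previous digest, so
    editing or deleting any stored record breaks verification of the chain."""
    def __init__(self):
        self.records = []      # list of (line, digest)
        self.head = "0" * 64   # genesis value for the first record

    def append(self, line):
        digest = hashlib.sha256((self.head + "\n" + line).encode()).hexdigest()
        self.records.append((line, digest))
        self.head = digest
        return digest

    def verify(self):
        prev = "0" * 64
        for line, digest in self.records:
            if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


def ingest(lines):
    """Collect lines, record which ones leaked a PAN, and store them masked and chained."""
    store, findings = TamperEvidentLog(), []
    for n, line in enumerate(lines, 1):
        if find_pans(line):
            findings.append(n)
        store.append(mask_pan(line))
    return store, findings
```

The `findings` list is what an auditor would ask to see: it names the log sources that emitted full card numbers and therefore need fixing at the application, not just in the collector.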

Log management and intelligence could help keep you from being the next TJX.

Andy Lark is the chief marketing officer for LogLogic. Prior to joining LogLogic, he was an executive for Sun Microsystems. Read his blog here.
