Data Security: Who is Responsible?

The latest news about Heartland Payment Systems’ 2008 security breach revealed some alarming, yet important, issues about the reporting of breaches and responsibility of the players involved in data security.

Heartland’s 2008 data breach is supposedly the largest breach of that year, but Heartland was not the only company hit by the same hacker. According to Bob Carr, CEO of Heartland, most of the companies affected did not come forward. However, news articles are blasting Heartland for not reporting the 2008 breach earlier so customers and merchants could take action and precautions. While the Department of Justice has been successful in capturing individuals behind the recent data breaches, this should be a strong sign to any company involved with sensitive data that it should be stepping up efforts in the prevention of data loss.

The delay of notification about data breaches is becoming too common and is also a source of contention for those affected. The most recent news involved Radisson Hotels & Resorts, which recently revealed a breach that occurred between November 2008 and May 2009. According to the Associated Press, Radisson reported that the data breach affected cardholder names, card numbers and expiration dates of their North American customers, but they did not specify how many were affected.

One approach to getting companies to pay more attention to data security has been to hit violators financially. Visa and MasterCard impose fines for PCI compliance violations (MasterCard has recently increased their fines hoping that companies will take data security more seriously). Class action lawsuits have also been filed against companies like Heartland by customers whose credit cards were affected in data breaches. Lawsuits and the financial impact to companies that handle sensitive data shouldn’t be the reasons they impose stricter controls, but if they are, then companies that have been spared should take that as a lesson.

Following PCI DSS guidelines for securing data is simply not enough. Everyone in the “payment chain” (i.e. point of sale, processors, financial institutions) is responsible for ensuring data security. The stronger each piece is, the stronger the overall security of the data. Additionally, although PCI compliance varies for different levels/tiers of processing volumes ($), everyone in the payment chain should go beyond what is required to protect the data. A processor using a third-party payment gateway should ensure that vendor is PCI compliant. That same third-party vendor should ensure their customers are PCI compliant as well. Finger pointing won’t solve the problem in a world where companies should work together to produce best practices.

Stronger encryption, along with the safety of, and restricted access to, physical data storage are just a few of the basics. Any company that handles sensitive data should have a dedicated team (or at least a key executive) assigned to manage those controls on a regular basis. A self-assessment or qualified audit should be seen only as a guidepost. Companies relying only on auditors to determine their compliance are putting their company, and customers, in jeopardy. Being compliant doesn’t mean a company’s data is secure, and the auditor cannot ensure that data is secure either. Their job is simply to report on the controls in place for data security. VeriSign’s 2007 white paper about how to avoid an audit failure provides basic, yet necessary, measures for data security that are still valid, yet likely not practiced enough, today. Companies need to take these measures more personally on behalf of the security of their customer data.
