
As businesses face a March deadline under an oft-delayed state law to protect customer and employee personal information, data breaches affecting Massachusetts residents remain strikingly frequent.
More than 1 million Massachusetts residents were hit by 807 data breach instances from Nov. 1, 2007, to Oct. 31 of this year, according to a report by the Massachusetts Office of Consumer Affairs and Business Regulation, which monitors and enforces state data breach regulations. In the six weeks since, 59 additional breaches have been reported to the state.
Yet tight finances and the perceived high cost of compliance with technical aspects of the rules make full compliance with the impending deadline unlikely for at least some firms, business leaders say, clouding the full impact regulations may have on stemming the tide of breaches.
An examination of some of the more recent filings with the state shows businesses from the largest financial institutions to the smallest nonprofits have been hit by data breaches, some of them likely preventable.
For example:
• Three separate breaches at State Street Corp. affecting 42 Massachusetts residents involved State Street employees accidentally sending personal information of a customer to the wrong client or financial adviser and a Web site glitch that disclosed account information to the wrong customer.
• An outside attack on Lexington-based Scottish Rite Charities’ Web server that, unbeknownst to the nonprofit, held the credit card information of 481 customers, including 47 Massachusetts residents.
• A criminal case involving a former human-resources employee of 1-800-East West Mortgage in Marlborough and Access TCA Inc. in Whitinsville who allegedly took employee data from both companies and e-mailed it to his personal e-mail account.
David Bernotas, president of 1-800-East West, declined to comment on the specifics of the ongoing case other than to say the individual has left the company.
He did say, however, that “it is against corporate policy to e-mail or distribute in any way, shape or form company material.”
State officials say it’s difficult to determine whether the pace of breaches has quickened, but expressed concern about the breadth of attacks on personal information and confidence that new regulations will prevent some of these attacks from happening again.
“Now at least in Massachusetts we have a starting point, and it’s not a great start. The numbers are huge no matter how you look at it and it’s unacceptable,” said Barbara Anthony, undersecretary of consumer affairs and business regulation. “As a commonwealth, we’ve taken very appropriate and meaningful steps to install a culture of security in businesses.”
Yet the growing number of data breaches, and the media attention some of them attracted, is still not enough of an impetus for some of the smallest businesses to come into compliance, business leaders say.
“I think it’s a back-burner issue with a lot of small- and medium-size businesses, with all of the other things they’re facing,” said Robert Baker, executive director of the Smaller Business Association of New England. “It’s one of these ticking time bombs.”
While all businesses have been required to report potential breaches of customer or employee data — defined as a name attached to a Social Security number, account number, driver’s license or other identification — businesses were given well over a year to implement new policies and technologies to protect personal information. In the meantime, regulators have tweaked the regulations.
The final regulations call for companies to develop policies around access to personal information and how it should be disseminated. Companies also must institute strong access-control technologies to lock up private data as well as encrypt information sent over the Internet or held on portable devices.
“I think (regulators) were very responsive to the business community,” said Deborah Birnbach, a partner in Goodwin Procter LLP’s data security practice. “That said, some parts of (the regulations) are still unwieldy.”
Coordinated attacks on IT servers were recorded in several letters to the state, including a breach last year of a UMass Amherst server that held Social Security numbers and credit card data of an unknown number of individuals.
A spokesman said the university has implemented new measures to protect its IT infrastructure.
In the Scottish Rite case, foundation staff were unaware donor credit card information was accessible through its website-hosting server.
Scottish Rite Director Steven Pekock was unavailable for comment.
A startling amount can be sourced to simple human error. Of the more than 800 breaches in the state report, about 300 were caused by people either intentionally or accidentally misdirecting personal information.
In one of State Street’s instances, an individual mistakenly mailed monthly account statements to an accountant and investment advisor not hired by the accounts’ owners. The letter to the state said the typing error was not caught by a quality control review and the company is enhancing its processes to prevent future mistakes.
There is little technology can do to prevent typing errors, and some hackers will still get through the most stringent systems. But state officials say that with the right controls and training in place, businesses should be able to cut down on some of the costly mistakes. “We’ll never be 100 percent safe,” Anthony said.