E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: Forbes

Posted on January 11, 2010

Next time you spill a latte on your laptop or drop your hard drive, you may want to think twice about who you pay to salvage your data. You may recover your precious PowerPoint presentation - but you could lose something far more valuable.

Data-recovery services are responsible for a surprisingly large chunk of privacy breach incidents, in which companies lose control of personal data pertaining to employees or customers, according to a study released Tuesday by the privacy-focused group the Ponemon Institute. Data-recovery services are responsible for as many as one in five of the data-loss incidents at companies that hire the services, the report says.

The Ponemon study surveyed 636 information technology professionals who had used data-recovery services or had knowledge of them. Of the 83% of respondents whose organizations had at some point lost their customers' sensitive data, 19% said they had experienced a data breach when they hired a third-party data-recovery firm.

"A lot of organizations are focused on firewalls or perimeter controls and ignoring simple issues like these," says Larry Ponemon, the group's chief executive. "You're handing over your company's crown jewels to a stranger, often without assessing what security controls are in place to reduce the risks."

Ponemon's definition of a breach doesn't necessarily include identity theft or even a malicious person--it's merely a situation in which personal data leaves a company's control. But in many cases just that movement of data can constitute a security violation. When sensitive information like social security numbers or credit card data is involved, companies are legally required to notify affected customers or employees.

For an example of those security nightmares, look no further than the National Archive and Recording Administration (NARA). Last November, the agency's officials were called before the House of Representatives' Oversight and Government Reform Committee to explain an incident in which a hard drive with 76 million veterans' personal records had been sent to a contractor for repair without encrypting or erasing the information.

In that hearing, NARA officials argued that the information had been in the hands of trusted contractors and thus safe. But the agency's own inspector general countered that the hard drive had been in the hands of multiple companies before it was eventually disposed of, potentially exposing its data to theft and government standards violations. Rep. Patrick McHenry, R-N.C., accused the agency of "staggering negligence" and "a culture of blatant disregard" of security policies.

Other incidents have led to more easily traceable harm. One financial services organization interviewed by Ponemon discovered that its data-recovery service employed staff with criminal records, and these employees had sold information on high-net-worth individuals whose information had been stored on a damaged laptop.

Ponemon's survey showed a disconnect between companies' awareness of data-recovery security problems and the measures they take to avoid breaches. More than 80% of respondents said that security should be a "major criterion" when choosing a data-recovery contractor. But only 22% of respondents said they felt their data-recovery service was "secure." Half of the respondents said their IT security staff is involved in choosing a data recovery firm. Forty-six percent don't have a company policy regarding the security of data recovery, such as sending only hard drives without personal data, or with all personal data encrypted, to the services.

"Companies are trusting their data to third parties without a lot of vetting," Ponemon says. "These are people who could be incompetent or even criminal. The risk is very real."


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
