Half A Billion Served…and Counting
- Date: 30 September 2011
- Author: broyer
- Category: Cloud Computing, News, Services, Virtualization
I’m pretty sure I don’t have to connect the cultural dots to explain the title of this post. However, MacDonnell Ulsch, CEO and Risk Analyst of Boston-based ZeroPoint Risk Research, spends a lot of his time “connecting the dots” between organized crime, terrorist financing, narcotics trafficking, trade secret theft, money laundering and cloud computing, revealing what Ulsch calls “the progression of increased regulatory, legal, financial, reputation and cascading risk.”
In his recent keynote before the Federal Financial Institutions Examination Council (FFIEC), which promotes uniformity and consistency in the supervision of financial institutions, Ulsch appears to hold innovations and paradigms – among them cloud computing – accountable for failing to meet the mandatory minimum requirements associated with data security and privacy regulations, a failure which could lay the foundation for other highly impactful risk.
“Technology innovation is in part what makes America great, and it is a clear demonstration that the U.S. is a technology leader,” said Ulsch. “Holding these cloud computing vendors accountable is fundamental and vital to managing information at risk.”
Pointedly, Ulsch contends that data breaches, including those originating both inside and outside of the organization, continue to affect companies at an alarming rate, and have resulted in nearly half a billion electronic records in the United States being compromised over the last six years.
Interestingly, Ulsch’s presentation took place in the backyard of the country’s toughest privacy regulation, 201 CMR 17.00, and he discussed many complexities associated with 201’s specific requirements in a cloud computing environment, including third parties with sensitive information access, information systems access, and physical plant access.
Ulsch, author of the book THREAT! Managing Risk in a Hostile World, encouraged the conference attendees to approach the management of risk from a post-breach perspective. “Assessing the potential impact of risk before it happens is the best way to put in place the protective mechanisms needed to reduce the likelihood of a breach or the severity of one,” he said. “Focus on managing vendor approaches on information security, information privacy, threat and risk analysis, compliance requirements, enforcement mechanisms, internal audit access and latitude, and foreign corrupt practices management.”
Understanding how a cloud vendor is going to manage these elements, said Ulsch, is critical to managing information risk as part of corporate governance. Questioning cloud providers about the approach to, and level of, due diligence applied to domestic and foreign partners and providers is increasingly necessary. How are background investigations conducted to prevent criminals and even terrorists from gaining employment in these companies? With billions of dollars of technology investment behind the development of communications networks in emerging foreign economies, what protections are principal cloud computing providers using to manage client information risk? While cloud computing is economically compelling, providers will constantly seek lower-cost services to remain competitive.
You know, I get Ulsch’s suggestion that an ounce of prevention is worth a pound of cure; however, I think in this case he’s not giving enough credit to cloud computing as a technology that, implemented properly, actually shields data from being compromised. I’ll even grant him that cloud computing vendors have to be held accountable for securing data in their possession. From where I sit, however, for him to “connect the dots” from all of the “organized” activities and outcomes outlined in his address to the practice and deployment of cloud computing results in well-intentioned, albeit fallacious, thinking. In fact, cloud computing is neither fully panacea nor pariah.
On a related front…
Recently, Mississippi became the 46th state to enact a data breach notification law. Mississippi has joined the majority of other states and now has a law that governs an organization’s obligations should it suffer a data breach relative to Personal Information (PI) of a Mississippi resident.
Similar to many other state data breach notification laws, the obligation falls on any organization which owns, licenses or maintains PI of any resident of Mississippi. Like others, Mississippi defines PI as an individual’s first name or first initial and last name along with Social Security number, driver’s license number or financial account number or credit card number (along with the required security or access code).
Under the new law, should an organization be required to notify impacted individuals of a breach of their PI, such notice must be made without unreasonable delay. Notice can be made in writing, by telephone, through electronic means (if the organization’s primary means of communication with the affected individuals is electronic), or through substitute notice (provided that the cost of providing notice would exceed $5,000 or the affected class of persons is more than 5,000 individuals).
A safe harbor exists if, after an appropriate investigation, the entity reasonably determines that the breach will not likely result in harm to the affected individuals. If the PI was encrypted, there is a presumption that harm will not result. In either case, notification would not be required.
Oh, and to those four other states in the United States that have not passed similar legislation – I’m talking to you, Alabama, Kentucky, New Mexico and South Dakota – to use another finely tuned colloquialism, it’s probably time to “finally get with the program.”
To help your organization reduce the risk of data theft, contact Venyu today.