We know that data thieves frequently target credit card data. When these thieves are successful, the various card brands (Visa, MasterCard, American Express, etc.) can levy heavy fines on the merchant who suffered the breach. Merchants who have chosen to accept credit and debit cards are contractually obligated to have in place a very prescriptive set of security controls, collectively known as the Payment Card Industry Data Security Standard (PCI-DSS), to prevent the unauthorized use or disclosure of cardholder data. In addition to large fines for non-compliance, a merchant can be held responsible for reimbursement of fraudulent charges and card reissuance costs. The merchant's reputation will certainly suffer in the court of public opinion.
As consumers, we expect the merchants we do business with to protect our credit card data and not allow it to fall into the hands of identity thieves or other nefarious users. Similarly, we expect every organization, website, and governmental agency to protect the data they require us to provide when using their services. As a merchant, as well as a data steward of customer (applicant, student, alumni, employee) data, the University is also expected to abide by best practices, legislative mandates and contractual obligations to protect the data we have been entrusted with. This includes meeting the highly prescriptive obligations of the PCI-DSS, as well as ensuring reasonable security measures are in place to protect the other data we have been entrusted with.
While most of us don't handle payment cards on behalf of the University, virtually all of us have access to sensitive data that must be appropriately protected. Protecting this data is a mixture of common sense and sound business processes. PCI-DSS requires that all employees be provided with annual information technology security awareness training, and all employees should have a common baseline knowledge of computer security threats and of the best practices that thwart unintended exposure of data. On a university campus, sensitive data exists in many locations, including centralized and departmental servers, your desktop computer, backup media, and paper forms. The records contained within this data include, but are not limited to, Social Security numbers, credit card numbers, driver's license numbers, addresses, passport numbers, student educational records, protected health information, research data, and other such information.
A recent study by the Ponemon Institute estimated the cost of a data breach to be $145 per compromised record. A data breach of only 1,000 records therefore could result in $145,000 in direct and indirect costs. Each of us must be vigilant and do our part to protect sensitive information. There are many practices which can contribute to a more secure environment. Here are a few we suggest you consider.
Each of us should be vigilant and proactive, as any breach of sensitive data results not only in costly remediation but also tarnishes the University's name and reputation. As always, if you have any suggestions or comments, please let us know.
Last Updated: July 31, 2014