The National Identity Register (NIR), containing the private and biometric details of British citizens, will become a prime target for organized crime, according to critics. British politicians are once again calling for assurances that fail-safe measures will be employed to protect the new database.
Three more U.S. states, Indiana, Wisconsin and Nebraska, have adopted laws on confidential data leaks, bringing the total number of states with their own data breach laws to 26. The IT Compliance Institute reports that 26 states plus Puerto Rico now have their own data breach laws. According to InfoWatch experts, any companies suffering data leaks will have their work cut out making sure they comply with all the existing laws.
Morgan Stanley has agreed to pay a fine of $15 million for incorrectly storing e-mails, and to adopt IT security policies and training procedures concerning the retention of correspondence under the supervision of an independent consultant. According to InfoWatch experts, the company’s losses could have been avoided by spending considerably less on an ordinary e-mail archive and an IT security policy.
A report by U.S. congressional auditors has concluded that the costs of complying with the Sarbanes-Oxley Act (SOX) of 2002 have been higher than anticipated. The findings are likely to provide ammunition for further attacks on SOX by U.S. businesses, but, according to InfoWatch experts, if SOX is to be reformed, it needs to be done extremely carefully. Focusing on internal controls and cutting their costs would be far more effective.
Following the theft of a Wells Fargo computer, the bank has announced yet another leak of client data. It is the fourth such incident to affect the bank since late 2003. However, the bank has no plans to improve its security measures, instead making money out of such incidents by charging its customers for services to prevent identity theft. With time, according to experts at InfoWatch, Wells Fargo’s strategy is likely to drive its clients away from the bank.
A recent survey by ICBI on risk management has revealed that Basel II is the biggest concern for financial companies. The majority of U.S. banks are confident they can meet the deadline for compliance with Basel II, but are worried about some aspects of risk management.
U.S. firm Mercantile Bankshares has lost a laptop computer with the private details of 48,000 clients. The thieves now have access to thousands of Social Security and bank account numbers. The theft was made possible after an employee violated Mercantile policy by removing the laptop from the company offices. According to experts at InfoWatch, even though there were administrative restrictions, the information on the stolen computer should have been encrypted.
MasterCard and Visa, who recently informed consumers about a leak of credit card details from a British retailer, have refused to identify the careless company. Those affected by the leak are now insisting they have a right to know who failed to protect their private data. Analysts at InfoWatch suggest the best way to avoid an escalation of the conflict would be to introduce legislation to regulate such incidents.
Experience has shown that Sarbanes-Oxley is failing to protect whistleblowers from retaliation by their employers. The safeguards promised by the act have failed to materialize when cases end up in court, and experts at InfoWatch suggest that this is because many employees are unclear as to who exactly Sarbanes-Oxley is supposed to protect.
Foreign companies represented on the U.S. stock exchanges are currently so immersed in the task of complying with Section 404 of SOX for the first time that they have lost sight of the long-term effects of their actions. As a result, internal controls could well cost much more than they really have to over the next few years. Experts at InfoWatch point out that those companies ought to invest in integrated and long-term solutions that provide full control over regulatory risks and minimize the costs of complying with statutory acts.