
Thursday, 11 March 2010

A truly international breach

News is breaking of a breach at HSBC affecting 24,000 customers with Swiss Bank Accounts. The implications of this breach are global, and the press is speculating that the breach could expose those using the accounts to avoid taxation in their home countries.

French authorities have identified a former IT employee of a Swiss subsidiary as the suspect and allege that the former employee obtained the information between late 2006 and early 2007. Initially, when HSBC discovered the breach, it thought it affected fewer than 10 customers. The reality is that approximately 15 percent of the bank’s customers could have been affected.

From a security standpoint there are a number of things that make this newsworthy. First, the breach was allegedly committed by an insider, and insider theft is among the greatest dangers to financial data. Second, it appears that the suspect was attempting to sell the data, with speculation that he was offering the information to countries seeking to identify tax evaders. Third, there is the numbers question: how could HSBC initially identify “fewer than 10” affected customers and then find that the breach in reality numbered in the tens of thousands? Finally, there is the question of sovereignty. France is one country that has access to some of the data. It has promised to turn the data over to Switzerland, but the plain fact is that there is no clear-cut law that would prohibit France from using the data against its own citizens who were using Switzerland to avoid taxation.

With truly international data breaches, how long will it take to get truly international legislation?

Thursday, 5 November 2009

First the telcos …?

Today brings news that the EU will require telecommunications companies to inform affected parties of data breaches. Although some would argue (and are arguing) that this measure should extend to all businesses – and we agree, eventually – the EU measure is a critical first step. Since telecommunications companies and service providers have online components as well as the means to store vast amounts of customer data, starting the measures with these groups makes sense.

We fully expect data protection measures to extend to different business types and industries, but these extensions should be done in a measured, controlled manner. The very worst thing that the EU could do is impose broad, blanket data protection measures that would affect all industries immediately. Historically, these measures (for example Sarbanes-Oxley in the United States) have created compliance costs and headaches that can be as difficult to maneuver as the problems they were intended to solve.

Rather than bemoan the fact that the measures are starting with the telcos, let’s look at this as an important first move that is being done correctly and that gives all businesses time to prepare for the inevitable cross-industry data protection measures that will emerge in the coming years.