STAMFORD, CT--(Marketwire - Apr 8, 2011) - Protegrity USA, Inc., a leading provider of end-to-end data security solutions, today issued guidelines to help companies protect their Personally Identifiable Information (PII), such as names, email addresses and passwords, in the wake of the Epsilon data breach. On Friday, April 1, Epsilon Interactive announced that unknown intruders had broken into one of its email servers and accessed names and email addresses belonging to the customers of some of its 2,500 corporate clients, including Best Buy, Citibank, Disney, JPMorgan Chase, Hilton and Marriott. Had standard corporate security office (CSO) protocol been followed and modern data security solutions been in use, this breach could have been prevented.
"The Epsilon breach is further evidence that companies and their so-called trusted partners are not following best practices or using the most advanced technologies to secure sensitive customer information," said Iain Kerr, President and CEO for Protegrity USA, Inc. "To avoid breaches like this, companies really need to understand the full scope of their sensitive data flow and concentrate on protecting not just the network but the data itself. The Epsilon case is also a huge wake-up call that companies absolutely need to hold all outside partners that handle their sensitive information to the highest data security auditing standards."
To maximize protection for PII data and eliminate the risk of brand damage resulting from breaches experienced by Epsilon and its customers, Protegrity offers these guidelines:
Treat PII data as if it were financial information - PII has become a primary target of malicious attacks because it can be exploited in phishing scams that probe for more valuable information such as credit card and bank account numbers. Since there are fewer regulations and guidelines available for protecting PII, we recommend looking to more established regulations and applying their requirements. For example, by protecting PII as you would financial information, you ensure that you have strong security measures in place to mitigate the next breach. Organizations can refer to publicly available guidelines, such as PCI DSS 2.0, to establish an internal PII data security policy that is run by the corporate security office.
Know where your data is going and protect the data first and foremost - Most companies have focused their data protection strategies on protecting the network where the data is stored, rather than protecting the actual data. Start with an internal data classification audit that walks through your data flow for your internal business processes as well as all external processes with third party vendors to identify all potentially sensitive data. Outsourcing your database hosting duties does not mean that you outsource liability.
Audit your data flow, and be sure your vendor is also audited regularly - Once you know your data flow and have classified the data, you should then determine that any vendors with access to the data are complying with your standards for data security. At a minimum, you must know what type of security solution your third party firm is using during data transit and at rest, and when and how frequently that firm is audited.
Protect your PII data with modern solutions - While Epsilon did not disclose what type of data security solution it was using when its servers were breached, the company reportedly was not using encryption. Organizations need to actively monitor emerging data security solutions because older techniques like access control, masking and hashing are no longer sufficient on their own: a hash of a guessable value such as an email address, for instance, can be reversed simply by hashing candidate addresses and comparing the results. At a minimum, PII should be protected by modern encryption; tokenization, however, provides the strongest and most cost-effective data security.
Ensure separation of duties - Creating a separation of duties between the corporate security office and the database administrator will ensure that no single individual or group controls access to information in the database without oversight of the CSO. This separation of duties should also be established between the CSO and anyone who administers IT systems that data flows through.
About Tokenization
Tokenization is the process of protecting sensitive data by replacing it with alias values or tokens that are meaningless to someone who gains unauthorized access to the data. Businesses are increasingly turning to tokenization to secure their high risk data, such as PII and credit card numbers, because this emerging technology assures the highest level of protection while dramatically lowering the cost of data security compliance. Protegrity Tokenization customers benefit from a tokenization solution that is higher performing, more scalable and much faster to deploy than any other solution on the market. For more information, please visit http://www.protegrity.com.
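The following is an added illustration of the vault-style tokenization described above, and of the point made earlier that hashing a guessable value such as an email address does not protect it. It is example code written for this page, not Protegrity's product or any code from Epsilon; it assumes random tokens, an in-memory Python dictionary standing in for the protected vault, and a hypothetical "pii_reader" role that gates detokenization. The customer records and guess list are constructed sample data.

```python
import hashlib
import secrets


class TokenVault:
    """Minimal vault tokenization: sensitive value -> random token.

    The token carries no information about the value; the only way back is
    the vault's own table, which in production lives on a separate,
    access-controlled system and is never co-located with the tokenized data.
    (Illustrative example; the role name "pii_reader" is an assumption.)
    """

    def __init__(self):
        self._by_value = {}   # value -> token, so a repeated value maps to one token
        self._by_token = {}   # token -> value, the mapping that must be protected

    def tokenize(self, value):
        token = self._by_value.get(value)
        if token is None:
            while True:
                # 16 random bytes (32 hex chars); the loop guards against a collision
                token = "tok_" + secrets.token_hex(16)
                if token not in self._by_token:
                    break
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token, caller_roles):
        # Reversal is a privileged operation; enforcing the role check here means
        # application code that merely holds tokens cannot recover PII on its own.
        if "pii_reader" not in caller_roles:
            raise PermissionError("detokenization requires the pii_reader role")
        return self._by_token[token]


# Constructed sample records (not real customer data).
CUSTOMERS = [
    {"name": "Ada Example", "email": "ada@example.com"},
    {"name": "Bob Sample", "email": "bob@example.net"},
    {"name": "Ada Example", "email": "ada@example.com"},  # repeat: gets the same token
]


def tokenize_records(records, vault):
    """Return copies of the records with the email column replaced by tokens."""
    out = []
    for rec in records:
        safe = dict(rec)
        safe["email"] = vault.tokenize(rec["email"])
        out.append(safe)
    return out


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def recover_hashed_email(digest, candidates):
    """Dictionary attack on an unsalted hash: email addresses are guessable, so
    hashing them does not hide them from anyone holding a candidate list."""
    for cand in candidates:
        if sha256_hex(cand) == digest:
            return cand
    return None


def demo():
    vault = TokenVault()
    safe = tokenize_records(CUSTOMERS, vault)
    # The tokenized copy can be handed to a mailing vendor without exposing addresses.
    tokens = [r["email"] for r in safe]
    # An attacker holding a hashed copy plus a guess list recovers the address...
    guesses = ["alice@example.com", "bob@example.net", "carol@example.org"]
    recovered = shared = recover_hashed_email(sha256_hex("bob@example.net"), guesses)
    # ...whereas a token yields nothing without the vault and an authorized role.
    addr = vault.detokenize(safe[1]["email"], caller_roles={"pii_reader"})
    return {"tokens": tokens, "recovered_from_hash": recovered, "detokenized": addr}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the two dictionaries would be a separately hosted, audited vault, and the role check would be backed by the organization's identity system so that the database administrator and the security office do not both hold the key to reversal.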
About Protegrity
Headquartered in Stamford, Conn., Protegrity provides high performance, infinitely scalable, end-to-end data security solutions that protect sensitive information across the enterprise from the point of acquisition to deletion. The company's award-winning software products span a variety of data protection methods, including end-to-end encryption, tokenization, masking and monitoring, and are backed by several important data protection technology patents. Currently, more than 200 enterprise customers worldwide rely on Protegrity's comprehensive data security solutions to enable compliance with PCI DSS, HIPAA and other data security requirements while protecting their sensitive data, brand, and business reputation. For more information, please visit http://www.protegrity.com.
Contact Information:
Media Contact:
Shannon Hutto
Bateman Group for Protegrity
(415) 503-1818
protegrity@bateman-group.com