Recent breaches raise spectre of liability risks

Organizations that fail to show due diligence when it comes to protecting their data assets face a very real risk of legal problems in the not-too-distant future, analysts said.

The renewed caution comes in the wake of last week’s news that hackers broke into a California state personnel database and gained access to financial and other confidential personal information on all 265,000 state government employees, including Gov. Gray Davis.

Incidents like this and the recent theft of more than 13,000 confidential records from Costa Mesa, Calif.-based Experian, a major credit reporting agency, are shining the spotlight more brightly than ever on liability issues for companies doing business over the Internet, warned Michael Rasmussen, an analyst at Giga Information Group Inc. in Cambridge, Mass.

“The whole issue has gotten to a scale where companies face a real risk of legal liability,” Rasmussen said. “There are going to be landmark cases where people are going to be suing other people. That is what is finally going to get the attention of companies.”

In the California incident, a hacker broke into a database housed at the state’s Stephen P. Teale Data Center in Rancho Cordova and accessed names, Social Security numbers and payroll information for everyone from office workers to judges.

The break-in occurred April 5 and was discovered by the state controller’s office May 7, but it wasn’t disclosed to the public or the state employees until May 24.

The handling of the incident has provoked criticism from the California Union of Safety Employees (CAUSE), which slammed state controller Kathleen Connell for the delay in informing victims that their personal information had been compromised.

“It is an outrage that the controller herself has been negligent in recognizing the peril posed by this high-tech invasion of privacy,” CAUSE President Alan Barcelona said in a statement.

Connell’s office refuted the criticism and said it had acted swiftly in asking the Sacramento Valley Hi-Tech Crime Task Force to conduct a criminal investigation of the incident.

“It is the Teale Data Center and not the state controller’s office that is solely responsible for the security breach, and that agency has accepted full responsibility,” Connell’s office claimed in a statement.

Incidents such as these show why companies need to ensure that they are following best practices around information security, said Rick Fleming, a vice president at Digital Defense Inc., a San Antonio-based security consultancy.

“It won’t take too many more cases of folks enduring identity theft or financial hardship for somebody to start suing,” he warned.

Fidelity Canada closes security hole

Toronto-based Fidelity Investments Canada Ltd. said it has corrected a problem that allowed an Ottawa college professor to access static account information belonging to other customers.

Fidelity spokeswoman Kimberly Flood said last week that the cause of the error, which affected customers only in Canada and data held on one server, is still under investigation. She added that the Web logs for the company’s site showed that no one else accessed the information. The Web site and server in question serve only 17,000 customers in Canada.

Flood said the company has offered to give the 30 customers known to have been affected new passwords for their accounts.

Ian Allen, a computer professor at Algonquin College in Ottawa, brought the glitch to Fidelity Canada’s attention in an e-mail sent May 24. Allen said he received a user identification from Fidelity Canada in the mail and then went to the Web site to check his account information.

“I got my paper user ID, brought up my statement and looked up at the URL. I thought, that is interesting the URL ended with cache/statement799.pdf,” he said. “I wondered, if they put [the account information] in the cache, how do they stop me from getting other things in the cache? And the answer is, they don’t.”

Allen said he changed the 9 to an 8 and hit the Return key, and up popped someone else’s statement. He kept changing numbers and sampled all the way down to 1 and got a hit each time.

Flood said the pages Allen accessed were static Portable Document Format pages containing only account information. They weren’t interactive pages that could be used for transactions, she said.

Allen wasn’t meant to see the address he saw, Flood said. “We certainly appreciate that he brought it to our attention,” she said.
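The flaw Allen describes is a predictable identifier (the number in cache/statementNNN.pdf) served with no check that the logged-in customer owns the statement. As an added illustration, not Fidelity's code, the Python below places a handler with that defect beside a hardened one that looks the record up by identifier and refuses unless the authenticated user is its owner, and adds a check over Web-log lines of the kind Flood says were reviewed; all usernames, statement numbers, log lines and the log format are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data (not Fidelity's): statement number -> (owner, text).
STATEMENTS = {
    799: ("alice", "alice's statement"),
    798: ("bob", "bob's statement"),
    797: ("carol", "carol's statement"),
}

class Forbidden(Exception):
    pass

def serve_statement_vulnerable(session_user: str, number: int) -> str:
    """Mirrors the flaw: the number in the URL alone selects the file and
    the logged-in user is never compared with the statement's owner."""
    _owner, text = STATEMENTS[number]
    return text

def serve_statement_hardened(session_user: str, number: int) -> str:
    """Look the record up by identifier, then refuse unless the
    authenticated user is its owner (reference-by-identifier plus an
    ownership check, the usual fix for this class of bug)."""
    record = STATEMENTS.get(number)
    if record is None or record[0] != session_user:
        # Same outcome for missing and foreign records, so a caller cannot
        # use the response to learn which numbers exist.
        raise Forbidden(f"{session_user} may not read statement {number}")
    return record[1]

# Constructed Web-log lines in a simplified "client method path status" form.
LOG = """\
10.0.0.5 GET /cache/statement799.pdf 200
10.0.0.5 GET /cache/statement798.pdf 200
10.0.0.5 GET /cache/statement797.pdf 200
10.0.0.9 GET /cache/statement642.pdf 200
"""
LINE = re.compile(r"^(\S+) GET /cache/statement(\d+)\.pdf (\d+)$")

def clients_enumerating(log_text: str, threshold: int = 3) -> dict:
    """Flag clients that fetched `threshold` or more distinct statement
    numbers; a legitimate session needs its own statement only."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == "200":
            seen[m.group(1)].add(int(m.group(2)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}
```

The log check is what lets an operator back up a statement like "no one else accessed the information" with evidence rather than assumption.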