Data
Security
A Year of Lessons Learned From 2010
Of all the pitfalls and challenges that businesses faced in 2010, the most overlooked hazard may have been data security, which has come to pervade business transactions and the collection of consumer data, whether it be online or offline. Although there were fewer data security breaches reported last year than the previous year, frequency is distinct from severity, and businesses must remain vigilant. Data security issues are the quintessential iceberg: a recognized threat at the surface level, but capable of causing ruinous damage in a worst-case scenario – an average $6.6 million in costs and expenses according to one study. It is not hard to see why. Legal obligations are confusing; the applicable laws are a complex and haphazard patchwork of state and federal laws; and the management of internal and external resources in the event of a breach or intrusion can be overwhelming, especially for public companies. As with all things, an ounce of prevention is worth a pound of cure. This article is intended to give businesses a few concrete tips to help bolster their data security efforts in 2011 by drawing from the lessons of 2010.
Resolution No. 1: Acknowledge the Risks
For starters, businesses would be remiss to underestimate their risk for a data security breach or intrusion. Security breaches do not selectively affect Fortune 500 companies – they can affect any business that stores information electronically. Nearly all businesses fall within this category, and are thus at risk.
Information does not have to be private or sensitive to be desirable to intruders. Some business owners may feel that they are not at risk for data intrusions because they do not collect what is known as “personally identifiable information,” such as individual names in conjunction with social security numbers, or credit card, bank account and pin numbers. However, data security threats are not limited to the theft of identities or account numbers. The reality is that information-collection is still big business, both domestically and overseas. Customer lists are attractive not only to competitors, but also to third-party intermeddlers looking to make a profit from delivering working e-mail addresses to advertisers or spammers. Not only is the content located on a network valuable to intruders, the computer resources themselves can be valuable. Any computer workstation could succumb to malicious code that would transform the computer’s hardware and resources into a vehicle designed to carry out a perpetrator’s unlawful scheme. This occurs when hackers or “hacktivists” collaborate to take down a Web site (like Mastercard or Paypal after the Wikileaks debacle): thousands of innocent home and business computers are compromised, enlisted in the perpetrators’ attack network and manipulated to execute a widespread coordinated service availability attack on an identified victim’s Web site. Business owners should thus, at a minimum, acknowledge the risks that exist, seek help in evaluating the potential for liability, and develop a plan to bolster their data security efforts.
Resolution No. 2: Encrypt
Everything
At a bare minimum, business owners should determine the extent to which their consumer, customer and business data is encrypted, and shore up those efforts if needed. Although the benefits of encrypting data would seem obvious, the legal reasons for pursuing a high-quality and comprehensive encryption system are plentiful. As many companies already know, the majority of states have data breach notification laws which require certain disclosures to be made if a data intrusion or breach occurs. However, a number of them carve out exceptions for data breaches or intrusions involving encrypted data. Simply put, if unencrypted data were accessed by intruders, a business could be overwhelmed by the legal obligations imposed by the various states to notify the individuals affected, as well as the applicable attorney general offices. If that data were encrypted, however, the obligations could be far less burdensome. Taking a thorough assessment of or revisiting the company’s encryption scheme should be on every owner or executive’s 2011 to-do list.
Resolution No. 3: Learn from the
Army’s Mistakes
The
largest breach of the most classified and sensitive documents in this nation’s
history was not a product of brute-force attacks carried out by overseas
hackers, not spyware, nor viruses, phishing, or any other malicious attack du jour – rather, those records were
quietly accessed and disclosed by an insider who possessed the necessary
credentials and was allowed access to such information: Army Pfc. Brad
Manning. Numerous similar “insider”
breaches occurred in 2010. For example,
a six-week employee of Ameriquest Mortgage used his
time at the company to lift personal information from mortgage applications to
create fraudulent ID documents, obtain credit cards, and hundreds of thousands
of dollars in cash. The
One of the most common examples of “insider” involves departing or former employees. In a number of cases, former employees lift business/proprietary data prior to their departure, or in some cases, use their passwords to access their employer’s business weeks after leaving the company. The lesson is that companies must evaluate the extent to which their communications, correspondence, company information, business data, client lists and other information is accessible to those who should not have access. Access restrictions are sometimes inconsistent or incorrect, third-party software add-ons can leave loopholes, and the warning signs provided by prophylactic measures (whether consisting of software or resources) could be missed or overlooked. In some cases, businesses establish access controls too rigidly – simply “allowing” or “denying” – without thoughtfully considering the extent to which limited access should be given. Businesses should evaluate which employees should be privy to certain types of information, implement those access controls and revisit them when appropriate. Legal counsel can help recommend other measures and controls that will help minimize the risk of valuable data leaving the company’s vaults.
Resolution No. 4: Manage the Cloud
Another major focal point for businesses seeking to bolster their data security and privacy efforts has involved the use of shared resources or tools based on cloud computing concepts. Although heralded as the solution for businesses seeking to maintain productivity while cutting costs and promoting efficiency, cloud-based applications are really nothing new. Online e-mail account, such as hotmail or gmail are good examples of commonly-used cloud applications. Cloud-based applications have exponentially grown in the last few years, however, and now offer businesses the ability to conduct nearly every facet of their day-to-day operations remotely, offering office suite software, CRM, ERP, financial, PIM, video/telephony and other services.
Companies should evaluate whether cloud-based solutions meet their IT or operational needs. However, depending on the sensitivity of the data being shared, there are several issues that companies should address before implementing such solutions. For example, companies should ensure that the contract with the solution provider addresses common data security and privacy issues, such as: who owns the business data stored on the provider’s remote systems? How does the solutions provider handle requests for information from outsiders, such as third parties, the government or auditors? What type of security policies exist? What is the provider's disaster recovery policy? How will the provider assist the company in transitioning its data to a new vendor if and when the relationship ends? How does the provider comply with applicable laws? Reputable cloud-based solution providers will be able to address these concerns. Companies should enlist their legal counsel as early as possible to assist.
Resolution No.
5: Prepare for the Lost and Unfound
The loss of data from a lost or stolen portable device can be devastating. Every day, business professionals lose their PDAs, laptops are stolen, iPhones and BlackBerries are forgotten in bathroom stalls, and flash drives fall off keychains, never to be seen or heard from again. It can happen to anyone – even the President of Qualcomm suffered the loss of his laptop (containing financial data, e-mails, and other proprietary information) at a conference years ago. No business wants its budget, five-year strategic plan, discussions of a merger or internal problems to fall into the wrong hands or become public – or have consumer or investor confidence affected by such a public event. The most notable incidents involving lost or stolen portable devices from last year resulted in the loss of nearly 300,000 Medicaid health records stored by a Pennsylvania health insurance company, when a flash drive containing this data was lost or misplaced; over 100,000 client records lost by the Colorado Department of Health Care Policy and Financing, when a hard drive from their IT office was stolen; over 800,000 and 14+ years of records stored by South Shore Hospital, whose back-up data tapes were apparently lost by their professional data management vendor; and over a million records stored by BlueCross BlueShield of Tennessee, which were lost after the theft of 57 hard drives. According to public records, it appears that every few days in 2010, a laptop, PDA or other device containing data or records was lost or stolen. Business should not only protect their mobile and storage devices from intrusion, but plan in advance for such casualties. Simply establishing remote wipe software could help mitigate the damage resulting from these types of unintended losses. Legal counsel can also help develop control plans, formal policies and procedures, and help navigate the legal hurdles that exist if sensitive consumer, patient, or student data is on a machine that is lost or stolen.
In today’s world, data security and privacy threats are rampant. Unlike other challenges in 2010, security risks will not subside if the economy improves. For help or more information about how Ice Miller can assist your business with data security and privacy concerns, please contact Michael Wukmer, Dustin DuBois, Alex Forman or any one of Ice Miller’s data security and privacy team.
This publication is intended for general information
purposes only and does not and is not intended to constitute legal
advice. The reader must consult with legal counsel to determine how laws
or decisions discussed herein apply to the reader's specific circumstances.