Preventing Data Breaches – On the Cheap
In a prior post, Warren Buffett’s Fighting Stance, the principles of a good martial arts fighting stance were applied to protecting competitive, proprietary information. The value of a good “information protection fighting stance” was also highlighted in the wake of the recent data breach (noted in an earlier post) in which Heartland Payment Systems disclosed that it had been subject to a massive intrusion into its card-processing network, potentially exposing the card data of more than 100 million cardholders. Now, a week after that disclosure, Heartland will have to defend class action litigation arising from the breach: a lawsuit filed on January 27, 2009 in the U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers of the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud.
This massive data breach is likely to galvanize support for federal legislation. In this regard, Senator Dianne Feinstein (D-Calif.) re-introduced two bills concerning consumer privacy protection earlier this month. Additionally, immediately after taking the oath (the first time), President Obama outlined his plan to enhance the nation’s cyber-security.
While it is premature to weigh in on the merits of federal data protection legislation, companies may actually welcome such steps. For example, President Obama’s plan and federal legislation would likely alleviate a company’s burden in complying with the existing patchwork of state data protection and security breach notification laws. Federal legislation would also bring the additional resources and enforcement power of the federal government to an area that routinely crosses state and international lines.
In the meantime, however, companies have a number of low-cost options for improving their own information security fighting stance. The significance of taking such steps is underscored by two points:
First, Verizon’s 2008 Data Breach Investigations Report, covering more than 500 breaches its investigators worked, concluded that more than half of those breaches required no or only a low degree of skill to perpetrate, and that the large majority of them could have been prevented by basic security tools and precautions.
Second, a 2008 Computer Security Institute survey of 144 respondents put the average loss from computer security incidents at $288,618 per respondent.
So with this in mind, companies should consider incorporating these points into their information protection fighting stance:
- Identify the information to be protected: Satisfying a company’s obligation to protect information begins with understanding what information the company has and where it is located. Private personal customer data, like sensitive company information such as transaction data, R&D results and corporate financial records, is often stored (or duplicated) in widely dispersed locations: file shares, e-mail, laptops, backups, test systems and vendor systems among them. The company cannot protect information until it knows that it exists, where it is located, and how it is used and stored, so the inventory should be built by searching those locations for the data itself rather than by relying on what each department believes it holds.
- Control Access: Once a company identifies the information to be protected, it needs to restrict access to that information, paper and electronic files alike, to those with a legitimate business need for it. Companies also need to re-evaluate their access controls continually, so that terminated employees’ and contractors’ accounts are disabled on the day they leave and access rights are reassessed as job responsibilities change. This point may prompt a sarcastic “ya think so, Einstein?”, but this oversight happens, a lot. See Former Fannie IT Contractor Indicted for Planting Malware (the IT contractor was terminated, but his server privileges were not). A periodic reconciliation of every enabled account against the HR roster is a cheap way to catch both problems.
- Employee Education: Training and education for employees is a critical component of any security program. Without it, the rest of the program is analogous to installing heavy-duty doors with state-of-the-art locks but leaving the doors wide open or forgetting to lock them, so that anyone may pass through. Simply put, security measures are of little value if employees do not understand their roles and responsibilities.
- Control what and how information leaves the office: Companies should have a written policy for when, and under what circumstances, employees may remove personal information from the company facility. This is especially important because portable devices and laptops are among the most common sources of a data breach. For example, a June 2008 study conducted by the Ponemon Institute on behalf of Dell found that more than 12,000 laptops are lost each week as their users pass through U.S. airports. Additionally, companies may find themselves on the hook for the negligence of their employees in mishandling data. See Bell v. Michigan Council 25 of American Federation of State, County, Municipal Employees, AFL-CIO, Local 1023 (Mich. App. 2005), where plaintiffs, victims of identity theft, asserted that the union they were members of was liable for not safeguarding their personnel information and that this negligence facilitated the identity theft perpetrated by a third party. On appeal, the court found the union did owe plaintiffs a duty and that the question of negligence was properly submitted to the jury.
- Encrypting Private Data: There are a number of commercial encryption solutions available to protect digital information. Small businesses and business professionals could also consider open source solutions like TrueCrypt (www.truecrypt.org), free, open source, on-the-fly encryption software that can encrypt a dedicated container file on your hard drive, a partition or the whole disk, as well as removable storage devices. (TrueCrypt’s developers ended the project in 2014; VeraCrypt is its maintained successor.) Encrypting or redacting data may also eliminate the need in some states to provide notification of a data breach, but the encryption has to be real: whole-disk encryption on a laptop only protects a machine that is powered off when it goes missing, and a safe harbor is of little use if the encryption key or passphrase was lost along with the data.
- Don’t Forget Third Parties: Attention should be given to third-party vendors with access to protected information. This includes evaluating their information security, conducting background checks, and addressing data security in contractual agreements. It is good practice to spell out in the agreement the vendor’s responsibilities for protecting the data and for reporting breaches, including how quickly a breach must be reported. You may also want to reserve the right to conduct periodic audits of the vendor’s security measures, and to shift the risk of exposure onto the vendor.
- Properly Destroy Personal Information: Properly disposing of personal and confidential information is a must. For an egregious example of why data needs to be properly destroyed (and its disposal monitored), see Thrift shop MP3 player contained U.S. military documents. For paper, this means shredding. For storage devices containing personal information, deleting files or reformatting is not sufficient: both leave the data on the media for anyone with recovery software. Instead, destruction should follow a recognized standard, such as the overwriting method associated with U.S. Department of Defense Standard DoD 5220.22-M or, more current, NIST Special Publication 800-88 (Guidelines for Media Sanitization), to ensure that old data cannot be recovered. Note that overwriting is unreliable on flash media such as USB sticks and solid-state drives, whose controllers remap blocks behind the operating system’s back; for those, physical destruction (or destroying the key of a drive that was encrypted from the start) is the safe course.
- Prepare for the Worst, ahead of time: If a breach occurs, how will the company respond? A number of issues need to be addressed, including technical, legal, and public relations issues. The plan should ensure that the appropriate persons within the organization are promptly notified of a security breach, and that prompt action is taken to respond to it (stopping further compromise, preserving logs and affected systems for forensic examination, and working with law enforcement), to notify regulators and people who may be injured, and to deal with the press. The plan should clearly address how the company will comply with the applicable security breach notification laws, and it should be rehearsed before it is needed. Certainly no business professional wants to be put in the position of addressing these decisions, let alone making these difficult decisions on the fly.
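The first point above, knowing where protected data actually lives, is the one most often skipped because it sounds obvious. As an added example (not code from the original post or from any report it cites), here is a small scanner that does the search rather than the survey: it walks a directory tree, pulls out 13- to 19-digit runs, and keeps only those that pass the Luhn mod-10 check that payment card numbers satisfy, which discards most phone, badge and ticket numbers. The files it scans are constructed in a temporary directory for the demonstration; the card numbers in them are well-known public test numbers.

```python
"""Find files that appear to hold payment card numbers (PANs).

Added example for this post, not code from the original article. Walks a
directory tree, extracts 13-19 digit runs (digits may be separated by single
spaces or dashes) and keeps only runs that pass the Luhn check. The sample
tree it scans is constructed in a temporary directory for the demo.
"""
import os
import re
import shutil
import tempfile

# 13-19 digits with optional single space/dash separators, bounded by
# non-digits so a longer digit string is not reported in pieces.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the separator-stripped digit runs in text that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so the scan report is not itself a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Map each file (path relative to root) to the sorted masked PANs in it.

    Oversized files are skipped; undecodable bytes are ignored, which is
    enough for CSV, text and most log files.
    """
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue
            if pans:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = sorted({mask(p) for p in pans})
    return findings


# Constructed sample tree: two public test card numbers in a forgotten export,
# plus look-alike digit runs (13 and 14 digits, failing Luhn) that must not hit.
SAMPLE_FILES = {
    "exports/refunds_2008.csv": "id,card,amount\n17,4111 1111 1111 1111,19.99\n"
                                "18,5500-0000-0000-0004,5.00\n",
    "notes/phone_list.txt": "call back on 1234567890123 or 555-123-4567\n",
    "hr/badges.txt": "badge 20090127000113 issued\n",
}


def demo() -> dict:
    """Write the constructed files to a temp dir, scan, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="pan-scan-")
    try:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, pans in demo().items():
        print(f"{path}: {', '.join(pans)}")
```

Point `scan_tree` at a file share, an old backup restore or a developer’s workstation and the output is the start of the inventory the bullet asks for. The report masks all but the last four digits on purpose: a discovery report listing full card numbers would itself be a file that needs protecting.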
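The access-control point, that accounts of departed staff and of people who changed jobs keep working, is just as cheap to check. As an added example (not code from the original post), the following review reconciles an account export against an HR roster. Both data sets are constructed for the demo, with fields that mirror what a directory or application export typically provides (owner, enabled flag, group memberships, last sign-in), and the ROLE_GROUPS table is a hypothetical approved-access matrix. It flags enabled accounts whose owner HR lists as terminated, enabled accounts with no HR owner at all, accounts holding groups beyond what the owner’s current role is approved for, and accounts nobody has signed into for a set number of days.

```python
"""Reconcile enabled accounts against the HR roster.

Added example for this post, not code from the original article. The HR
roster, the account export and the ROLE_GROUPS matrix are all constructed
for the demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                      # "active" or "terminated"
    role: str
    term_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]         # None for accounts not tied to a person
    enabled: bool
    groups: FrozenSet[str]
    last_login: Optional[date]


# Hypothetical approved-access matrix: the groups each role may hold.
ROLE_GROUPS: Dict[str, FrozenSet[str]] = {
    "payroll_clerk": frozenset({"payroll-ro"}),
    "dba": frozenset({"db-admin", "prod-servers"}),
    "contractor_unix": frozenset({"prod-servers"}),
}

Finding = Tuple[str, str, str]       # (username, category, recommended action)


def review_accounts(people: List[Person], accounts: List[Account],
                    today: date, stale_days: int = 90) -> List[Finding]:
    """Return one finding per problem found; disabled accounts are skipped."""
    by_id = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue
        owner = by_id.get(a.person_id) if a.person_id else None
        if owner is None:
            findings.append((a.username, "orphan",
                             "no HR owner; disable, or assign and document an owner"))
            continue
        if owner.status != "active":
            findings.append((a.username, "terminated-owner",
                             f"owner left on {owner.term_date}; disable immediately"))
            continue
        # Mover check: groups the owner's current role is not approved for.
        excess = a.groups - ROLE_GROUPS.get(owner.role, frozenset())
        if excess:
            findings.append((a.username, "excess-access",
                             f"groups beyond role {owner.role}: {sorted(excess)}"))
        if a.last_login is None or (today - a.last_login).days > stale_days:
            findings.append((a.username, "stale",
                             f"no sign-in in {stale_days} days; confirm need or disable"))
    return findings


def sample_review() -> List[Finding]:
    """Run the review over constructed data as of 2009-01-28."""
    today = date(2009, 1, 28)
    people = [
        Person("P1", "active", "payroll_clerk"),
        Person("P2", "terminated", "dba", date(2009, 1, 5)),   # left; account never disabled
        Person("P3", "active", "payroll_clerk"),              # transferred from the DBA team
        Person("P4", "terminated", "dba", date(2008, 6, 30)),
        Person("P5", "active", "contractor_unix"),
    ]
    accounts = [
        Account("alice", "P1", True, frozenset({"payroll-ro"}), date(2009, 1, 20)),
        # bob signed in three weeks after his termination date
        Account("bob", "P2", True, frozenset({"db-admin", "prod-servers"}), date(2009, 1, 26)),
        Account("carol", "P3", True, frozenset({"payroll-ro", "db-admin"}), date(2009, 1, 27)),
        Account("dave", "P4", False, frozenset({"db-admin"}), date(2008, 6, 29)),
        Account("erin", "P5", True, frozenset({"prod-servers"}), date(2008, 9, 1)),
        Account("svc-backup", None, True, frozenset({"prod-servers"}), None),
    ]
    return review_accounts(people, accounts, today)


if __name__ == "__main__":
    for user, kind, action in sample_review():
        print(f"{user:12} {kind:18} {action}")
```

Run against real exports, the “terminated-owner” line is exactly the Fannie Mae situation caught before the former contractor has a chance to use it, and the “excess-access” line is the job-change case that no termination process catches. The review is only as good as the HR feed, so the orphan category matters: service and vendor accounts with no named owner are where stale privileges hide longest.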
In addition to preventing costly data breaches, these low-cost steps also show your customers and employees that you are taking extra precautions to protect their data, which, given how many companies do not, may separate you from your competitors.
Jason Shinn works with companies to address best practices for information protection, including complying with state and federal laws. Feel free to contact him with any questions or concerns about this topic and the issues raised in this post.