Data Security: Why Care? Steps to Prevent a Data Security Breach

August 17, 2011
Curtis Capeling

A recent survey of 583 large and small private sector and government organizations reports that 90% of respondents' networks were breached at least once by hackers, and more than half had two or more breaches in the past 12 months. I was stunned to read that, but as the recent stories of hacking even at Lockheed Martin and Sony have shown us, today it is often a question of "when", and not "if", when it comes to data breaches.

I was less surprised by the consequences. Forty-one percent of respondents lost $500,000 or more in cash outlays, labor, overhead, lost revenue and other expenses as a result of their security breach, and based on recent regulatory enforcement trends, I would expect the costs of a breach to continue to rise. Regulatory actions against companies following security breaches are no longer limited to businesses with industry-specific regulations, such as healthcare and financial services. There has been a sharp uptick recently in investigations by state attorneys general and the FTC into security breaches, and with states passing new security laws, such as those in Massachusetts, this trend is likely to continue.

The Federal Trade Commission recently entered final orders against Ceridian Corporation and Lookout Services, Inc. after asserting they had engaged in unfair or deceptive acts by "fail[ing] to provide reasonable and appropriate security for the personal information" despite the assurances of data security in their advertising materials. Among other things, those orders require the companies to maintain comprehensive security programs and to submit reports from third-party consultants on their security measures and effectiveness, and those obligations continue for the next 20 years. To date the FTC has acted against only fairly blatant security failures, but the warning is clear. Perhaps even more alarming, class action lawsuits are becoming common following a data security breach, and the plaintiffs' bar is starting to view data breach lawsuits as the next "asbestos".

Survey respondents reported complexity and resource limitations as the biggest barriers to improving network security. Given the cost and apparent probability of a breach, perhaps we all should apply more resources to thwarting attacks, and develop our capacity to detect and contain breaches. Almost all states have laws requiring companies to provide notice of data security breaches, and HIPAA includes a notification requirement with respect to protected health information. From a legal perspective, we should prepare for the possible loss of sensitive customer and employee data.

Here are some steps you can take to help prevent a data security breach:

  1. Appoint a chief privacy officer and empower that person to analyze and improve your data collection and security practices, and implement data collection, protection and destruction policies. Then keep the policies up to date and comply with them.
  2. Analyze what data you collect and why – collect only what you need to run your business and destroy it securely as soon as you no longer need it. Dispose of records and equipment containing personal information in a secure manner, and don't just put them in the garbage. Shred paper records with a cross-cut shredder and overwrite the data on hard drives or destroy them. Destroy disks or tapes containing personal information before disposing of them.
  3. Assess the vulnerability of your network to commonly known and reasonably foreseeable attacks, and conduct periodic penetration tests of the effectiveness of systems and staff in detecting and responding to security breaches. Hire a security analyst to help with this unless your IT department has the relevant expertise. Use intrusion detection technology to detect efforts to access sensitive data, and make sure someone is actually responsible for reviewing and acting on its alerts; a detection system nobody watches provides no protection.
  4. Scale your data security measures based on the sensitivity and volume of the data you hold, but at a minimum implement the data security assurances you give to customers, including any in your marketing materials and website.
  5. Train your employees who have access to data to protect it. Limit access to employees who need the information to do their jobs, and terminate access rights of former employees and contractors immediately. Avoid employee failures by training them never to share passwords or reuse them across systems. Note that forcing password changes on a fixed schedule is now discouraged by NIST guidance (SP 800-63B) because it pushes people toward weaker, predictable passwords; change passwords when a compromise is suspected rather than on a calendar. Run background checks on employees who will have access to data.
  6. Protect information on laptops and other portable devices by limiting the number of people permitted to carry sensitive information on portable devices. Encrypt personal information on laptops and portable devices, and wherever feasible encrypt personal information on your network.
  7. Require service providers and business partners who handle your sensitive data to follow your security policies and procedures. Make compliance a part of your contract and monitor and enforce compliance. Use a business associate agreement when required.
  8. Avoid simple mistakes. Make sure your IT staff updates software to address known vulnerabilities. Never store passwords in clear text, and do not "encrypt" them either, since anyone who obtains the key recovers every password; store only a salted hash computed with a deliberately slow algorithm such as PBKDF2, bcrypt or scrypt, so that a stolen database cannot simply be read back into passwords. Require "strong" passwords, meaning long ones that combine letters, numbers and symbols. Lock out users after a small number of incorrect user ID and password combinations (the article's suggestion is three), but be aware that a permanent lockout lets an attacker deny service to legitimate users simply by guessing wrong on purpose, so a temporary lockout or rate limit is usually the better choice. Don't use faxes, unencrypted email or voice mail to send messages containing sensitive personal information.
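The password-storage and lockout advice in item 8 is easy to get wrong, so here is an added example (not code from the original post) of the correct pattern using only the Python standard library: each password is stored as a per-user salted PBKDF2-HMAC-SHA256 hash, verification uses a constant-time comparison, and an account is locked after a configurable number of failures. The iteration count, the three-attempt limit and the `Credential` record are assumptions chosen for the example, not something the article specifies.

```python
"""Added example: salted slow-hash password storage with a failed-attempt
lockout, in the spirit of item 8 above. Standard library only."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed parameters for this example. Raise PBKDF2_ITERATIONS as hardware
# gets faster; the aim is that one guess costs the attacker real CPU time.
PBKDF2_ITERATIONS = 600_000
MAX_FAILED_ATTEMPTS = 3  # the article's suggestion; see the caveat on lockout DoS


@dataclass
class Credential:
    """What the database holds for one user: a salt and a hash, never the
    password itself and never a reversibly encrypted copy of it."""
    salt: bytes
    digest: bytes
    iterations: int
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str,
                  salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Credential:
    """Create the stored record for a new or changed password."""
    # A fresh random salt per user means two users with the same password
    # get different digests, and precomputed (rainbow) tables are useless.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return Credential(salt=salt, digest=digest, iterations=iterations)


def verify_login(cred: Credential, password: str) -> bool:
    """Check a login attempt. Returns True only on a correct password for an
    unlocked account, and updates the lockout state on the record."""
    if cred.locked:
        # A locked account fails even for the right password; an operator
        # (or a timed reset) has to clear it.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    cred.salt, cred.iterations)
    # compare_digest runs in constant time, so response timing does not
    # leak how many leading bytes of the hash matched.
    if hmac.compare_digest(candidate, cred.digest):
        cred.failed_attempts = 0
        return True
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        cred.locked = True
    return False


def unlock(cred: Credential) -> None:
    """Administrative or time-based reset of a locked account."""
    cred.failed_attempts = 0
    cred.locked = False


if __name__ == "__main__":
    # Constructed sample: one user, one correct login, then repeated guesses.
    record = hash_password("correct horse battery staple")
    print("stored digest (hex):", record.digest.hex())
    print("correct password accepted:", verify_login(record, "correct horse battery staple"))
    for guess in ("password", "123456", "letmein"):
        print(f"guess {guess!r} accepted:", verify_login(record, guess))
    print("account locked after bad guesses:", record.locked)
    print("correct password while locked:", verify_login(record, "correct horse battery staple"))
```

The stored `digest` cannot be turned back into the password, which is the whole point: a copy of the table is of little use to a thief without a slow, per-user brute-force effort. The lockout flag is kept on the record to keep the example self-contained; in a real system you would also log the failures and prefer a timed reset over a permanent lock, so that an attacker cannot shut legitimate users out by guessing wrong on purpose.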

Many of these steps are simple to take if you spend a minute thinking about your data and where it may be accessible to outsiders. It's the failure to take simple, obvious steps to protect data that most exposes you to regulators and lawsuits, but as the public becomes more sensitive to data security, the standard for "reasonable efforts" to protect sensitive data is rising. A little planning now can go a long way towards mitigating the future pain caused by a data security breach.

Any questions regarding data security practices can be directed to: Curtis Capeling or Jacob Feldman.
