“It’s not the 14 year old in Russia organizations should be worried about,” Emma Hodson notes. The Van Winkle attorney is speaking to the quarterly meeting of the Asheville Executive Information Technology Forum (AEITF) at Travinia Restaurant in Biltmore Park. Hodson and fellow attorney Allan Tarleton are discussing the legal frameworks and ramifications around data security and breach notification, a subject that is equally scary and esoteric for many business owners.
The conversation begins with a topic familiar to most everyone, the Target data breach that occurred during the peak of holiday shopping late last year. The statistics of the breach are incredible: 40 million credit card numbers and another 70 million individuals’ personal information stolen. To make matters worse, the breach occurred less than six months after Target spent $1.6 million on a security tool intended to catch exactly this kind of intrusion. Now, more than eight months later, Target is still feeling the effects, and its CEO stepped down in May as a direct result of the breach. A breach (if we use a house as an analogy to a network) is as simple as someone entering your house uninvited. They don’t always have to take anything, but they could and might have…
When a breach occurs and private information is at risk, both federal and state laws apply to the handling of the breach. Federal laws that govern breach notification include HIPAA/HITECH and the FCRA (Fair Credit Reporting Act), while North Carolina is governed in part by the NC Identity Theft Protection Act. Under this act, organizations with access to North Carolina residents’ personal information (broadly defined as a person’s name combined with an identifying number such as a Social Security, driver’s license, or financial account number) must take reasonable measures to protect against unauthorized access or use.
From a technology perspective, this “reasonable” requirement obliges organizations to properly acquire, communicate, and dispose of personal information using documented security standards and policies. In other words, access to the data must be controlled, and its integrity and auditability monitored and maintained, to help prevent breaches. Additionally, while companies often focus their security efforts on preventing breaches, timely alerting on intrusions is equally important and can limit a breach’s scope or prevent a breach altogether. (In the house analogy, this is the alarm system. If the alarm goes off immediately, and authorities respond quickly enough, the intruder might not steal anything at all.)
When a breach does occur, many of the same laws also address notification of the breach, including the who, when, where, and how of that notification. Proper notification may need to reach the individuals whose personal information may have been compromised, the Consumer Protection Division of the NC Attorney General’s Office, and, depending on the data involved, federal regulators. The notification itself may be required to include the nature of the breach, specifics about the breach (timing, content, etc.), the number of individuals affected, the steps taken to investigate the breach, and the steps taken to prevent another one.
Unfortunately, breach notification laws are not cut and dried. Confusion often exists in many facets of a breach. Ms. Hodson discussed two case studies of interest.
The first involved a vice president of sales who left his smartphone in a bar; the phone had no password and could not be wiped remotely. The phone held contact information (names, phone numbers, e-mail addresses, and business addresses) but nothing else. While certainly valuable information was lost, the information was not “personal information” as the statute defines it, so this loss does not qualify as a reportable breach.
A second case study revolved around an accounting firm, specifically two of its CPAs (simply named CPA #1 and #2). CPA #1’s assistant accessed a company file belonging to a client of CPA #2. CPA #1 is also involved in an affair with one of the owners of that company, and the company file contains the Tax ID number and Social Security numbers of the owners. In this case a breach has in fact occurred, because the assistant was not acting in good faith (that is, not accessing the data for a legitimate business reason) when he or she opened the company file. Authorized access for a legitimate purpose is not a breach; the same access for an improper purpose is.
Both cases demonstrate the complexity of breaches and breach notification. This complexity often results in confusion about how to respond appropriately, and responsible companies often find themselves doing more than required to ensure they avoid additional penalties and fines for an improper response.
So how do you prepare for or prevent this kind of mess? The best way to prepare for a potential breach, particularly from an information technology perspective, is to develop policies that set standards for safeguarding data and plan for potential breaches. A Written Information Security Policy (or WISP) is one such document, and it is valuable for any organization. A WISP clearly outlines the life cycle of data containing personal information, as well as the legal obligations an organization has regarding the handling of that data and of potential breaches. The policy should also cover likely threats and the safeguards that will be taken against them. Those safeguards define the security needs of an organization from both a technical and a non-technical perspective, and help drive proper implementation. Lastly, a WISP must have full buy-in from organizational management or ownership, along with a commitment to train employees on the procedures and policies it contains. Oftentimes, the weakest link in the security of personal information is the individuals trusted with access to that data.
Finally, everyone should understand that liability cannot be outsourced. For organizations that handle personal information, Mr. Tarleton strongly recommends some form of liability or errors and omissions insurance to help ease the financial burden of a breach and its potential legal ramifications. An insurance policy obviously won’t decrease the risk of a breach, but it can help an organization survive what could otherwise be a doomsday scenario.
Data breaches and loss are subjects that no organization wants to become familiar with. There is no silver bullet to prevent breaches or “Idiot’s Guide” to data breach response. However, organizations can and must defend themselves and be prepared for a worst case scenario. A holistic and well-rounded defense is paramount, and the solution is often as unique as your organization.
The Asheville Executive Information Technology Forum provides ongoing discussions on key technology issues facing local organizations and fosters the development of relationships essential to its members’ success. Emma and Allan spoke at the July 2014 meeting of AEITF.