Data Security Breaches: Problems And Solutions Steven C. Bennett With a combination of risk assessment, technical solutions, and stafg training, it is possible to keep data secure. InformatIon Is the new currency of commerce. Sensitive data, such as social security numbers, credit card information, fjnancial records, health data, and in - tellectual property may be worth millions of dollars in the hands of hackers and data thieves. With the assis- tance of the Internet and new storage media, confjden - tial information may be compromised on a larger scale and faster pace. In 2006 and 2007, for example, more than 300 major incidents of data breach were reported each year, and 2008 is on pace for a similar total. Data Loss Archive and Database, www.attrition.org. Millions of pieces of personal data have been stolen in recent years, Steven C. Bennett often from prominent companies and organizations. At- is a partner at Jones Day in New York, and teaches Electronic Discovery at Rutgers torney General Announces Data Breach At New York Bank Possibly Law School. The views expressed, Affecting Hundreds Of Thousands Of Ct. Consumers, Millions however, are solely those of the author, Nationwide, CT.gov, May 21, 2008, www.ct.gov/ag/cwp/ and should not be attributed to the view. Even without actual identity theft, the magnitude author’s fjrm, or its clients. Xi Steve Chen and Brandon T. Morris, summer of the problem of data security, and the potential cost of associates at Jones Day, assisted in the remedying data breaches, has become a major problem. preparation of this article. If organizations and companies do not address data se- curity issues, critical threats to information privacy may develop. Businesses and other organizations thus must take action to secure the sensitive data they control. This article provides a list of potential actions that businesses The Practical Lawyer | 39
40 | The Practical Lawyer December 2008 and other institutions may wish to consider in mini- promised. Some state laws also limit use of specifjc mizing the risk of data security breaches and the personal information, such as social security num- consequences of breaches when they occur. bers. LaWs CUrrEntLY aPPLICaBLE to WHat Can BE DonE to rEDUCE tHE Data sECUrItY BrEaCH • There is no sin - rIsk of Data sECUrItY BrEaCH? • Risk gle federal law that governs all use and disclosure assessment and development of responsive mea- of sensitive information. Rather, specifjc statutes sures can work in tandem to prevent or mitigate and regulations may restrict use and disclosure of data security breaches. Rather than waiting for a information in certain contexts, and require enti- breach to happen, companies can identify weak ties that maintain this information to take reason- spots in their existing systems, and develop preven- able steps to ensure the security and integrity of tive measures. Most signifjcantly, businesses should that data. Four major statutes in this area include: establish comprehensive data-detailed security the Fair Credit Reporting Act (“FCRA ”), 15 U.S.C. policies, and create a security-conscious workforce, §1681 et seq., Title V of the Gramm-Leach-Bliley through training and periodic reminders. Compa- Act (“GLBA ”), 15 U.S.C. §6901 et seq., Section 5 of nies may also invest in new data security technolo- the Federal Trade Commission Act (“FTC Act”), gies to stay ahead of ever-evolving security threats. 15 U.S.C. §41 et seq., and Part C of the Health In- surance Portability and Accountability Act of 1996 risk assessment (“HIPAA ”), 38 U.S.C. §1320d et seq. The FCRA To develop an effective data security program, primarily regulates the distribution of “consumer the fjrst step is to identify all reasonably foreseeable reports” by “consumer reporting agencies.” The internal and external threats to information assets GLBA imposes security obligations on “fjnancial in need of protection. Companies should exam- institutions.” The FTC Act holds liable companies ine each major area of data operations, including that fail to implement necessary security protection, information storage, network security, regulatory to the extent that such failures may be considered compliance, and employee training. Appropriate questions may include: “unfair” or “deceptive” trade practices. HIPAA • Is the information system ready to fend off a requires privacy and data security standards for hacker’s attack? health care information systems. • Is the company’s information storage policy understandable and comprehensive? state Laws • Has the existing security policy been enforced? On the state level, at least 38 states have passed Is there any nonconformity in compliance that some form of data breach notifjcation law. See Scott could create company liability for potential Berinato, CSO Disclosure Series: Data Breach Notifjca - breach? tion Laws, State By State, CSOOnline.com, February • Do the company’s employees have suffjcient 12, 2008, wwwhttpcsoonline.com. In total, as many knowledge and awareness about data security as 48 states have some kind of law “aimed at the attacks? prevention of unauthorized disclosures of personal Expert assistance may help to identify all potential and fjnancial information.” Security Breach Legisla- risks to an information system. Several companies tion, in 50 State Statutory Surveys (2007). These laws, specialize in cyber-crime response and computer in general, require businesses to notify consumers when their personal information has been com-
Data Security | 41 forensics. Internal data security assessments may encryption, bits of data are mathematically jum- also be conducted on a regular basis. bled, with a password-key. The encryption process makes data unreadable until decrypted. Encryp- risk Evaluation tion can be very cost-effective in data protection. Once potential threats are identifjed, compa - Protecting customer records through encryption nies should evaluate the magnitude of the risks pre- may be substantially less expensive than paying for sented, by assessing the likelihood that a threat will cleanup after a data breach. In testimony on iden- materialize, evaluating the potential damage that tity theft at a Senate hearing after the Department could result, and assessing the suffjciency of poli - of Veteran Affairs lost personal data on 26.5 mil- cies, procedures, and safeguards in place to guard lion veterans, Gartner, a research company, noted against foreseeable threats. For example, if con- that encryption can cost as little as $6 per customer sumer information stored in company computers account, while cleanup costs can range upwards and mobile data systems such as laptops is not en- of $90 per customer account. Gregg Keizer, Secu- crypted, the likelihood of a threat materializing may rity Cleanup Costs Much More Than Encryption: Gartner, be signifjcant, and potential damage may be great. TechWeb.com, June 6, 2006, www.techweb.com. As a result, the company may choose to implement Despite the benefjts of encryption, and many a policy requiring data encryption, or some other highly publicized losses of unencrypted data, procedures to safeguard such information. many organizations lag in use of encryption. In Some smaller companies cannot afford the ex- the Ponemon Institute’s 2008 Annual Study, only pense of sophisticated data security systems, even 21 percent of the 975 companies polled reported though their vulnerability to data security breach that they had enterprise-wide encryption plans, is as great as for their larger counterparts. One so- although the fjgures are increasing. Ponemon In - lution is to seek help from larger companies that stitute, LLC, 2008 Annual Study: U.S. Enterprise share the smaller company’s data security interests. Encryption Trends 2 (2008), www.pgp.com/down- loads/research. For example, merchants may request assistance New technologies have helped to simplify the from credit card companies to conduct security process, and reduce the cost of encryption. For ex- assessments and enhance security systems. Larger ample, companies have increasingly adopted a plat- companies may have incentives to provide such as- form approach to encryption. Id. at 3. A “platform sistance, when they must share consumer data with approach” uses a single console “to deploy and their smaller affjliates. manage multiple encryption applications.” Id. at 20. Companies see this approach as increasing effjcien - Implement technical solutions cy and cutting costs. Id. at 3. In addition, hardware Today’s technology has developed a variety of encryption appliances may replace older software- media to store data, ranging from backup tapes, to based designs, and may eventually replace them al- laptops, to fmash drives. Companies must deploy var - together. Neil Roiter, Hardware-Based Encryption Gains ied security technologies to address diverse security Most Innovation Of ’07, SearchSecurity.com, Jan. 3, problems. In general, technical security solutions 2008, www.searchsecurity.techtarget.com. include one or more of the following approaches. The new hardware designs may decrypt data in close to real time, and users may not notice any Encryption delays in data access. System performance can be Encryption is the most commonly used method further enhanced by limiting encryption to sensi- to keep confjdential information secure. Through
Recommend
More recommend
