Data Breach – Can You Win This War?

As a business owner or CEO, you know that information technology has become a key part of your operations.  But having an IT budget and finding the right employee or vendor for your IT needs—or what you think are your IT needs—will no longer suffice when it comes to privacy, security and data breach.  It isn’t just about IT anymore.  You cannot just point to the IT Department and check privacy and security off your list.  Keeping your company protected is the job of the C-suite to janitorial and everyone in between.

Many businesses are woefully unaware of the laws that apply to their collection, transmission, storage and disposal of personal information.  State and federal laws governing identity theft prevention impose certain requirements on all businesses and public entities, not dissimilar to what healthcare providers must meet under the widely-known HIPAA laws.  So, in addition to damage to reputation, and damage from lost data and downtime, you could be facing significant fines and lawsuits which, under Consumer Fraud Acts, could include treble damages.

As an initial inquiry, do you know what types of private data your organization holds?  Employee data, health data, customer data, and financial data, including payment card data, are the most common.  Do you know who in your organization has access to this data and should they? Can you track their access?  Who specifically is responsible for the different components of your privacy and security program and are they performing according to company policy (if you have one)?  Who from outside of your organization is given access to your data?  Are you abiding by your contractual obligations related to privacy and security and are your vendors abiding by their obligations to you?

What are the greatest risks to your data? Hacking grabs the headlines, but often employee error and even improper disclosure or destruction of paper records can result in breaches and fines, too.  What are your best options for protecting against your greatest risks? Encryption and other technology solutions are important.  But simply training your employees on the risks, and on your company’s policies, is a basic protection and is often a mandate of state and federal laws.

What plan is in place for when your data is compromised, i.e., you suffer a data breach?  The law imposes specific requirements for investigation, notification and mitigation when a data breach occurs.  A data breach response team is indispensable, as is cyber insurance.  Both must be in place before a breach occurs.

Beyond satisfying yourself that you have taken all reasonable precautions in this area, you also may have a governing board, shareholders, members or other constituents who look to you for assurance that security and privacy in the organization have been vigilantly addressed.  Witness last month’s mailing by the American Dental Association (ADA) to its members containing a coding manual but also, for some of the recipients, a USB drive infected with malware, purportedly the fault of a subcontractor of an ADA vendor.  The ADA issued an alert but time will tell if this will be enough to cure the problem created by this infection.

An infected USB drive is just one of many threats that could impact your business.  The Information Security Forum (ISF) earlier this year issued its Threat Horizon 2018 report looking at nine key threats that impact businesses and recommending actions to improve cyber resilience.  The themes of the ISF report are threefold: technology adoption dramatically expands the threat landscape; the ability to protect against these threats is progressively compromised; and government will increasingly intervene.  Other reports, such as Verizon’s 2016 Data Breach Investigations Report, reflect that information security risks for businesses fall into the realms of the human element, conduit devices, configuration exploitation, and malicious software.

You may not understand all of the nuances of these threats and the protective measures needed to address them, but you will understand the closing message from the Verizon Report.  That message is to have a plan that involves your people, processes and technology, and to test and update your plan regularly.  That means you should now have an idea of where to begin, and this blog will provide analysis, tips and guidance.  But if you don’t bother to do your own investigation and planning, you will be wondering why you didn’t make protecting one of your most valuable assets a priority.  As quoted in the Verizon Report:

“Know your enemy and know yourself and you can fight a hundred battles without disaster.” - Sun Tzu
