BreachExchange mailing list archives

Data breach is everybody’s business


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Jul 2014 18:49:29 -0600

http://www.stlamerican.com/news/columnists/guest_columnists/article_1effd20c-180a-11e4-b1bb-001a4bcf887a.html

For businesses, technology has greatly expanded opportunity … and risk.
Purchases can be made online from across the globe. Vital personal
information is stored digitally by virtually every enterprise. Medical
information can be exchanged by just pressing send.

And all of it can be exposed in a data breach. There isn’t a business,
non-profit, institution or civic organization today that can avoid the
reality that they are in the data management business and all the risks
that come with it.

The threat of data becoming compromised is such that a whole new market has
been created for the insurance industry. “Cyber policies” can afford some
protection against losses; however, companies should always be aware that
not all cyber policies cover the risks a company faces. Cyber insurance
policies should cover the costs associated with the data breach, including
engaging legal counsel, hiring investigators, providing credit monitoring
for customers, and enlisting public relations experts to facilitate
communications with all parties served by the company.

Companies can also proactively protect themselves in other ways. First and
foremost, they should develop policies and educate employees on those
policies. This includes establishing, publicizing and encouraging internal
reporting mechanisms. Companies can institute electronic security policies
that identify who should receive the report of a breach and establish the
levels of discipline up to and including termination if an employee misuses
data or takes part in a data breach.

Firms should consider creating a data management team with clear
responsibilities and a thorough understanding of the types of data
collected, processed and developed. They should also understand legal
responsibilities and regulatory requirements. There are now 46 states with
data breach laws and none of them are uniform. A university discovering its
students’ data compromised can face scrutiny from every state in which its
students reside. Meanwhile, the federal government offers protections in
the Health Insurance Portability and Accountability Act of 1996 and
Gramm-Leach-Bliley Act.

Businesses should also develop a risk assessment and mitigation plan. This
includes reviewing vendor contracts to find weak links that could expose
data. Even if a company shuns the exchange of data online, it can be held
liable for data shared with vendors who do expose that data, however
unintentionally, in a breach. A company that couriers its billing records
to a bank needs assurances that the courier and the bank have policies in
place to protect the data.

Companies should review the policies of their vendors. If the vendors do
not have an electronic security policy that addresses employee background
screening and data management, then your company should write one for them.

In addition, companies should also consider engaging a third-party audit to
review policies, compliance efforts and technical infrastructure. This is
often done after a breach. It’s best to find any holes before they are
compromised.

If a data breach does occur, businesses must not only discover its source,
mitigate impact and comply with appropriate state and federal regulations,
but also take immediate action to recover from the breach. That means
engaging legal counsel to provide protection from potential civil
litigation and the discovery process through the attorney-client privilege.

This is especially important because third-party reports from IT forensic,
accounting or crisis communications firms, as well as internal company
communications, may be discoverable in civil litigation. If outside counsel
is engaged, these communications may be protected under the attorney-client
privilege.

Obviously, technology is part of data breach avoidance, including data
encryption, security and monitoring software, password protection and the
like. But the human element and lack of meaningful policies and preparation
can create gaping holes that put data at risk. The best advice is
thoroughly evaluating your data management risks and considering a cyber
policy, developing the right team and policies to manage your data,
ensuring vendors are sufficiently protecting information you share with
them and educating all employees about risks and responsibilities.

Technology is a wonderful business tool, but it carries evolving risks that
can’t be relegated to a back burner of inaction.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
