Are You Really Ready for a Data Breach? The Necessary Steps
Several high profile data breaches have plagued large consumer organizations in recent months. Perhaps the most notable of these was Target stores, which admitted that information on as many as 70 million customers may have been stolen.
Reports indicate that hackers were responsible for the Target breach. Further, most breaches that make headlines in the popular media are traced to hackers who are typically located in Russia, various former Soviet republics, or China. That picture, however, is misleading.
The Department of Health and Human Services maintains a page on its website informally dubbed the Wall of Shame, where it lists healthcare industry data breaches affecting 500 or more individuals. An analysis of those shows that only 8 percent could be blamed on hackers. A full 92 percent were caused by employees and business associates of the organizations whose data was breached. So while foreign hackers make the headlines, organizations need to be acutely aware of internal threats and weaknesses.
Data breaches and privacy ethics
One more fundamental point needs to be made: Every data breach is a violation of privacy. Therefore, an organization’s attitude about privacy is critical to its commitment toward preventing data breaches.
In their 2009 article for MIS Quarterly, “How Ethics Can Enhance Organizational Privacy: Lessons From the Choicepoint and TJX Data Breaches,” authors Mary J. Culnan and Cynthia Clark Williams argue that “firms can enhance their privacy programs by moving beyond merely complying with laws and other regulations, and creating a culture of integrity that combines a concern for the law with an emphasis on managerial responsibility for the firm’s organizational privacy behaviors.”
As with other aspects of an organization’s ethics “ecosystem,” Culnan and Williams say that a culture of privacy begins at the top and should be an issue of concern for CEOs and boards of directors. However, surveys indicate that among industry leaders, only 20 percent feel strongly that their organization views information security as a CEO-level priority.
In practical terms, Williams and Culnan say that too many organizations feel that they have met their requirements if they establish legal compliance with privacy laws at a given point in time. The problem with this is that it assumes a “static world.” A better approach is to establish a governance process that performs two functions:
- Assuring compliance with the law
- Assuring privacy programs accurately reflect current risks and best practices
A cross-organizational committee should be established to oversee these principles similar to a disclosure committee as recommended by the Sarbanes-Oxley Act, Culnan and Williams suggest. Along with establishing a “forward-looking” attitude toward the prevention of data breaches, the committee would monitor and aid in the implementation of practical preventative measures, as well as steps taken after a data breach has occurred.
Steptoe & Johnson, LLP, has some 500 lawyers and other professionals in offices around the world. The firm has done a lot of work protecting companies before and after data breaches. It has created what it calls its “Data Breach Toolkit,” which outlines critical steps companies must take prior to and after a breach.
Before a breach
Organizations should perform regular periodic assessments of their internal policies as well as technical measures. These include the following:
Network security. This covers the technical security measures that protect your organization’s network. A checklist would include:
- The type of authentication used
- Firewalls
- Password usage and required strength of passwords
- How former employee network accounts are purged
- Network intrusion systems
- Network encryption
- How mobile devices are handled
- How – and if – network logs are generated and stored
- Software protection against malware and viruses
- Deletion of out-of-date sensitive information
Data mapping and access control. To accurately assess risks and implement sufficiently strong technical measures and cultural attitudes, it’s critical to know what data you have and where it is. Without this information, you have no way of knowing which department and employees need training. Limit access to sensitive information to only those individuals who truly need it.
Records retention. This illustrates the importance of the committee and its commitment to meet on a regular basis to review measures. The Steptoe toolkit makes this point directly: If you don’t have it, it can’t be stolen. Do not keep information longer than necessary, and don’t maintain information when it needn’t be retained. Also, be certain that it is properly destroyed.
Business associates. As the previously cited statistics show, business associates are responsible for a great number of data breaches. You need to audit technical data security, policies, culture, and training and be sure they are adequate.
Employee cyber security training and policies. Data breach threats, as well as organizational data systems and data retention requirements, are constantly changing. Organizations need to have an ongoing training program to keep employees up to date and maintain their sensitivity to the issue. Policies need to be updated to reflect these changes, including privacy policies.
Incident response plan. The committee must write a response plan. Those involved with carrying out the response need to be trained and go through some “walk throughs” to familiarize themselves with their duties and be sure that the plan will in fact work “as advertised.”
Insurance. Unfortunately, no system is totally safe. Be sure your organization has adequate insurance to cover a data breach, including response, remediation, and the costs of litigation.
After suffering a breach
If your organization should be the victim of a data breach, the following checklist suggested by Steptoe enumerates the steps that should be taken.
Conducting virtually any business or service today requires gathering personal and sensitive data. And as the headlines prove, breaches of that data are becoming more common and in many cases extremely damaging to both the victims and the organizations. It’s common practice now for organizations to provide costly identity theft monitoring services to victims in an effort to salvage the organizations’ reputations.
When measures to handle data are proactive, thorough, current, and carefully orchestrated, risk can be minimized.