Thirty-nine states have laws requiring companies to notify customers when their personal information has been exposed. But many small and mid-sized enterprises lack the budget to work out, let alone comply with, these regulations and the requirements that vary from state to state: notifying consumers and state authorities, sending paper notices by mail, e-mailing affected customers, and so on.
Massachusetts recently enacted a data-protection law requiring notification to residents and state authorities if consumer names together with identifiers such as credit card account numbers or Social Security numbers are improperly accessed or used. A second component of the law mandates secure destruction of hard-copy and electronic records containing personal information of Massachusetts residents when they are disposed of.
Matt Pierce, CIO of the Watertown, Mass.-based Cadmus Group, a consultancy that assists government, nonprofit and corporate clients researching environmental and energy challenges, said the state's law is stricter than most.
When he began a dialogue with the firm's human resources director about protecting personal information, Pierce looked at the laws of the jurisdictions in which Cadmus has major offices (Massachusetts, Montana, Virginia, Maryland and Washington, D.C.), thinking employee records were the company's only worry.
“There are a lot of companies like Cadmus that have a lot of personal records,” he said. Their databases may not be on the order of TJX's, but these companies still hold a wealth of personal data, and the vulnerabilities that go with it.
After reviewing the laws, Pierce dove into Cadmus operations to “basically get a sense of what we have and how it moves through the system.”
“We don’t have a storefront or sell on the Internet, but we run meetings for the [Environmental Protection Agency],” he explained. “We collect credit cards for registration fees and dinners.” Card data collected over the Internet for these events is encrypted end to end and processed by a payment vendor, so Cadmus itself does not store it.
“Credit card information exists in session on our servers for a while, but once it’s processed, it goes away,” Pierce said. “I was feeling pretty good about that.”
When unregistered attendees show up for meetings, however, Cadmus employees collect their card details on slips of paper. The routine has been to return to the office, process the charges through the company Web site and then file the slips gathered at the event. Filing them leaves card numbers stored on paper, the kind of record the state's destruction requirement covers, and Cadmus is now considering alternative practices.
The company already has some data-security improvements in place. The online recruiting system no longer asks applicants for their Social Security numbers. The numbers had been requested as part of every job application so they would be on hand if Cadmus made an offer to someone recruited through the Web; the company has since purged them from the database. “We’re holding onto many more records than required,” Pierce said.
Steps Against Risk
Cadmus is not alone in surveying its risk and changing procedures to minimize both its exposure and its costs in the event of a data breach.
“Organizations are now beginning to put necessary data-privacy and security measures in place in order to comply with data-security regulations,” said Adam Sills, assistant vice president of technology liability underwriting at Darwin Professional Underwriters Inc. In Darwin’s experience, only a handful of companies comply satisfactorily.
Sills said he sees CIOs working hard to prevent the destruction a data loss can cause. “This is serious and complex business,” he said. “Companies generally try to make a good-faith effort at data security.”
“Some companies still don’t know all of the necessary security steps they should be taking to protect their customers’ data and personally identifiable information,” added Ryan Wilhelm, assistant vice president of technical services at Darwin. “There are other organizations which conduct myriad penetration tests and formal training but still experience breaches. In some cases, a company can do all the right things and still fall victim to a security breach or data loss. It’s not always a system breach. In many reported instances, it is lost or stolen equipment like a laptop or backup tapes.”
Darwin has seen an upsurge in demand for technology liability insurance coverage since the introduction of regulations such as California’s SB 1386, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
Cadmus’ Pierce has considered insurance, but with an SME’s budget constraints he has instead focused on better training for employees who handle data, reducing the number of staffers who work remotely, and encrypting every laptop, whether or not it stores sensitive data, with the open-source TrueCrypt software.
To deal with the risk of lost or stolen computers, Cadmus also uses Computrace. The LoJack-like service for laptops lets the company remotely wipe a stolen machine once it next connects to the Internet; the wipe overwrites the data to the DoD overwrite standard so that recovery with forensic tools is impractical. The wipe is a second layer rather than the only defense: because the laptops are already encrypted with TrueCrypt, a thief who never connects a stolen machine to the Internet still sees only ciphertext.
Protecting All Data
“Organizations are becoming significantly more cognizant of the steps they need to take in order to plan ahead for potential data loss,” Wilhelm said. “They are engaging in activities such as system upgrades, increased IT security measures, collection of material data only – no extraneous data collection – and implementation of more stringent data-access policies for employees, vendors and contractors.”
“Most compliance standards require two key factors for adherence: money and a strong organizational commitment to information security,” Sills added. “Appointing a senior-level employee who is dedicated to information security, such as a chief information security officer, will inevitably help the organization to define and implement security measures appropriate to the type and volume of data an organization holds. Increased staff and a knowledgeable privacy attorney are also key assets in developing and overseeing organizational compliance with data-protection requirements.”
The Darwin experts do not see a company’s size as a reliable indicator of its risk exposure. “If a breach occurs, the repercussions associated with data-loss expenses can put an organization out of business,” Sills said. “It is important for organizations to learn how these breaches occur and take proactive measures to mitigate system deficiencies.”
“It is also important to avoid the ‘lights are on, but no one is home’ syndrome affecting a large portion of organizations,” Wilhelm said. “If an intrusion-detection system has indicated that a known vulnerability is being exploited, without manpower and well-tested incident response procedures in place, it is likely that a potentially avoidable breach will occur.”
Kelly Shermach is a freelance writer based in Brooklyn, N.Y., who frequently writes about technology and data security. She can be reached at editor (at) certmag (dot) com.