Saturday, January 28, is Data Privacy Day, a day designed to promote awareness about privacy and education about best privacy practices. With that in mind, we decided to devote today’s and tomorrow’s posts to data privacy and how companies can achieve more secure, robust methods of dealing with the ever-present risk of cyber crime and data theft. Today’s post is by Tim Francis, business insurance management and professional liability and cyber insurance lead for Travelers.
IT departments play a pivotal role in identifying and mitigating exposures to cyber threats. However, there are risks that exist outside the company network. Businesses may be overlooking other points of vulnerability where a hacker can potentially attack, including but not limited to company cell phones, smart phones, tablets, laptops and other mobile devices. Every type of technology brings the potential for a cyber crime. Even if every employee is securing their personal and work technologies constantly, information can be compromised.
Institutions that understand the commitment necessary to create a robust anti-fraud program have a plan in place that involves numerous security options. This includes proper breach response planning, establishing information, and insurance protection. Corporate risk managers can be a valuable asset to their companies by becoming part of the planning process. They can also activate their professional networks and refer their companies to other advisers for additional guidance including lawyers, crisis communications specialists and other professionals.
Corporate risk managers should also advise their companies on the importance of employee engagement as part of a cyber risk management plan. When employees understand the potential impact on the company (possibly including their job security), they are likely to be more willing to take the necessary precautions to protect company information by following established protocols for information security. Employees should understand the costs associated with addressing a breach, including having to provide credit monitoring for hacking victims, liability expenses, and potentially losing business and even deterring new business opportunities from prospective clients who get wind of security failures. Getting full buy-in and participation for mitigating cyber risk from the top down in an organization can make a significant impact on reducing cyber exposures.
Operating without a cyber risk management plan could have a crippling effect on a company’s reputation. The way in which companies respond to cyber threats can be scrutinized by clients, stakeholders and the public, especially because victims are often directly impacted by slow response. For example, if a company does not respond quickly, victims of the crime may miss opportunities to cancel credit cards and alert their banks about suspicious activity. The window for fraudulent activity can be prolonged by companies that are unprepared to deal with a cyber breach. With a strategy in place for responding to a cyber event, businesses can execute against their plan and focus on getting back to business as usual.
As cyber attacks dominate headlines, companies must make efforts to properly secure both their technology and networks. Recent media reports have identified major companies, organizations and governmental entities across the U.S. as unfortunate examples of what can happen when a business is unprepared for a cyber crisis. Corporate risk managers can help their companies to adapt their risk management strategies and practices so that their employees and their customers remain ahead of emerging cyber risks.
I wrote a blog post a while back suggesting that risk managers treat data in the same way they treat any asset. Separating data (physically and electronically) makes it more difficult to steal that data and more difficult to utilize stolen data. For example, storing usernames and passwords in different databases with different access credentials means a cyber criminal needs to hack two databases instead of just one. Keep in mind, though, that too much separation or duplication of data becomes its own risk, as you have more assets to protect from loss.
I would also suggest that, as part of the cyber/data risk management plan, the organization outline everywhere data is stored (servers, desktops, laptops, cell phones, paper files, etc.). This should be so detailed as to list everyone who has a company cell phone or laptop. You can then look at where data is transferred (data is at higher risk of loss when being transferred than when sitting still). With that information you can prevent unnecessary data storage and transfer and plug unnecessary openings such as open ports, redundant servers and old files.
With regard to the comments about quick action to prevent further losses, just like any risk management plan the cyber/data risk management plan should include a checklist in the event of a loss. For example:
1.) Determine what data was compromised and in what way.
2.) Plug the hole and/or prevent further losses.
3.) Determine who (customers, employees, the public) is affected.
4.) Outline a plan (changes, mitigation, actions to take, PR).
5.) Contact any regulatory bodies that must be notified (often law states the privacy commissioner must be notified of all breaches of public data).
6.) Contact affected people and advise what they need to do.
7.) Contact the media if necessary (it’s better to come from the organization than leaked).
8.) Review organization for similar exposures.
9.) Review the process.
The checklist should include specific names of people responsible for implementing the checklist.
That’s my $0.02, hope it’s helpful to someone.
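The data-separation suggestion in the comment above (usernames in one database, password material in another, each behind its own access credential) worked through as an added example; this is not code from the original post or from the commenter. The two stores, their credentials, the opaque subject id that links them and the sample user are all constructed for the demonstration, and the in-memory SQLite databases with a credential check stand in for two separately administered databases.

```python
import hashlib
import hmac
import secrets
import sqlite3


class Store:
    """Stand-in for a separately administered database: each instance holds
    its own data and its own access credential (constructed for the demo)."""

    def __init__(self, name: str, credential: str) -> None:
        self.name = name
        self._credential = credential
        self._conn = sqlite3.connect(":memory:")

    def open(self, credential: str) -> sqlite3.Connection:
        # Constant-time compare so the check itself leaks nothing about the secret.
        if not hmac.compare_digest(credential.encode(), self._credential.encode()):
            raise PermissionError(f"access denied to {self.name}")
        return self._conn


# Two stores with two unrelated credentials (both values constructed): one holds
# who the users are, the other holds only how to check a password for an opaque id.
IDENTITY_CRED = "identity-store-secret"
VERIFIER_CRED = "verifier-store-secret"
identities = Store("identities", IDENTITY_CRED)
verifiers = Store("verifiers", VERIFIER_CRED)
identities.open(IDENTITY_CRED).execute(
    "CREATE TABLE identities (username TEXT PRIMARY KEY, subject_id TEXT UNIQUE)")
verifiers.open(VERIFIER_CRED).execute(
    "CREATE TABLE verifiers (subject_id TEXT PRIMARY KEY, salt BLOB, digest BLOB)")

PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the verifier store never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> str:
    """Link the two stores only through a random subject id, never the username."""
    subject_id = secrets.token_hex(16)
    salt = secrets.token_bytes(16)
    identities.open(IDENTITY_CRED).execute(
        "INSERT INTO identities VALUES (?, ?)", (username, subject_id))
    verifiers.open(VERIFIER_CRED).execute(
        "INSERT INTO verifiers VALUES (?, ?, ?)",
        (subject_id, salt, _derive(password, salt)))
    return subject_id


def verify(username: str, password: str) -> bool:
    """A login needs both credentials: one to resolve the name, one to fetch the verifier."""
    row = identities.open(IDENTITY_CRED).execute(
        "SELECT subject_id FROM identities WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    row = verifiers.open(VERIFIER_CRED).execute(
        "SELECT salt, digest FROM verifiers WHERE subject_id = ?", (row[0],)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(_derive(password, salt), digest)


def dump(store: Store, credential: str) -> list:
    """What someone holding exactly one store's credential can read from it."""
    conn = store.open(credential)
    table = conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchone()[0]
    return conn.execute(f"SELECT * FROM {table}").fetchall()


if __name__ == "__main__":
    register("alice", "correct horse battery staple")     # constructed sample user
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong"))                          # False
    print(dump(verifiers, VERIFIER_CRED))   # opaque ids, salts and digests; no usernames
    try:
        dump(verifiers, IDENTITY_CRED)      # the identity store's credential opens nothing here
    except PermissionError as err:
        print(err)
```

What the demo makes concrete is the commenter's point: a dump of the verifier store contains no usernames, a dump of the identity store contains no password material, and each store is opened with its own credential, so a single compromised database yields nothing directly usable. It also illustrates the caveat in the same comment, since there are now two stores, two credentials and a linking id to protect and back up instead of one.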
Great comment, SL. It was in-depth, informative and, of course, timely.
Public Law 107-347 (FISMA) vs. 45 CFR (HIPAA)
Data, in its quiescent state, is unintelligible and unusable. A database interrogation/query results in an accumulation of filtered data formatted in the requested context. This is information.
Usually we are talking about three different participants in this transaction. An OS (Operating System), a DBE (Data Base Engine), and Data Retrieval/Assembly interface work in unison to accomplish the task. In the HIPAA context of eHR (electronic Health Records) the concern currently starts and stops with the collection of data into information.
Who is the legitimate guardian of these components? Various NIST publications (800-53 for instance) provide guidance as to the security of the OS and DBE with some attention to media disposition. Although lacking specifics, it is necessarily vague to allow shaping and molding of security by what is known as the “System Owner”. This is from the technical perspective, not the specific handling of “information” as it pertains to eHR. The eHR is the unique purview of a Privacy Officer and HIPAA.
HIPAA, the guardian of eHR, relies on 45 CFR PART 160 & 164 to draw guidelines in the preservation of information privacy.
It is a matter of perspective. HIPAA has an interest in the transaction by representing the customer/patient/health information owner and that individual’s right to privacy. NIST sets the stage from a 180 degree opposed perspective focusing on the “Mine” the data came from. NIST controlled Data Mining results in a HIPAA controlled point of information.
How will these very different perspectives co-exist? Time will tell.