8 Cheap Tips for Avoiding Pesky (and Expensive) Data Breach Notifications
IT and legal need to limit the risks associated with incident response while conserving resources, especially during the current economic downturn. These easy data breach protection tips shouldn't break the bank and may give you the elusive and magical ROI you need.
- Restrict the placing of personal identifying information on laptops. Laptop theft is a major, if not the largest, source of database security breaches. Therefore, if you can keep personal information off of laptops you can reduce the breaches that trigger the statute. You say that is impossible? Well, look at the definition of personal information, and you might see some possibilities. Most of the state laws define personal information as (a) an individual's first name or first initial and last name, in combination with (b) one of the following: (i) social security number; (ii) driver's license number or state identification number; or (iii) account number or credit or debit card number in combination with any required security or access code or password. Therefore, if you keep names but don't tie those names to any of the other identifiers, a breach may not pose the potential for identity theft and may not trigger the sending of notices under the state laws.
- Require personal information placed on laptops to be encrypted. If you can't restrict, encrypt. It is more expensive than restrictions (approximately $100 per laptop to enable encryption) but worth the cost: it also diminishes the risk of identity theft, and the unauthorized access to or disclosure of encrypted information does not trigger the sending of notices under the vast majority of the state database security laws. Just make sure it is at least 128-bit encryption, which is the standard specified by the Massachusetts law.
- Replace or truncate social security numbers. If your business can substitute another number for a social security number, e.g. some letters from the person's first and/or last name combined with the last 4 digits of the person's social security number, you will create a reasonably unique identifier that is difficult to use for identity theft purposes and should take you out of most state database security breach law scenarios. An added bonus is that it will help your company comply with the ever increasing and similarly dreaded state social security number laws.
- Impose restrictions on vendors. In my experience, vendors who process data on behalf of their clients are the main victims of security breaches, yet much of the cost and potential loss of goodwill is suffered by the client. Baking certain restrictions/specifications into an RFP, as well as incorporating provisions into a contract that require a vendor to protect data, can help to reduce security breaches, or at least better protect your company in the event a breach happens.
- Conduct due diligence on vendors. It makes sense for a CIO or a representative of the IT staff to interview the CIO of a vendor or actually inspect the premises as part of awarding a contract. Plus, it might be a good way for you to get a free trip to India or Chile!
- Check the garbage. Several security enforcement proceedings were the result of thefts by cleaning contractors, or failure of a company to properly shred personal information.
- Don't forget physical security. With all the efforts placed on technological measures, remember that locking computers and installing or upgrading physical access or video security can be useful in protecting your equipment and personal data, as well as providing additional protection for your company's trade secrets.
- Communicate your policies to your employees. Often companies have good policies in place. (If you don't have policies in place, please add "develop and implement policies" to this list and move one desk back towards the rear of the classroom.) The problem is often that the employees have not been sent the policies to read, have not been asked to confirm that they have read and understand the policies, and/or have not been trained on the policies. Training is relatively inexpensive, can be combined with other training, like anti-harassment or electronic communications policy training, provides a reasonable chance that inadvertent security breaches can be avoided, and gives you some defense in the event of litigation.
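The first and third tips above can be turned into a data-inventory check. The following is an added example, not code from the original article: it applies the statutory definition quoted in tip 1 (name plus SSN, driver's license/state ID, or account number plus its access code) to records, and implements the initials-plus-last-four truncation from tip 3. Field names and the sample records are assumptions constructed for illustration.

```python
import re

# Field names are assumed for this example; map them to your own schema.
STANDALONE_IDENTIFIERS = {"ssn", "drivers_license", "state_id"}
# An account or card number only counts when paired with a required code/password.
ACCOUNT_FIELDS = {"account_number", "card_number"}
ACCESS_CODE_FIELDS = {"security_code", "access_code", "password", "pin"}

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def _present(record, fields):
    return any(record.get(f) for f in fields)


def has_name(record):
    # Definition part (a): first name or first initial, plus last name.
    first = record.get("first_name") or record.get("first_initial")
    return bool(first and record.get("last_name"))


def is_personal_information(record):
    """True if the record matches the definition quoted in tip 1."""
    if not has_name(record):
        return False  # identifiers without a name fall outside the definition
    if _present(record, STANDALONE_IDENTIFIERS):
        return True
    return _present(record, ACCOUNT_FIELDS) and _present(record, ACCESS_CODE_FIELDS)


def truncate_ssn(record):
    """Tip 3: replace the full SSN with name letters + last four digits."""
    ssn = record.get("ssn")
    if not ssn or not SSN_RE.match(ssn):
        return record
    digits = re.sub(r"\D", "", ssn)
    letters = (record.get("first_name", "")[:1] + record.get("last_name", "")[:2]).upper()
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["person_id"] = f"{letters}{digits[-4:]}"
    return out


def records_needing_protection(records):
    return [r for r in records if is_personal_information(r)]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111111111111111"},
    {"first_name": "Jane", "last_name": "Doe", "card_number": "4111111111111111", "security_code": "123"},
    {"ssn": "123-45-6789"},
]
```

Running `truncate_ssn` on the first sample record yields a record that no longer matches the definition, which is the point of tip 3.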