This summer has seen a great number of data breaches all over the world. Some of these are high profile, like Epson Korea and the rash of Sony hacks. Some are small, like an incident in Louisiana where copies of confidential documents were found on a city street. And some just make you shake your head, like the play book of the Green Bay Packers being scattered all over the street.
46 states in the US have data breach notification laws that address when personally identifiable information (PII) is breached. Many countries outside the US have data breach notification and security laws that cover similar circumstances, with some of the strongest in the EU. According to the Privacy Rights Clearinghouse, since 2005 there have been about 2600 data breaches made public affecting 535 million records – the real numbers may be higher, since laws differ on when to notify affected customers.
Current US federal law requires a business or organization to notify a customer of a data breach only in limited circumstances. The law focuses on social security numbers, financial information, health data and other unique data that a criminal could use to steal your identity or money; remember that data breaches are primarily about making money. It doesn’t include names, phone numbers, email addresses and other obvious information.
The US Congress is looking to create more comprehensive legislation, since state laws are not consistent and may conflict when interstate commerce is affected. There are a number of pending data breach and security bills going through Congress. The White House also has a proposal on cybersecurity that addresses data breaches.
- Data Accountability and Trust Act (DATA)
- SAFE Data Act
- Data Security and Breach Notification Act
- Personal Data Privacy and Security Act
- White House Cybersecurity Proposal
The bills and proposals focus on protecting data and specifying how and when to notify people when information is compromised. Some of the bills talk about identifying and fixing potential data security vulnerabilities. This includes determining what personal data to keep and for how long. This data minimization provision would mean that a business should retain only data needed for a legitimate business purpose and dispose of anything else as soon as possible. This would make it less likely that PII is compromised.
It is important that these proposed laws focus on breach notification, but it’s more important to encourage practices to reduce the risk of a breach in the first place. As has been proven over and over again, this involves people, process and technology. Developing processes and procedures and training people on using them is just as critical as the technology. You can have the greatest technology in the world, but if it’s not used properly or people ignore it, it’s worthless.
Confidential data is typically in two places: databases and documents. Most database management systems can encrypt the data inside the database, which lends a level of protection to the information. For organizations dealing with customer data, it’s not just a matter of protecting privacy but also complying with regulations such as the Payment Card Industry Data Security Standard (PCI DSS).
It’s important to protect data inside a database, but increasingly the vulnerabilities come from information stored in documents. Whether you are in Healthcare and worried about medical records or an attorney worried about your client’s will, documents are your lifeblood. The best way to reduce the risk of a data breach from a document is using persistent document security. This encrypts a document and lets you control who can access the information inside it. The security goes with the document and is just random characters to anyone who isn’t authorized to use it. Most data breach legislation says that if data is encrypted, there is no need for notification if it is lost or stolen. The information is not accessible, so there was technically no breach.
It might be some time before the US government finalizes data breach and security legislation. Rather than waiting around, you can protect important information now. Determine what confidential information is in databases and documents and apply the appropriate technologies and processes to ensure it’s safety. You don’t want to fiddle while you are vulnerable.
Photo credit Fresh & Easy Buzz