It’s less than a week after the annual RSA security conference and the number of data breaches continues unabated. Two small but significant items appeared in the news that illustrate the challenges companies face in everyday business operations. One event happened in New Hampshire and the other in the Boston area.
The NH event involved a vendor of EMC. Apparently an employee was emailing an Excel document and accidentally sent it to the wrong person. The spreadsheet had names, Social Security numbers and addresses in hidden fields. The people affected were part of the Data General Retirement Plan. When the vendor learned of the “oops”, it immediately notified the NH Office of the Attorney General. As soon as the error was detected, the vendor contacted EMC and all the recipients of the emailed file, who confirmed they had deleted it.
The disclosure and letter sent to the affected parties states the breach occurred between January 7 and January 30, 2014. EMC retained InfoArmor to provide the victims with one year of identity theft protection for free. The letter also mentions that residents of North Carolina may also be affected and that they should remain vigilant for 2 years, in case of any negative repercussions.
The event in Boston affected Thermo Fisher Scientific. In this case, a laptop containing the names and Social Security numbers of some employees was stolen from an employee. The incident occurred in December 2013 and the company discovered the breach in January. The company offered free credit monitoring services from Equifax to all those affected. Unfortunately this is not the first breach for Thermo Fisher Scientific.
In both of these cases, there was nothing malicious about the events. The emailed file had hidden fields that went unnoticed, so the sender thought it was fine to share. Hiding columns and rows in a spreadsheet is very common for anyone who uses Excel; it makes it easier to review the relevant information on a single screen. A few years ago, a similar breach occurred at a bank in Wyoming. In that case, Social Security numbers and other sensitive information from loan applicants went to the wrong person.
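Hidden rows and columns survive in the .xlsx file even though they are not visible on screen, so a pre-send check has to read the file structure rather than what the user sees. The scanner below is an added example, not code from the original post or from any vendor it mentions: using only the Python standard library, it opens the workbook as the zip archive it really is, reads the shared-string table and each worksheet, and reports every Social Security number-shaped value together with whether it sits in a hidden row or column. The sample workbook is a constructed fixture containing only the parts the scanner reads (it is not a complete workbook that Excel would open), and the names and numbers in it are made up.

```python
"""Pre-send check: find SSN-shaped values hiding in concealed rows/columns of an .xlsx."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by every worksheet and the shared-string table.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CELL_RE = re.compile(r"([A-Z]+)(\d+)")


def col_to_index(letters):
    """Convert a column label ('A', 'AB') to its 1-based column number."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def find_ssns(xlsx_bytes):
    """Return [(sheet_path, cell_ref, value, hidden)] for every SSN-shaped cell value.

    `hidden` is True when the cell lies in a hidden row or a hidden column,
    which is exactly the case a sender will not notice on screen.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        # Text cells (t="s") store an index into the shared-string table.
        shared = []
        if "xl/sharedStrings.xml" in zf.namelist():
            sst = ET.fromstring(zf.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter("{%s}t" % MAIN_NS))
                      for si in sst.findall("m:si", NS)]
        for name in sorted(zf.namelist()):
            if not name.startswith("xl/worksheets/sheet"):
                continue
            sheet = ET.fromstring(zf.read(name))
            # <cols><col min max hidden="1"/></cols> declares hidden column ranges.
            hidden_cols = set()
            for col in sheet.findall("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
            for row in sheet.findall("m:sheetData/m:row", NS):
                row_hidden = row.get("hidden") in ("1", "true")
                for c in row.findall("m:c", NS):
                    v = c.find("m:v", NS)
                    if v is None or v.text is None:
                        continue
                    value = shared[int(v.text)] if c.get("t") == "s" else v.text
                    if not SSN_RE.search(value):
                        continue
                    letters = CELL_RE.match(c.get("r")).group(1)
                    hidden = row_hidden or col_to_index(letters) in hidden_cols
                    findings.append((name, c.get("r"), value, hidden))
    return findings


def build_sample_xlsx():
    """Constructed fixture: column B is hidden, row 4 is hidden, row 3 is fully visible."""
    shared = ["Name", "SSN", "Alice Example", "123-45-6789",
              "Bob Example", "987-65-4321", "Note", "visible 555-55-5555"]
    sst = ('<sst xmlns="%s">' % MAIN_NS
           + "".join("<si><t>%s</t></si>" % s for s in shared) + "</sst>")
    sheet = ('<worksheet xmlns="%s">' % MAIN_NS
             + '<cols><col min="2" max="2" hidden="1"/></cols>'
             + "<sheetData>"
             + '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c></row>'
             + '<row r="2"><c r="A2" t="s"><v>2</v></c><c r="B2" t="s"><v>3</v></c></row>'
             + '<row r="3"><c r="A3" t="s"><v>6</v></c><c r="C3" t="s"><v>7</v></c></row>'
             + '<row r="4" hidden="1"><c r="A4" t="s"><v>4</v></c><c r="B4" t="s"><v>5</v></c></row>'
             + "</sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", sst)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def hidden_findings(xlsx_bytes):
    """Only the findings a sender could not see on screen; non-empty means block the send."""
    return [f for f in find_ssns(xlsx_bytes) if f[3]]


if __name__ == "__main__":
    for sheet_path, ref, value, hidden in find_ssns(build_sample_xlsx()):
        print("%s %s %s %s" % (sheet_path, ref, value, "HIDDEN" if hidden else "visible"))
```

The scanner deliberately walks the XML rather than rendering the sheet, because anything a viewer shows has already had the hidden rows and columns stripped out. A mail gateway or DLP hook would typically reject the message when `hidden_findings` is non-empty and ask the sender to delete the concealed data or protect the file before resending.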
In the case of the stolen laptop, the files with PII were not encrypted, so anyone could read them. The company had to inform the affected employees, notify state authorities, investigate the cause of the breach, pay for remedies and pay for credit monitoring for the victims. The impact on the company’s reputation and bottom line was significant.
What if each company had an undo key for its actions? We are so used to hitting undo when we write something, that we expect it. If I accidentally type the wrong word or copy the wrong piece of data into my spreadsheet, I can always hit the undo key.
By using file-level security on sensitive documents, you have an undo key for the type of mistakes these companies experienced. As soon as EMC’s vendor noticed the error in sending the spreadsheet, the sender could have revoked access to the document. If the laptop’s files had been protected by the continuous encryption of file-level security, only authorized users could have opened the files and seen the information inside.
If the files had been encrypted, there would have been no data breach event under data breach notification laws. The laws state that if the sensitive information is in a form that is unreadable by a person, then an affected company does not need to notify local, state or national authorities.
Data breaches are very expensive for any organization. Whether the breach involves 4 people or 400,000, the hard costs and costs to your reputation, not to mention potential lawsuits, could be very high. Having an undo key for inadvertent actions may save your company.
One wrong mouse click could ruin your day.
Photo credit David Singleton