Over the last few years, we have all heard of companies in every industry losing sensitive internal data, whether it was stolen or leaked to the outside world. These incidents include the theft and sale of customer account details to external parties, the printing and copying of sensitive data, and the loss or theft of laptops, USB sticks, disks and mobile devices, to name just a few. The common thread in the vast majority of these incidents is that they involved internal users, trusted third parties and consultants: people who were authorized to access the data.
Protecting a company’s most valuable assets is of paramount importance, yet most organizations still fail to recognize the impact a mistake or malicious act by an insider can have on their business. They fail to put adequate measures in place to reduce or eliminate the risk posed by their own authorized users.
Here are a handful of recent cases:
- A former employee of Morgan Stanley pleaded guilty to stealing confidential data from about 730,000 customer accounts. He copied names, addresses, account numbers, investment information and other data to his home computer so he could work on it. While improperly accessing the information, he was interviewing for a new job with two Morgan Stanley competitors.
- An employee of the Children’s Medical Clinics, acting with a retaliatory agenda to damage the clinic’s reputation, stole and improperly disclosed 16,000 patient records. Notification letters were sent to affected people to inform them that an employee had taken paper records from the facility and sent screenshots of electronic patient records to a former clinic employee. The Office for Civil Rights (OCR) health data breach portal indicates that patient names, dates of birth, diagnostic information and treatment information were disclosed.
- Eight alleged members of an identity theft ring, including a former assistant clerk at Montefiore Medical Center in New York, were indicted on a variety of charges stemming from the use of stolen information on nearly 13,000 patients to make purchases at high-end retailers.
- Two former GlaxoSmithKline scientists were indicted for stealing trade secrets from the drug maker as part of a conspiracy to seed a startup company with a raft of confidential data, according to federal authorities.
- A former employee of Sutter Health emailed patient records containing PHI to unauthorized recipients, including names, dates of birth, insurance identification numbers, dates of service and billing codes.
Today organizations have significant budgets for IT security; they implement security policies and educate their authorized users. Most have invested heavily in technologies such as VPNs, firewalls, antivirus, endpoint encryption, encryption of data at rest, encryption of data in motion, data loss prevention (DLP) and monitoring. With all this investment, why are these types of breaches still taking place?
And why are customers and patients left with the burden of dealing with their compromised personal information, while the breached entities get a slap on the wrist and offer those affected a “pacifier” in the form of a year or two of identity theft protection? Everyone is overlooking the fact that once confidential data gets out, it is out there indefinitely, unless you have some means to render that data useless after the fact.
Every one of the cases above involved a user who was authorized to access the data. The technologies listed are necessary, but they protect the perimeter and the storage medium; they do nothing once an authorized user has opened, decrypted, copied or emailed the data, which is exactly where these incidents occur. Most companies are driven by “compliance,” and compliance does not equate to security. True security requires you to protect sensitive data and files at the moment you create them, and to apply persistent usage policies that travel with the files throughout their life, regardless of where they end up. That is what keeps you in control, at all times, of the lifeblood of your business.