So you think your company is immune from a data breach? Your IT team has set up a firewall, intrusion detection and prevention, and antivirus protection. The company has never been the victim of a data breach. So you and your fellow corporate officers assume your company is sufficiently protected.
That is, until an employee downloads confidential information to his smartphone and inadvertently leaves it in his car overnight, where a thief breaks the window and steals it. Unfortunately, the device is not password protected, giving the thief instantaneous access to the names of millions of customers and their private account information, including Social Security numbers.
Should something like that happen, it wouldn’t be an isolated incident. In the last year alone, there have been a number of notable data breaches at such high-profile companies as LinkedIn, Twitter, Bank of America, Citigroup, Google, and Yahoo, not to mention breaches that have occurred at multiple state and federal government agencies. And the threats are no longer just external: employees are increasingly causing security breaches as well.
Security breaches violate a host of federal and state laws that require organizations to safeguard their nonpublic information (NPI). NPI comprises information included on applications for credit cards or loans. It also includes such personally identifiable information as Social Security numbers, PINs, and usernames and passwords, as well as confidential employee data, such as medical information. When employees carry information outside the confines of a company on laptops or other mobile devices, they also put confidential business information, including trade secrets and financial data, at risk.
Given the growing incidence of breaches, as well as the volume and types of information stored electronically, data protection should be top of mind for company executives and not just the CIO. The severe financial consequences of data breaches—including sanctions, lawsuits, and reputational harm—put them squarely in the CFO’s bailiwick.
Although there’s no surefire way to prevent data breaches, CFOs should encourage their organizations to reduce the likelihood of a breach. Senior executives should take an inventory of their data. Then they should implement an information-governance program that includes the following.
• Records retention policy. Companies need to retain data until it no longer has a business purpose or until the required statutory retention period expires—and no longer.
• Bring your own device (BYOD) policy. A BYOD policy educates employees about how to access corporate data and how to prevent data loss on their electronic devices, such as by using passwords and wiping technology.
• Litigation-hold procedures. Organizations must require employees to retain all information when legal matters are anticipated or pending and confirm and monitor compliance.
• Perform regular privacy audits. To identify vulnerabilities in security procedures, organizations should perform compliance audits at least annually. More frequent audits may be appropriate in organizations with more sensitive data.
• Know your cloud providers. Before signing a contract with a third-party cloud provider, organizations should confirm that their data will be secure. This begins with the company understanding how the cloud provider stores and backs up data, who has access to the data, and what security protocols it has in place. The provider should have policies that address security breaches and natural disaster recovery. Organizations that store sensitive data in a data center must also ensure that the facility has rigorous protocols for physical and application-layer security. In addition, they should ask whether the data center has been audited and certified as SSAE 16 Type II, meaning its security controls are effective.
• Monitor employee risks. Employees are an organization’s first line of defense against data leaks, so everyone should be aware of the risks and costs of breaches. Organizations should check the backgrounds of users who have access to sensitive data and restrict access to that data. Finally, companies should institute policies that govern social media usage and train employees on the permissible uses of social networks.
Companies should also invest in remote monitoring software that protects their network and proprietary information by ensuring compliance with data security policies. Monitoring internal social media applications, such as Yammer and Salesforce’s Chatter, can yield clues that enable organizations to intercept employee breaches before they occur. Employees also need to be notified that they have no expectation of privacy online and that their computer usage is being tracked.
• Ensure crisis and litigation readiness. CFOs should work with general counsel to ensure their companies are prepared to handle a security breach and ensuing litigation or regulatory investigations. All organizations should have a crisis management plan that designates internal and external stakeholders responsible for responding in the event of a breach. The plan should anticipate potential scenarios and assign tasks for each stakeholder to perform in a crisis. In the case of litigation, organizations can apply advanced data detection and redaction technologies during the review of potentially relevant information to ensure that they do not inadvertently disclose NPI or PII during discovery.
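The data detection and redaction step mentioned in the last item, shown as an added Python example; this is not code from the article or a Xerox Litigation Services tool. It scans a constructed document for the two kinds of NPI the article names most often, Social Security numbers and payment-card numbers, validates each candidate (Social Security Administration issuance rules for SSNs, the Luhn check for cards) so that internal ticket numbers and mistyped digits are left alone, and writes typed placeholders into the text. The sample document, the pattern names and the placeholder format are assumptions made for this example.

```python
"""Detect and redact Social Security and payment-card numbers in review text.

Added illustration of the redaction step described in the article; the sample
document below is constructed for the example and the regex/placeholder
conventions are this example's own choices.
"""
import re
from dataclasses import dataclass

# Constructed sample standing in for one document pulled into a litigation review.
# It mixes real-looking NPI with look-alikes that must NOT be redacted.
SAMPLE_DOCUMENT = """\
From: accounts@example.com
Re: account review for customer 4471

Customer SSN on file: 123-45-6789 (verified against application).
Card used for the deposit: 4111 1111 1111 1111, expiring 09/27.
Callback number 555-123-4567; case reference 000-12-3456 is an internal ticket,
not a Social Security number, and 4111 1111 1111 1112 failed the card check.
"""

# SSN: three hyphen-separated groups. The lookaheads drop values the SSA never
# issues (area 000, 666 or 900-999; group 00; serial 0000), which removes the
# most common false positives such as internal reference numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Card: 13-19 digits with optional single spaces or hyphens between them.
# The regex deliberately over-matches; the Luhn check below decides.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "SSN" or "CARD"
    value: str   # the text exactly as it appeared
    start: int   # character offsets into the scanned text
    end: int


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[Finding]:
    """Return validated, non-overlapping findings ordered by position."""
    found = [Finding("SSN", m.group(), m.start(), m.end())
             for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(Finding("CARD", m.group(), m.start(), m.end()))
    # Earliest first; on a tie prefer the longer match, then drop overlaps.
    found.sort(key=lambda f: (f.start, -(f.end - f.start)))
    result: list[Finding] = []
    for f in found:
        if not result or f.start >= result[-1].end:
            result.append(f)
    return result


def redact(text: str) -> tuple[str, list[Finding]]:
    """Replace each finding with a typed placeholder; everything else is kept verbatim."""
    findings = find_pii(text)
    out, pos = [], 0
    for f in findings:
        out.append(text[pos:f.start])
        out.append(f"[{f.kind} REDACTED]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out), findings


if __name__ == "__main__":
    redacted_text, hits = redact(SAMPLE_DOCUMENT)
    for hit in hits:
        print(f"{hit.kind} at offset {hit.start}: {hit.value}")
    print(redacted_text)
```

The validation step is the part worth keeping in any real review pipeline: a bare digit pattern would redact the ticket number and the mistyped card in the sample, and over-redaction in discovery hides material that may be relevant, while a missed SSN is exactly the inadvertent disclosure the article warns about. Any production tool would extend the same structure with further categories (PINs, account numbers) and would log each finding for the review record.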
As in many situations, the best defense against a data breach is a good offense. Taking proactive steps before a breach occurs can help organizations protect their sensitive data and, in the event of a breach, limit its damaging effects.
Bill Mariano is a vice president with Xerox Litigation Services, the electronic discovery division of Xerox.