The Seven Deadly Sins of Data Security
There is no shortage of advice on how to secure electronic information. Companies can look to pronouncements by state and federal agencies (for example, the recent statements by the California Attorney General and the Federal Trade Commission on mobile application security), private industry (like the Payment Card Industry’s Data Security Standards) and foreign standards (like the European Union Data Protection Directive). There is guidance regarding technical standards, corporate protocols, contracting requirements and others.
Much of this advice is very good and, if implemented, would result in a more secure data environment. What we seldom see, however, is discussion of the most critical element of an effective security regime – the overall security environment itself. Lots of things go into an effective data security program. But because there are so many different aspects to data security, a single point of access can create an insecure data environment – it doesn’t take much to undermine security. To put it a different way, data security is essentially binary. There is no “10 point” scale for data security, where, for instance, if you are at Level 6 you are “reasonably secure” and achieving a higher rating is adequate. Rather, at any point in time, a firm is either secure or not secure.
For that reason, we focus on key weaknesses that will undermine any security program, and have identified the following seven chief destroyers of data security, any one of which can destroy a company’s data security:
1. Don’t have a computer security policy. Whatever the source of data security advice, the first step is, almost universally, adoption of a comprehensive computer security policy. Given this, you would think that by now any and every organization that relies on electronically stored information would have a data security policy. But the truth is that many organizations, including organizations that are highly dependent on critical data, either don’t have any policy, or have never updated the policy they adopted, even though key business functions have changed radically – new programs have been implemented, the company has shifted to a cloud computing model, or mobile applications have become the norm. Even worse, many companies have adopted a data security policy that, on its face, is appropriate, but the policy is effectively ignored, as end users are never reminded of the policy, or are not held accountable when they violate the policy, or the penalty is not equal to the threat to the system created by the violation. Not having a current, enforced policy results in destructive behavior, like downloading from unknown or suspicious sites, using out of date system applications and tools and using business workstations to access social media, all of which contradict a secure system. If you don’t have an up-to-date security policy that is consistently enforced, you have no security.
2. Don’t have a breach contingency plan. Effective containment of a data breach requires fast and definitive action. When executed crisply, a containment program can do more than comply with legal and regulatory requirements; it can sometimes even prevent data from being compromised. A breach contingency plan informs stakeholders – management, employees and owners – of their responsibilities in a breach event, the chain of command and the steps to be taken in response to a breach. Absent a breach contingency plan, we have observed that instead of taking quick and effective action to address the breach and its impacts, those involved often resort to finger pointing and a lot of avoidable expense and liability. In the meantime, the breach is not effectively contained or remediated.
3. Permit employees to link their personal devices to the company’s systems without oversight or restrictions. People like their devices, and there are lots of them – smartphones, tablets, laptops and more – and they like to use them to link to the company’s systems. Unfortunately, allowing unencumbered access to the system is pretty much like spending a great deal of time and money installing a cutting edge security system in your residence, and then leaving a ground floor window ajar or the front door unlocked. There are ways of securing mobile devices, but it requires a great deal of discipline and should not be taken lightly (unless you like leaving your front door unlocked).
4. Rely exclusively on your in-house information technology staff to identify, contain and remediate data breaches. A surprising number of organizations continue to rely on their in-house IT staffs to deal with data security. This is an enormous mistake because the skills that make for a good IT manager are very different than those found in a good data security manager. The skill set begins with the assumptions and goals of the two different groups. The IT staff is tasked with designing and implementing a knowledge retrieval system that facilitates the core functions of the company. As such, the IT staff knows how to manage and update the system and probably knows quite a bit about data security. Data security professionals are focused on a different issue – rather than facilitating authorized access, they focus on unauthorized use. The IT staff, because of its task, does not have the assets of a competent data security team must – investigative tools, forensic engineering expertise, ready access to the most current information on security threats and a detection and containment mindset. Moreover, while companies might recognize the value of their information, and the cost of unauthorized access, companies do not want to spend the money on IT security resources, believing that because their IT staffs are aware of data security, and because the company’s systems have never (to their knowledge) been penetrated before, a “belt and suspenders” approach is wasteful. Or if there is an intrusion, the IT people will catch it and there will be time enough to call in outside consultants to deal with the problem.
5. Notify customers immediately after a data breach occurs without first determining that personal information has actually been compromised. The typical breach notification law requires notification only if certain kinds of data have actually been compromised. Determining if a breach has occurred or if data has actually been compromised can often be a painstaking process, requiring input from several different kinds of expertise. If you erroneously decide that notification is required, a progression of events is commenced that will absorb an enormous amount of time and money and can lead to lawsuits and regulatory inquiries. An unnecessary or imprudent notification can do unnecessary damage to a company and have unforeseen implications. For example, most cybersecurity insurance policies only cover the costs of notice required by law; failing to establish that the breach triggers notice can leave the company without resources to pay for an expensive notification process. And while many firms may decide to notify customers, employees, vendors or other affected parties of a breach whether or not mandated by law, that decision should be intentional, and not simply a knee-jerk reaction. Over-notification can be as significant a mistake as failure to notify – it unnecessarily raises the profile of the company, adversely impacts client and customer relationships, and creates an unwarranted history of non-compliance.
6. Assume that having antivirus protection is a sufficient system security strategy. It is an absolute truism that an effective data security regime must contain antivirus protection. The converse is also true – antivirus protection is not, by itself, an effective security regime. For effective data security, you need additional tools, such as firewall, identity protection and web filters. Traditional antivirus programs alone are not equipped to detect and protect from threats such as phishing scams, network intrusions, adware, spyware, malicious scripts, and many more.
7. Make someone responsible for data security but fail to give him or her sufficient authority or resources to perform the job effectively. This can happen when a company’s IT manager is assigned data security and breach responsibilities and can even happen when a company has a security manager or officer. Responsibility for data security is not a part-time job. System vulnerabilities crop up routinely and without notice and threats to the system occur 24/7, 365 days a year. Effective job performance requires that the manager be familiar with all manner of existential electronic threats, have enough able staff to be able to respond quickly to threats and be part of the company’s security policy-making group.
There is no safety or solace in committing fewer than all of the seven sins or even just one of them. Any single one of them can be deadly. When they are all present, the stage is set for an almost inevitable catastrophic data breach.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.