Friday, October 26, 2007

The Governator flexes for privacy!

Well, you can’t accuse Arnold Schwarzenegger of doing nothing about protecting citizens and stopping data breaches.

While the California governor has come under fire for vetoing a bill that would have required businesses to better protect customer information, he did sign another bill mandating that California government agencies truncate taxpayers’ Social Security numbers so that no more than four digits are displayed publicly. He also signed a third bill ordering that consumers’ “personal health records” comply with the state’s existing medical privacy laws, and requiring that consumers be notified when their medical or health insurance information has been lost, exposed, or stolen.

Say what you will about his failure to sign all three bills; the truth is that Governor Schwarzenegger took a step in the right direction. California law will still not be as stringent as Minnesota’s when it comes to mandating that businesses protect customer data or suffer the consequences, but it is more protective than before.

Which raises a simple question: why should we need such laws before we act?

No, I haven’t been drinking too much Kool-Aid; this is a relatively elementary matter. It’s something all businesses should consider. For instance, if you’re keeping personal information about your employees or customers, shouldn’t you be keeping their Social Security or credit card numbers under lock and key? Shouldn’t those numbers be encrypted? Shouldn’t you have plans and procedures in place to carefully regulate who has access to that information and how and when they can do so?

And before you tell me, “it’s going to cost too much money to do that,” consider how much it’s costing TJX to settle the data breach cases filed against it. Maybe it’s just me, but I don’t think there are that many companies that can afford to spend $200 million when they could have spent a small percentage of that making their systems more secure…which is something they should have done in the first place.

Realistically, you should be looking at the steps your company is taking to control the data that’s under your responsibility: ask yourself, “What policies do we have to ensure that people who shouldn’t see this data don’t see it? What have we done to restrict access to the information? And how do we prevent unauthorized access if somehow the information makes it off our network, either through email, USB drives, or even if we’re hacked?”

‘Cause if you don’t do it, please rest assured that there are lawyers somewhere who will be more than happy to ask a jury those very same questions. And in this era, you may not like the answers they deliver.

Yeah, the Governator did the right thing in signing the bills. Companies need to do the right thing by their customers as well, and not wait to act until they’re forced to do so.

Monday, October 15, 2007

Clooneygate and the need to secure and manage data

So, it’s come to this: a fellow can’t even go to the hospital any more without his private medical records being considered fair game for journalists. With the headlines about George Clooney, we should all be appalled at how this happened, and we should reconsider what we need to do to ensure that the information we consider most important doesn’t make it out to where it shouldn’t be.

Here’s what happened: Clooney was injured in a motorcycle accident in New Jersey last month. He was taken to a hospital for treatment. Apparently, more than two dozen hospital workers were able to access his medical records, and at least one of them leaked some of that information to the media. The fact that such a disclosure is in direct violation of HIPAA regulations seems not to have bothered them at all.

Each of the workers has been suspended by the hospital for a month over the breach. And while Clooney himself has taken the high road (saying in a statement, “While I very much believe in a patient’s right to privacy, I would hope that this could be settled without suspending medical workers.”), the episode points to a very real problem that businesses of all sizes face: the need to control data, especially sensitive data, using technology (such as encryption), policies (such as access control and background checks), education and, obviously, a big stick.

A significant portion of unauthorized accesses to private or corporate-critical information will not come from the outside. No, many of these incidents will come from behind your firewall, from the workers within your company whom you trust every day, and most of them will be due to negligence rather than the obvious malfeasance seen in this case. When they succeed, not only do the culprits access information they really should not have, but they leave you exposed to penalties under any of the myriad regulations out there, both from Federal and state governments (HIPAA, SOX, GLBA, Minnesota HF 1758) and from the private sector (PCI DSS).

Which, of course, reinforces the absolute need for companies to control their data from the moment it is created, and to ensure that only those people with a genuine need to know have access to it. Taking it further, companies need to remember that data does not exist solely on the network; it’s entirely possible that any one of the hospital workers copied Clooney’s medical information onto a USB drive and left the hospital with it.

While technology cannot prevent authorized users from accessing sensitive information for the wrong reasons, it can make it harder for them to move that information outside the organization. Technology can, however, stop people who are not authorized to see private information from gaining access to it. Encryption and access policies that persistently reside with the data, rather than only on the network, render that data unreadable to anyone not authorized to see it, regardless of where it ends up (a USB drive, a laptop, etc.), provided the keys needed to read it are released only after the policy is checked and never travel with the data itself.
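To make that last point concrete, here is an added example (my own code, not code from the original post or from any product it alludes to) of a record whose access policy travels with the ciphertext: the payload is sealed with AES-256-GCM, the policy is bound to it as associated data, and a stand-in key server inside the organization releases the per-record key only after checking the requester’s role against its own copy of the policy. The record identifier, the roles, the record contents and the KeyServer shape are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

var ErrNotAuthorized = errors.New("role not permitted by the record's policy")

// Policy is the access rule that travels with a record (constructed shape).
type Policy struct {
	RecordID     string
	AllowedRoles []string
}

// Envelope is what may leave the network (laptop, USB drive, e-mail): readable
// policy, payload sealed with AES-256-GCM, policy bound to it as associated data.
type Envelope struct {
	Policy Policy
	Nonce  []byte
	Sealed []byte
}

// KeyServer stands in for the policy/key service kept inside the organization: it
// decides on its own copy of each policy, never on what a presented envelope claims.
type KeyServer struct {
	keys     map[string][]byte
	policies map[string]Policy
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length; Seal uses 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// randomBytes draws n bytes from the OS CSPRNG; failure there is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Seal generates a fresh per-record key, registers it and the policy, and seals.
func (ks *KeyServer) Seal(pol Policy, plaintext []byte) Envelope {
	key := randomBytes(32)
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize()) // 96-bit nonce, fresh for every seal
	aad, _ := json.Marshal(pol)           // cannot fail: strings only
	ks.keys[pol.RecordID], ks.policies[pol.RecordID] = key, pol
	return Envelope{Policy: pol, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, plaintext, aad)}
}

// ReleaseKey is the policy decision point: no matching role, no key.
func (ks *KeyServer) ReleaseKey(recordID, role string) ([]byte, error) {
	pol, ok := ks.policies[recordID]
	if !ok {
		return nil, fmt.Errorf("unknown record %q", recordID)
	}
	for _, allowed := range pol.AllowedRoles {
		if allowed == role {
			return ks.keys[recordID], nil
		}
	}
	return nil, ErrNotAuthorized
}

// Open decrypts with a released key; GCM authenticates the carried policy and
// the payload together, so an edited policy is rejected along with the data.
func Open(key []byte, env Envelope) ([]byte, error) {
	aad, _ := json.Marshal(env.Policy)
	return mustGCM(key).Open(nil, env.Nonce, env.Sealed, aad)
}

func main() {
	ks := &KeyServer{keys: map[string][]byte{}, policies: map[string]Policy{}}
	pol := Policy{RecordID: "rec-1001", AllowedRoles: []string{"attending_physician"}}
	env := ks.Seal(pol, []byte("dx: fractured rib; rx: analgesic")) // constructed sample
	_, err := ks.ReleaseKey("rec-1001", "billing_clerk")
	fmt.Println("billing_clerk:", err)
	key, _ := ks.ReleaseKey("rec-1001", "attending_physician")
	pt, err := Open(key, env)
	fmt.Printf("attending_physician: %q %v\n", pt, err)
	// A USB copy whose policy was edited to add a role fails to open even with a
	// legitimately released key: the edited policy no longer matches the AAD.
	tampered := env
	tampered.Policy.AllowedRoles = []string{"attending_physician", "billing_clerk"}
	_, err = Open(key, tampered)
	fmt.Println("tampered copy:", err)
}
```

Two things to take from running it. The billing clerk never receives a key, so the sealed copy on a USB drive is just noise to them; and editing the policy on that copy to add their role earns nothing, both because the key server evaluates the policy it recorded at seal time and because GCM rejects the edited envelope outright. The control that actually does the work is the key release decision; the associated-data binding is what makes the travelling copy of the policy trustworthy to whoever does hold the key.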

Again, this isn’t about George Clooney. It is about every company that must protect its information. Your data is constantly at risk, from within your organization and beyond. If you choose not to address the challenge from a holistic perspective, you run the risk of ending up in a true wreck…one that has nothing to do with a motorcycle.