Data Breach Revisited…
Quite some time ago we did a piece on data breaches. With the recent FTC settlement with Cbr Systems, Inc. (http://www.business.ftc.gov/blog/2013/01/bank-data-security-not-kind-bank), it seems like a good time to revisit the topic.
If you’re concerned about your existing data security practices, or are considering moving to an offsite backup solution to avoid the risks of fire or of physical backups being removed from your premises, contact our sponsor Top Speed today!
http://www.tsis.net/services/online-backup
http://www.tscsnv.com/services/security-services
What would you do if an employee called and said something like: “I lost the backup of our data,” “the drive containing some of our data was stolen,” or “it was left at a location where the data could possibly be acquired by an unauthorized person”? Every one of those scenarios is a data breach. A data breach will test your sanity, your knowledge of the protections you have in place, and your clients’ confidence.
Many of us are familiar with the disclosure of a data breach because we’ve heard on the news about a major company having one, received a personal letter (or been notified in another approved manner) that our data might have been accessed or stolen, or talked with a friend about the circumstances of a breach. Typically the laws requiring disclosure of a data breach aren’t discussed in detail. Don’t worry, I am going to avoid delving into the abyss of interpretation, perspective and potential hazards of telling you the law’s deepest meanings. However, I am going to encourage you to take a different look at the technology you use and your security practices around that technology, and to learn more about the laws that govern your business’s data.
Nevada Revised Statutes (NRS) 603A.220, Disclosure of breach of security of system data; methods of disclosure (http://www.leg.state.nv.us/nrs/NRS-603A.html#NRS603ASec220), seems to be a straightforward read as a guideline for what to do after a data breach.
• NRS 603A.220 Disclosure of breach of security of system data; methods of disclosure, section 2, ends with, “or is reasonably believed to have been, acquired by an unauthorized person.” Here are a couple of thoughts that jumped out at me:
o I’m responsible for taking the daily backup off site to my house, so that the data is safe from, say, a fire. The backup goes into my drawer in my home office until the next morning. Let’s say I have a dinner party, or I go out and the kids decide to have a party. Unless I know I’m the only person with access to the data, couldn’t the data be acquired, duplicated and put back? Typed out, that certainly sounds James Bond-ish, but it is certainly possible.
o What about spouses, significant others, children or other family members: are they unauthorized persons? Is it a data breach if they have possession of a device for a brief time until they see you again? I can see this being argued both ways.
o A more common scenario is the actual theft or loss of a company device (laptop, USB drive, backup drive, mobile device…), as was the case for Cbr Systems, Inc.
Now that we’ve explored the ambiguity of what counts as a data breach, what about the disclosure portion? Disclosure is to be immediate unless there is an active investigation, in which case notification is made immediately after the investigation is complete or once it is determined that notification won’t compromise the investigation. Notification can be made through written or electronic means unless you qualify for the substitute notification option. There is also a specific requirement to notify any consumer reporting agency, without unreasonable delay, if the data collector determines that notification is required for more than 1,000 persons at any one time.
Let’s remember that we live in a society that allows people to sue over spilling hot coffee on themselves. When it comes to the safety of your data and your sanity, a few catch phrases come to mind:
• An ounce of prevention is worth a pound of cure
• Be prepared
• Hope for the best. Expect the worst.
Ultimately, whether a data breach must be disclosed is determined by a risk analysis of your data, your security practices, and the circumstances that put you in the position of a breach. If you have to disclose a data breach to your clients, will you:
• have confidence in the rest of your security measures?
• be able to convey confidence when you tell them?
• rest easier knowing that you are educated about different security practices and options?
• or make the choice now to get a step ahead: review all of your current data security practices, play devil’s advocate, and look for the pitfalls and vulnerabilities. Look for alternatives when you find those vulnerabilities and make the appropriate changes now, so that down the road you don’t find yourself having to disclose a breach of your data and attempting to restore your clients’ faith in the information they’ve put in your hands.
As a final note, keep in mind that we only mentioned two of the Nevada Revised Statutes, and there are many more regulations. Be proactive!