(with apologies to The Wizard of Oz)
Forty-six States have now enacted data breach notification laws, whereby businesses must contact consumers to advise when their personal data gets lost or stolen. Laws also exist in the District of Columbia, Puerto Rico, and the Virgin Islands. It’s a safe bet that the remaining States will get around to notification laws.
Why are such laws necessary? First and foremost: Breaches happen. Secondly, people wish to know – are entitled to know – when their sensitive data is compromised so that they can take action to protect themselves. Not least, breaches are on the increase. Why?
Since most data breaches originate with human error, the likely reasons are some combination of lack of awareness, lack of education, sloppiness and poor decisions.
High-profile breaches seem to happen on a constant basis. For some perspective, have a look at The Chronology of Data Breaches, courtesy of the Privacy Rights Clearinghouse. That list covers just the high-profile ones and is meant to be, in the words of the PRC, “… a useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches.” A comprehensive listing of breaches would scare you.
Among the “new ideas” in data protection is banning the physical transfer of data. This seems draconian – and where would it begin and end? As one example: What if you wish to walk a thumb drive across the office? You’d better refer to the organization’s Acceptable Use policy, Security policy and any other controlling documentation. Can you imagine the granular detail of data security policies under such constraints?
But doesn’t it all come down to one thing? Care. Care that people are trained in the proper handling of data, and subsequent exercise of care. That is, constant awareness for what you’re doing, what you’re putting where, why, when and how.
A fairly high-profile company recently decided to have clients verify and update sensitive information. They decided to merge data sets with each corresponding individual e-mail account and… Send! You already know what happened – things got scrambled and individuals received other folks’ sensitive data.
Where were the standards for testing in a test environment, then running the action on a limited real-world basis for assessment, and only then conducting the large-scale action? Let’s not forget solid contingency planning for the unforeseen – but prevention is key. I believe prevention is possible, but it requires care, awareness, and education. Constant education.
The culture of your organization helps to determine what you do, how, when, and under what circumstances. In this century, it all boils down to eCulture – electronic culture: Know what you’re doing with electronic data and also what that electronic data produces: Paper and other physical records and repositories, such as tape, disk, stick, phone, laptop – indeed anything that can store and transport data from a sheet of paper on up. Policy, education and training – control – must also include personal storage devices that people bring into the environment. Absent appropriate safeguards: If people can do it, they will.
Does your organization conduct regular training on data security? Depending on the nature of your organization, its people, and its business, you may need monthly, quarterly or annual awareness training.
Don’t let your organization’s good standing get mauled by a data breach: The fallout – the loss of trust, loss of reputation, and the reparations – can be enormous.
June 4th: On this day in 1896 Henry Ford took his first car, the Quadricycle, out for a test drive.