1 June 2010

Preventable Data Breaches – Chapter 1 – Stolen Computers
3rd parties

Written by Ron Penna

It is amazing to me just how many data breaches are preventable. Now with 46 states having data breach notification laws and national legislation being discussed, it is more important than ever for organizations to limit their exposure to a data breach. An information security breach often costs organizations millions of dollars, and in cases like these, it isn’t even the fault of the company but rather 3rd party contractors.

Through some good planning and proactive solution deployment, the majority of data breaches can be avoided. In our first installment of preventing data breaches, we will focus on 3rd party contractors that have their computers stolen. Let’s take the week of May 10, 2010 as an example. Three (of the several) publicly disclosed data breaches that were announced that week included 1) New Mexico Medicaid, 2) the Army Reserve and 3) the Department of Veterans Affairs (yes, again). In all of these cases, a stolen computer led to the required data breach disclosure.

On May 11, 2010 it was announced that a laptop “loaded with patient information” was in the trunk of a car that was reported stolen. This happened in New Mexico which is one of 5 states that doesn’t have data breach notification laws on the books. However, the agency sent out a message notifying 9,500 New Mexicans who use its Medicaid plan of a possible security breach. The laptop stolen was of an employee of a subcontractor for the company that processes claims and provides dental benefits for the State’s Medicaid program.

Two days later, the Army Reserve announced that a laptop containing the names, addresses and Social Security numbers of more than 207,000 Army reservists was stolen. This again was a 3rd party (a government contractor in Georgia) that actually lost the laptop. In this case, the data was on a CD-ROM in the computer’s drive. The next day, the Department of Veterans Affairs had yet another data breach when a thief stole an unencrypted laptop that held Social Security numbers and other information for many veterans. Yet again, the laptop was owned by a contractor and not the VA.

Some might say that you don’t have control over 3rd parties, but I say that you can require contractors and other 3rd parties to conform to your information security policies if they want to do business with you. These requirements should include regular auditing and severe fines if conformance is not met. At a minimum, they should include the requirement to keep all sensitive data encrypted. But there are many states that require disclosure even if the data is encrypted.

State-of-the-art software that can remotely delete sensitive data is now available. This same software can even track the physical location of the stolen laptop. Most data breach disclosure laws allow an exception if there is sufficient proof that the data was not exposed or could not be used maliciously. This software very well may be able to save your organization from having to publicly disclose a data breach that otherwise would negatively impact revenue, customer loyalty, stock value, not to mention legal liability, fines, and possible regulatory compliance impacts.

Organizations should not only enhance their policies to require this type of software for all mobile devices, but should also require contractors and other 3rd parties that must interact with sensitive data to also use it. This is a very simple, easy and inexpensive way to reduce your exposure to 3rd party contractor laptop theft that can result in a data security breach of your company.
