Data Privacy

Regulatory, Protection and Mitigation Considerations

John Wurzler
April 2, 2012

Executive Summary

Personally Identifiable Information (PII) is so prevalent in our everyday lives that it is difficult not to somehow expose this information to the scrutiny of companies, organizations, or other individuals. Whether it’s making a cell phone call, logging on to the internet, using an ATM or even throwing an old credit card bill into the garbage, there are a myriad of ways in which data can be exposed.

The challenge in data privacy is to develop ways to share data while protecting personally identifiable information.1 Since 2005, there have been more than five million records exposed in over two thousand publicly announced data breaches.2 The average organizational cost of such a breach is about $7.2 million, an average of $214 per compromised record, markedly higher than 2009 when the average was $204. This is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.3

This paper provides a brief overview of data privacy controls and exposures, so that your organization can avoid data breaches.

Privacy and Breaches Defined

Data Privacy is the safeguarding of data against unauthorized access or accidental or deliberate loss or damage.4 A data breach is a security incident in which sensitive, protected or confidential data (such as PII) is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.5

State and Federal Laws Governing Data Privacy

Beginning with California in 2003, forty-six states, including the District of Columbia, Puerto Rico and the Virgin Islands, have enacted legislation requiring notification of security breaches involving personal information. The California Office of Privacy Protection provides information on Recommended Practices on Notice of Security Breach Involving Personal Information.6 A listing of laws by state can also be obtained from the National Council on State Legislation.7 If a state does not have a security breach notification law, companies are not required to let affected individuals know if a breach occurs.

In addition to state laws, there are also federal laws that may prompt notification in the event of a data breach. These laws include the:

  • Privacy Act
  • Federal Information Security Management Act
  • Office of Management and Budget Guidance
  • Veterans Affairs Information Security Act
  • Health Insurance Portability and Accountability Act
  • Health Information Technology for Economic and Clinical Health Act
  • Gramm-Leach-Bliley Act
  • Federal Trade Commission Act
  • Fair Credit Reporting Act

These federal laws do not apply universally; they may apply to either all or only certain sectors of the federal government. A reliable source for summaries of these laws can be obtained from the Congressional Research Services Federal Information Security and Data Breach Notification Laws.8

However, generally these laws require companies handling Personally Identifiable Information to establish the following protocols:9

  • Protection and Prevention: Physical, technical and administrative safeguards designed to protect both paper and electronic records.

Data Loss Prevention

Data Loss Prevention (DLP) is a set of computer security protocols designed to monitor data and protect it from unauthorized use. DLP systems are designed to detect and prevent unauthorized use and transmission of confidential information.10 Lately, perhaps the most high profile means of data loss is through the theft or loss of mobile data-bearing devices, such as laptops, thumb drives and smartphones.11

Data is generally identified as being in one of the following three states:

  • Data in use: Internal operating systems that exchange information
  • Data in motion: Data operating on the periphery of a system or data that interacts with the outside world.
  • Data at rest: Stored data.

DLP systems are designed to protect all 3 types of data and are scalable to meet the needs of various sized systems. DLP systems are commercially available through many network security companies.

Best Practices

Best practices for preventing the unintended release of information include:12, 13

  • Establishing and posting a written privacy policy.
  • Identifying a Chief Information Officer or other person in charge of network security.
  • Establishing an Internet privacy policy and posting it on your website.
  • Establishing a written non-disclosure policy.
  • Practicing data minimization
    • Don't collect information that you don't need.
    • Reduce the number of places where you retain data.
    • Grant employees access to sensitive data on an "as needed" basis.
    • Purge data responsibly once the need for it has expired.
    • Conduct periodic risk assessments.
  • Encrypting all customer or sensitive information stored on your network.
  • Conducting regular reviews of third-party service providers to ensure that they are adhering to your requirements for the protection of private data.
  • Establishing document retention and destruction policy.
  • Conducting background checks on employees and leased workers.
  • Providing training for employees on privacy, data security and related issues.
  • Deploying data loss prevention technologies which enable policy compliance and enforcement.
  • Reviewing of firewall incident logs.
  • Assessing network security through ongoing penetration testing.
  • Evaluating exit strategies (HR), remote project protocol, on- and off-site data storage practices, and physical safeguards.
  • Establishing a comprehensive breach preparedness procedure.
  • Keeping current with security software updates (or patches).
  • Providing Central Station monitored physical intrusion protection for your facility.

Conclusion

Protection of private information is becoming more challenging each year, and loss of data or unintended release of PII will continue to be costly to mitigate. Therefore, prompt and effective responses to breach incidents will become increasingly critical in the future. Establishing response procedures before a breach occurs will enable companies to prevent or reduce data loss and mitigate their financial and reputational costs.

Contact Us

To learn more about how OneBeacon Technology Insurance can help you manage technology risks, please contact Dan Bauman, Vice President of Risk Control for OneBeacon Technology Insurance at dbauman@onebeacontech.com or 262.966.2739.

This article is provided for general informational purposes only and does not constitute and is not intended to take the place of legal or risk management advice. Readers should consult their own counsel or other representatives for any such advice. Any and all external websites or sources referred to herein are for informational purposes only and are not affiliated with or endorsed by OneBeacon Insurance Group. OneBeacon Insurance Group hereby disclaims any and all liability arising out of the information contained herein.

References

  1. Wikipedia: http://en.wikipedia.org/wiki/Information_privacy
  2. Chronology of Data Breaches, June 16, 2011, from Privacy Rights Clearinghouse http://www.privacyrights.org/data-breach#CP
  3. Ponemon Cost of Data Breach, http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon
  4. McGraw-Hill Dictionary of Scientific & Technical Terms, 6E, Copyright © 2003 by The McGraw-Hill Companies, Inc.
  5. Gartner Report released March 7, 2011, www.gartner.com/it/page.jsp?id=1574514
  6. Recommended Practices on Notice of Security Breach Involving Personal Information, California Office of Privacy Protection, http://www.privacy.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf
  7. State Security Breach Notification Laws, National Council on State Legislation, http://www.ncsl.org/Default.aspx?TabId=13489
  8. Federal Information Security and Data Breach Notification Laws, Congressional Research Service, http://www.fas.org/sgp/crs/secrecy/RL34120.pdf
  9. Ibid. 6
  10. Parker, Smith & Feek website Blog, http://www.psfinc.com/blog/insuring-the-cloud
  11. Data Loss Prevention: Best practices for protecting your most valuable asset, Shon Harris’s Blog, November 8, 2010 http://security.feedfury.com/content/52859731-data-loss-prevention-best-practices-for-protecting-your-most-valuable-asset.html#http://www.logicalsecurity.com/resources/resources_articles.html
  12. Symantec Corporation Press Release, http://www.symantec.com/about/news/release/article.jsp?prid= 20110308_01&om_ext_cid=biz_socmed_twitter_facebook_ marketwire_linkedin_2011Mar_worldwide_costofdatabreach
  13. Tips to Prevent Data Breach, Kroll Fraud Solutions http://www.kroll.com/en-us/cyber-security/data-breach-prevention/cyber-risk-assessments/data-breach-prevention-tips )

  • Preparation for Notification: Recommended practices for timely response to incidents.

  • Notification: Protocols for providing timely and helpful notice to affected individuals.