Personally Identifiable Information (PII) is so prevalent in our everyday lives that it is difficult not to somehow expose this information to the scrutiny of companies, organizations, or other individuals. Whether it’s making a cell phone call, logging on to the internet, using an ATM or even throwing an old credit card bill into the garbage, there are a myriad of ways in which data can be exposed.
The challenge in data privacy is to develop ways to share data while protecting personally identifiable information.1 Since 2005, there have been more than five million records exposed in over two thousand publicly announced data breaches.2 The average organizational cost of such a breach is about $7.2 million, an average of $214 per compromised record, markedly higher than 2009 when the average was $204. This is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.3
This paper provides a brief overview of data privacy controls and exposures, so that your organization can avoid data breaches.
Data Privacy is the safeguarding of data against unauthorized access or accidental or deliberate loss or damage.4 A data breach is a security incident in which sensitive, protected or confidential data (such as PII) is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.5
Beginning with California in 2003, forty-six states, including the District of Columbia, Puerto Rico and the Virgin Islands, have enacted legislation requiring notification of security breaches involving personal information. The California Office of Privacy Protection provides information on Recommended Practices on Notice of Security Breach Involving Personal Information.6 A listing of laws by state can also be obtained from the National Council on State Legislation.7 If a state does not have a security breach notification law, companies are not required to let affected individuals know if a breach occurs.
In addition to state laws, there are also federal laws that may prompt notification in the event of a data breach. These laws include the:
These federal laws do not apply universally; they may apply to either all or only certain sectors of the federal government. Reliable summaries of these laws are available in the Congressional Research Service's report Federal Information Security and Data Breach Notification Laws.8
Generally, however, these laws require companies handling Personally Identifiable Information to establish the following protocols:9
Protection and Prevention: Physical, technical and administrative safeguards designed to protect both paper and electronic records.
Data Loss Prevention (DLP) is a set of computer security protocols designed to monitor data and protect it from unauthorized use. DLP systems are designed to detect and prevent unauthorized use and transmission of confidential information.10 Lately, perhaps the most high-profile means of data loss is the theft or loss of mobile data-bearing devices, such as laptops, thumb drives and smartphones.11
Data is generally identified as being in one of the following three states:
DLP systems are designed to protect data in all three states and are scalable to meet the needs of systems of various sizes. DLP systems are commercially available from many network security companies.
Best practices for preventing the unintended release of information include:12, 13
Protection of private information is becoming more challenging each year, and loss of data or unintended release of PII will continue to be costly to mitigate. Therefore, prompt and effective responses to breach incidents will become increasingly critical in the future. Establishing response procedures before a breach occurs will enable companies to prevent or reduce data loss and mitigate their financial and reputational costs.
To learn more about how OneBeacon Technology Insurance can help you manage technology risks, please contact Dan Bauman, Vice President of Risk Control for OneBeacon Technology Insurance at dbauman@onebeacontech.com or 262.966.2739.
This article is provided for general informational purposes only and does not constitute and is not intended to take the place of legal or risk management advice. Readers should consult their own counsel or other representatives for any such advice. Any and all external websites or sources referred to herein are for informational purposes only and are not affiliated with or endorsed by OneBeacon Insurance Group. OneBeacon Insurance Group hereby disclaims any and all liability arising out of the information contained herein.
Preparation for Notification: Recommended practices for timely response to incidents.
Notification: Protocols for providing timely and helpful notice to affected individuals.