Protecting Electronically Stored Customer Data
April 24, 2018
Protecting Electronically Stored Customer Data
On Facebook the other day I read a post that asked users to list something that they remember from childhood that the current generation would have no appreciation for or understanding of. Rotary phones, televisions without remotes, no Internet…and the list went on and on. As I looked through the list, and the names of all those who provided input, as well as the ads popping up for items that I researched on entirely different websites, it reinforced my belief that it won’t be long before privacy is just a memory, like rotary phones. And while individuals can minimize their public exposure, businesses are more vulnerable than ever as customer intelligence, and big data are currently the hottest commodities. Unfortunately, these will likely sound familiar.
“Target to pay $18.5M for 2013 data breach that affected 41 million consumers” (USA Today published 5/23/17)
“Orbitz Discloses Possible Data Breach Affecting 880,000 Payment Cards” (WSJ published 3/20/18)
“Credit giant Equifax says Social Security numbers, birth dates of 143 million consumers may have been exposed” (LA Times 9/7/17)
And while the businesses cited here are giants in their respective industries, my prediction is that in time these organizations will become more impenetrable. However, the value of customer data is only going to increase leaving criminals searching for alternatives. The next most likely fertile ground for customer data is small businesses.
Various federal and state laws protect consumer information. The Health Insurance Portability and Accountability Act (HIPAA) protects health-related information. The California counterpart to HIPAA is the Confidentiality of Medical Information Act (CMIA). The Federal Trade Commission (FTC) Act protects consumer information and authorizes the FTC to bring lawsuits against businesses for failing to properly protect consumer data. In addition, data breaches are often litigated pursuant to violation of unfair business practice laws.
I am not an IT security expert. But through businesses I’ve consulted with, I’ve come to understand that data breaches generally arise in two different contexts. First, businesses make accessing information easy. The only layer between a customer’s social security number and thief may be a username and password. Additionally, how information is stored can also promote theft. Combatting these two vulnerabilities require different approaches and the type of data stored and cost of protection will influence the steps a small business should take.
Getting in the Door
In 2017, Fortune magazine, with the help of SplashData, published the most common passwords as disclosed by hacked data. ‘123456’ and ‘Password’ ranked 1st and 2nd respectively. Not only should a company require complex passwords, those with length and special character requirements, but passwords should also expire periodically requiring the user to update the password.
Employers should also not underestimate the intelligence obtainable through social engineering. For those not familiar with the concept, it could go something like this.
Receptionist answers the phone at a doctor’s office. Caller represents they are from the IT company that manages the office’s network. Caller says company is investigating a leak of patient medical information as determined by privacy monitoring software. The astute receptionist knows that a leak of information is bad. The caller follows by saying that company is taking steps to immediately encrypt all healthcare data and, to take the next step, the receptionist needed to disclose receptionist’s username and password. Once disclosed, thief quickly downloads all patient data in less time than it takes for receptionist to realize something fishy was afoot.
This employee should have been instructed from day one to never give out a username and password. It is important to reinforce this policy with the rationale behind it as it is easy for someone to get caught up in wanting to do the right thing.
But even if a thief can get in the door, businesses can make useful information difficult to extract or locate.
Getting Away with the Goods
A recent data breach garnered a lot of attention. Had it not been the substance of the services offered by the company, there would have been a lot less talk.
AshleyMadison.com is a website that claims to pair consenting married adults with other consenting married adults for discreet affairs. Users set up accounts, presumably with some degree of anonymity, to engage in this activity. In 2015 hackers stole information on 37 million users and publicly posted it. It does not appear there was a financial incentive; it was more about embarrassing users. And as reported by CNN, it was this embarrassment that led to the suicide of a pastor whose information was disclosed.
Because of the data breach, the FTC brought a lawsuit against AshleyMadison. In the lawsuit, the FTC detailed the company’s data security failures. They included having passwords and encryption keys available in emails (which were easy to locate), deleted profiles were retained on company servers for up to 12 months, and a shared password to the business’s virtual private network (company’s internal website) was stored in a Google Drive. These failures were instrumental to the hackers. And it would not have taken any special knowledge or training to avoid these mistakes; common sense may have avoided this breach altogether. While the company is making a resurgence, its operations were disrupted for a few years following the breach. The hackers may have gotten exactly what they wanted.
A general rule in the legal arena is that someone must have suffered damages to bring a lawsuit. Damages can include money lost, opportunities lost, and more intangible losses such as to reputation or pain and suffering. It is for this reason that individuals, or even groups of individuals, face a steep climb when suing for a data breach. It is difficult to show damage, for instance, when it was your date of birth, along with 100 million other dates of birth, that was stolen.
This may seem like a respite for small businesses. However, due to the difficulty individuals face in bringing such lawsuits, the government wields its weight. In the AshleyMadison case, it was the FTC as indicated above. In other cases, it can be the Attorney General. And the risk of a class action lawsuit, while difficult to prove, is always present.
More devastating than the financial loss is the harm to reputation that businesses encounter following a data breach. As a consumer, each of the above breaches, except for AshleyMadison, has impacted me. I can’t prove I was harmed, but I have lost faith in the businesses.
I have also yet to hear of a business infiltrated by thieves that was using best practices and the latest technology to avoid improper data disclosure and data theft. Businesses are often just careless. Use the practices talked about here and consult with an IT security expert if you have deeper concerns. If you are breached, legal counsel can help you explore resolution of the issue in the most expeditious, and least-harmful manner.