Identity theft will financially impact commercial and nonprofit businesses, governments and consumers. Organizations have strengthened their security policies and have implemented firewalls, anti-virus and authentication to prevent unauthorized access to networked systems, but this is no longer enough. Mobile devices, such as laptops, tablets, handhelds, PDAs, converged PDAs and smartphones, are used to access sensitive information from networked resources yet remain outside the network's control. Often overlooked and left unprotected, these devices pose new threats to organizations when information is transmitted to them or when they are lost or stolen. And, as U.S. state and federal governments pass new laws focused on data privacy, such as California's Civil Code Section 1798.8, organizations have even more at stake.
Passed in September 2002 by the California Legislature and Senate, Civil Code Section 1798.8 was heavily influenced by a hacking attempt on the payroll database for the state of California. For more than a month, hackers had access to the personal information of 265,000 state employees. Worse yet, the individuals affected were kept uninformed for more than two weeks after the breach was discovered. The law, which went into effect on July 1, 2003, requires any organization that electronically stores personal information of a California resident to notify those individuals without unreasonable delay upon the discovery of a breach of that computer system. And the computer system referenced is not limited to specific computing platforms. Breaches of security on mobile devices such as laptops, tablets, handhelds, PDAs, converged PDAs and smartphones that contain personal information are also included, yet these devices remain the most severe and most overlooked threat to the organization, because they serve as repositories for sensitive information.
Civil Code Section 1798.8 brings with it a new standard of accountability. Organizations can no longer keep mum after a cyber attack in an effort to preserve their reputations and avoid public outcry. Non-compliance can result in steep fines against the company as the result of civil lawsuits in which a Californian can personally recover damages.
The best way to avoid costly fines and litigation relating to data privacy regulations, including Civil Code Section 1798.8, is to make data security a priority and to put a good implementation plan in place. Defense strategies, including sound practices, deployment of sophisticated technologies and adequate staffing and training, can significantly minimize your company's financial liabilities, legal exposure and brand damage.
Take an inventory of your sensitive data
Examine the type of personal information you currently store electronically. Identify where it is located, who controls it, who and what has access to it, how it is stored and how it is protected. Then ask yourself the following questions to see if you can reduce the amount of information you currently store and the number of access points to that information:
- Must the personal information be stored electronically?
- Must the personal information be stored on your primary network?
- Does it include information you no longer need that can be deleted?
- Is there any unnecessary redundancy in the personal information you're storing?
- Must you use federal and/or state identification numbers, or can you substitute your own?
- Must you store customers' or employees' financial account information on an ongoing basis, or can you request it when you need it?
- Is the personal information capable of being accessed only by those who really need it?
- Are the machines or devices where the personal information is displayed and used accessible or visible to unauthorized users?
Create a policy on how to manage sensitive data
While most companies have security policies for computer usage and privacy, a sensitive data management policy is different. This policy defines what the company must do in the event of a breach of its computer systems and the compromise of confidential data. It spells out ownership, the functional roles required to implement the policy, the responsibilities of those roles, the procedures required to implement the policy and the controls required to measure compliance and effectiveness.
This was first published in January 2004