Most companies have never had to deal with mandated disclosure, or even reporting breaches to law enforcement. Therefore, to ensure compliance with the law, you should outline detailed procedures for reporting breaches (internally, as well as to law enforcement), investigating and disclosing breaches and audits. Have your corporate counsel and applicable law enforcement agency review these procedures.
If you have any third-party relationships where personal or sensitive information is involved, you may want to examine the necessity of this relationship. If it makes sense to continue this engagement, ensure that your contracts give you the control you need—of processes, investigations, notification and so on.
Educate your employees
Employees need to be educated on the importance of protecting sensitive data on all computers, including handhelds. Training should cover the policies for managing sensitive data, how to recognize the signs that their own computers have been compromised, and the procedures for reporting a suspected breach.
Encrypt sensitive data when it's not in use
Once you've narrowed the personal information you're storing, consider encrypting it. When measuring effectiveness and reporting compliance, encrypting personal information during storage and transmission can give you a real advantage. For example, SB-1386 only requires notification when unencrypted personal information "was, or is reasonably believed to have been, acquired by an unauthorized person." Choose a product that uses a non-proprietary, government-standard encryption specification, such as AES, DES or Triple DES, and that has been government-certified and validated as FIPS 140-2 compliant.
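As an added illustration (not code from the original article or any product it mentions), the following Go program shows what "encrypted during storage" means in practice for a single personal-information field, whether it lives in a server database or on a handheld. It uses AES-256 in GCM mode from the Go standard library, draws a fresh random nonce per value, and binds the record identifier and column name into the authenticated data so that a ciphertext copied into another record fails to decrypt. The record IDs, field name and key are constructed for the demo; in production the key would come from an HSM or key-management service, which this example leaves out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// newAEAD wraps a 256-bit key in AES-GCM (authenticated encryption). In
// production the key would be fetched from an HSM or key-management service;
// here the caller passes it in (assumption for the demo).
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// context binds the ciphertext to the record and column it belongs to, so a
// value copied into another record fails authentication on decryption.
func context(recordID, field string) []byte {
	return []byte(recordID + "/" + field)
}

// EncryptField seals one personal-information value for storage. The output
// is base64(nonce || ciphertext || GCM tag), safe to put in a text column.
func EncryptField(key []byte, recordID, field string, plaintext []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return "", err
	}
	sealed := aead.Seal(nil, nonce, plaintext, context(recordID, field))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField reverses EncryptField; tampering, a wrong key, or a mismatched
// record/field context yields an error rather than garbage plaintext.
func DecryptField(key []byte, recordID, field, stored string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return nil, errors.New("stored value too short to be a sealed field")
	}
	return aead.Open(nil, raw[:ns], raw[ns:], context(recordID, field))
}

func main() {
	key := make([]byte, 32) // constructed demo key; never hard-code a real one
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// "cust-1042" and the SSN are constructed sample data.
	stored, err := EncryptField(key, "cust-1042", "ssn", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	pt, err := DecryptField(key, "cust-1042", "ssn", stored)
	fmt.Println("recovered:", string(pt), err)
	_, err = DecryptField(key, "cust-1043", "ssn", stored)
	fmt.Println("copied to another record:", err)
}
```

The point of the authenticated-data binding is that a stolen database copy cannot be quietly rearranged: the tag check fails whenever the key, the nonce, the ciphertext or the record/field context differs from what was sealed, which is the property an auditor is looking for when a breach is reported as involving "encrypted" data.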
Prepare for a possible breach
Prevention is the best medicine. In advance of any incident, educate your customers and employees by providing information about what they can do to protect themselves against identity theft, such as subscribing to a service that provides credit-report activity and buying identity theft insurance.
You may also want to draft notification document(s), in advance of any need, describing what protective and defensive measures an individual whose personal information may have been compromised can take. That means you'll need to have contact information for everyone whose personal information you retain.
Be prepared to investigate a breach efficiently and quickly using either internal or external resources, or a combination of both. If you plan to handle investigations internally, you may want to acquire forensic/incident response software that is capable of producing court-admissible evidence, should you need it.
Ensure your current software is configured correctly
According to Gartner, sixty-five percent of attacks exploit misconfigured systems. Therefore, maximize your current investment in security-related software by ensuring it's configured correctly and patched properly on an ongoing basis. Check that you have enabled all applicable logging capabilities of your existing software. If you develop custom applications, ensure your developers are properly trained in state-of-the-art secure software development techniques, since attacks come through application vulnerabilities as well as network vulnerabilities.
Ensure regulatory compliance with security policy-based software
Now that you have identified policies and procedures, invest in controls that are essential for risk management and that ensure regulatory compliance. Good policy-based software ensures that the measures you put in place to safeguard the privacy of sensitive information are not defeated.
Protect your extended perimeter
The perimeter as we know it today is gone. With the introduction of new mobile and wireless devices, computing is no longer restricted to a fixed location or tied to a physical network. Sensitive data can be accessed and stored on laptop and tablet computers, as well as PDAs and smartphones. Once beyond the firewall, that information is outside an organization's span of control. An unsecured device in the wrong hands can expose sensitive data, as well as be used to access network resources. Therefore, securing these devices is not only essential to protecting sensitive data; it is a necessary component of network security.
To maximize the protection of sensitive data, devices must be protected whether in a connected or disconnected state. Implement policy-based mobile security software with robust on-device security for controlling access privileges, authenticating users and devices and encrypting sensitive data. Make sure it is implemented on each mobile computer, handheld and smartphone that is used to access your enterprise network.
Given the security risks associated with information traveling over the Internet, link-level encryption technology, such as Secure Sockets Layer (SSL) or Virtual Private Network (VPN) technology, should be implemented to protect the data as it is transmitted to and from the enterprise network. In addition, a personal firewall should be implemented to further control access to mobile computing devices.
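To make the "encrypt the link" advice concrete from the device side, here is an added Go example (not code from the original article or any product it describes) of the client policy a managed laptop or handheld should enforce when it connects to an SSL/TLS or VPN gateway: trust only the enterprise root store, check that the certificate matches the gateway's name, and refuse protocol versions older than TLS 1.2. The gateway name vpn.example.test, the self-signed certificate and the loopback listener are stand-ins so the program runs offline; a real gateway presents a certificate issued by the enterprise CA, and the device's trust store holds that CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert creates a throwaway certificate for the demo gateway
// and a trust store containing only that certificate (demo assumption; a real
// trust store holds the enterprise CA, not a self-signed leaf).
func selfSignedServerCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// hardenedClient is the policy a managed laptop or handheld should apply:
// trust only the enterprise root store, check the gateway's hostname, and
// refuse anything older than TLS 1.2. Note what is absent: InsecureSkipVerify.
func hardenedClient(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

// startGateway runs a loopback TLS listener that presents cert, standing in
// for the enterprise VPN/SSL gateway. It serves until the listener is closed.
func startGateway(cert tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				c.(*tls.Conn).Handshake() // failures surface on the client side
				c.Close()
			}(c)
		}
	}()
	return ln, nil
}

// connectAndVerify dials addr under cfg and returns the negotiated protocol
// version; an untrusted or mismatched certificate is reported as an error
// before any application data could be sent.
func connectAndVerify(addr string, cfg *tls.Config) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedServerCert("vpn.example.test") // placeholder gateway name
	if err != nil {
		panic(err)
	}
	ln, err := startGateway(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	addr := ln.Addr().String()
	ver, err := connectAndVerify(addr, hardenedClient(roots, "vpn.example.test"))
	fmt.Printf("trusted gateway: version=0x%04x err=%v\n", ver, err)
	_, err = connectAndVerify(addr, hardenedClient(x509.NewCertPool(), "vpn.example.test"))
	fmt.Println("unknown certificate rejected:", err)
	_, err = connectAndVerify(addr, hardenedClient(roots, "other.example.test"))
	fmt.Println("hostname mismatch rejected:", err)
}
```

The two rejected connections are the cases a lost or attended-by-a-stranger device is most exposed to: a rogue access point presenting its own certificate, or a redirect to a server whose certificate does not name the gateway. Both are refused before any credentials or sensitive data leave the device.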
Identity theft is a major issue faced by everyone. Defense strategies, including sound practices, deployment of sophisticated technologies and adequate staffing and training, are critical. Mobile and wireless devices, the most severe and most overlooked threat to your organization, must also be included as a key component of your defense strategy. Sensitive data is stored on laptop and tablet computers, as well as PDAs, converged PDAs and smartphones, and is too easily accessible if the mobile device is lost, stolen or left unattended.