Back to Basics in the Wake of the Capital One Data Breach and Other Data Breaches
News of data breaches is nowadays an almost daily occurrence. Consumers are becoming increasingly frustrated, disoriented, and paranoid when faced with the growing “you’ve been breached” phenomenon. Companies of all types and sizes fear being compromised in a data breach. Beyond reputational risk, the financial costs of a data breach to an organization can be crippling:
- Average total cost of a data breach: $3.86 million
- Average cost per lost or stolen record: $148
- Likelihood of a recurring material breach over 2 years: 27.9%
- Average cost of a mega breach of 50 million records: $350 million
In the wake of the recent and highly publicized Capital One breach – one that affected more than 100 million customers in North America – companies of all sizes must review some basic but critical data security best practices, some of which may have prevented or reduced the extent of the massive Capital One data breach.
- KNOW what sensitive personal information you have in your files and on your computers. Take stock of all personal information collected and used by your company. Particularly critical is the handling of personally identifying information (PII): Social Security numbers, credit card or financial information, and other sensitive data. Talk to your sales department, information technology staff, human resources offices, accounting personnel, and outside service providers to complete the picture of data collection, storage, and usage. As the Capital One breach has shown us, not even a sophisticated financial institution is immune to the vulnerabilities of outsourced cloud-based data storage. Different types of information present varying risks. Make sure you assess and understand all possible vulnerabilities and implement appropriate responses.
- CONTROL who has – or could have – access to your information. Assess which of your employees or contractors has access to your data and why. Understanding the types of data you have and how it’s used helps to control and protect it from unauthorized access. Consider whether setting up a tiered-access system may be appropriate for your organization. Assess and control any third-party contractors’ access to your organization’s systems and ensure appropriate contractual safeguards that manage third-party risk to your company’s data and systems are in place.
- SCALE down and keep only the data you need for your business. Establish appropriate information retention policies. If there is no legitimate business need for maintaining a database of sensitive personally identifying information, don’t collect it. If you’ve collected it, cease further collection and properly discard it. Keeping this information – or keeping it longer than necessary – raises the risk that the information could be used to commit fraud or identity theft. As was revealed in the wake of the recent breach, Capital One kept credit card applications containing sensitive PII going as far back as 2005. Unfortunately, many organizations are guilty of “data hoarding” and failing to implement common-sense data retention policies, resulting in retaining – and making vulnerable to hackers – far more data than necessary. Scaling down, and establishing and abiding by a data retention policy, is key to mitigating data security risk.
- PROTECT the information that you keep. The best way to protect the sensitive PII that your organization needs to keep depends on the type of information and how it is stored. Four key elements must be considered: physical security, electronic security, employee training, and the security practices of contractors and service providers. Many data breaches happen through lost or stolen paper documents. Others, involving electronic records, happen due to loss of portable devices – most often lacking proper encryption protection. When it comes to IT systems, ensure your network security is up to date. Disconnect databases containing sensitive PII from internet connections. Restrict employees’ ability to download unauthorized software. Require strong passwords and provide regular training to employees on phishing attempts. Caution employees against transmitting sensitive PII via email. These common-sense safeguards can go a long way in protecting an organization’s data and are no longer optional in the face of mounting risk from inside and outside intruders.
- PLAN AHEAD AND DETECT. Prevention and protection against data breaches are critical. Yet sometimes breaches happen. Create a plan for responding to security incidents and take steps to detect such incidents early to reduce the impact on your business, your employees, and your customers. Consider implementing an intrusion detection system, and update it frequently to address new types of hacking. Monitor incoming and outgoing traffic and watch for unexpectedly large amounts of data being transferred. Appoint and train a senior member of your staff to coordinate the response plan. Investigate security incidents immediately and take steps to close off existing vulnerabilities. You may need to notify consumers, law enforcement, customers, credit bureaus, and other businesses that may be affected by the breach. Consult experienced legal counsel about your obligations under state and federal laws or guidelines addressing data breaches.
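To make the egress-monitoring advice above concrete, here is an added example (not part of the original alert): it aggregates constructed per-host outbound traffic records by day and flags any host whose latest day's volume far exceeds its own baseline. The host names, the three-column log format and the 5x threshold are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample egress records (not real data): date, internal host, bytes sent outbound.
# The last db-02 line models a sudden bulk transfer of the kind the alert says to watch for.
FLOW_LOG = """\
2019-07-15 app-01 1200000
2019-07-15 db-02 800000
2019-07-16 app-01 1350000
2019-07-16 db-02 790000
2019-07-17 app-01 1100000
2019-07-17 db-02 810000
2019-07-18 app-01 1250000
2019-07-18 db-02 805000
2019-07-19 app-01 1300000
2019-07-19 db-02 30000000
"""


def parse_flows(text):
    """Return {host: {date: total_outbound_bytes}}, summing repeated host/day lines."""
    per_host = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, nbytes = line.split()
        per_host[host][date] += int(nbytes)
    return per_host


def flag_egress_spikes(per_host, multiple=5.0, min_history=3):
    """Flag a host's most recent day if its outbound volume exceeds `multiple` times the
    median of its earlier days. Hosts with fewer than `min_history` prior days are skipped,
    since there is no baseline yet to compare against."""
    alerts = []
    for host, by_day in per_host.items():
        days = sorted(by_day)
        if len(days) <= min_history:
            continue
        *history, latest = days
        baseline = statistics.median([by_day[d] for d in history])
        if by_day[latest] > multiple * baseline:
            alerts.append((host, latest, by_day[latest], baseline))
    return alerts


if __name__ == "__main__":
    for host, day, sent, baseline in flag_egress_spikes(parse_flows(FLOW_LOG)):
        print(f"ALERT {host} on {day}: {sent} bytes out vs. baseline median {baseline:.0f}")
```

In practice the baseline window, threshold and log source would come from the organization's own traffic history rather than these constructed values.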
FMJ’s Litigation attorneys are available to assist you with your review of your company’s data handling practices and privacy policies. If you have any questions about the above alert or are interested in learning, feel free to contact the author, Adina Florea, at firstname.lastname@example.org or 952-995-9500.
Adina Florea is an Associate in the Litigation and Appellate practice groups at FMJ and is a Certified Information Privacy Professional/United States (CIPP/US). Her practice focuses on clients in a variety of litigation contexts, including matters in business law.