Reducing the risk of data breaches requires assessing your company’s vulnerabilities, then addressing them with policies, procedures, training and agreements.
The media tend to focus on external hackers, but “the real culprits for most of our clients are internal,” according to employment law attorney Robert Fitzpatrick. Employee data breaches can be classified into the deliberate and the negligent, Fitzpatrick said. In the latter case, most of the negligence falls on the company for failing to identify vulnerabilities and address them with preventative measures.
Vulnerabilities
Prevention starts with a vulnerability assessment, which should cover your data’s entire life cycle, according to Jennifer Trulock of Baker Botts LLP. Are the people, process and technology in place to track and control data from creation to deletion?
Companies often fail to identify the information that’s sensitive, and “make sure that throughout the organization, people are on the same page” regarding what information belongs to the company, added Paul Starkman of Pedersen & Houpt PC in Chicago.
Failing to assign clear ownership for data protection is another common weakness, Trulock said. “The head of IT may not be the right person to make sure confidential business information is protected,” she said. “There are compliance officers and there are IT people, and sometimes they don’t talk as much as they should.”
This can hinder the proper implementation of preventive measures. “We see, regularly, companies buy tools but maybe don’t educate their employees about the tools,” Trulock said — for example, 40 percent of executives reportedly turn off laptop encryption.
The Human Element
“Organizations devote most of their resources to preventing hacking,” but people within the organization are responsible for 70 percent of data loss, she said. One common scenario involves “the long-term, trusted employee” who turns out to have been appropriating or misusing data, Starkman noted. “This is something that happens all the time because of a lack of internal controls and a lack of auditing.”
Fitzpatrick also cited a widely held mentality among employees that they are entitled to remove certain information for future use, such as to burnish their credentials with prospective employers.
Sometimes this data is removed during the normal course of business, and by the time the person’s employment ends, he or she has a lot of sensitive information on mobile devices, Fitzpatrick explained. Or sometimes an employee will start taking data after seeing “the handwriting on the wall,” he added.
Preventing situations in which terminated employees access the corporate network through another employee’s password goes back to building a culture of how important it is to protect data, Fitzpatrick said.
Process of Prevention
The process elements of prevention include periodic risk assessments, security audits and documented security procedures “that actually reflect the needs of our business,” Trulock said. Having employees sign agreements on confidentiality and nondisclosure should be more than just a paperwork exercise.
“I find employers will have an employee sign a confidentiality agreement,” including an intellectual property provision, Trulock said, but “in my experience employers rarely walk the employee through the IP provision.” And on termination, “you want people to certify that they’ve given everything back to you.”
Not enough companies have a clear picture of where all of their laptops and portable devices are, Starkman added. “Knowing what you have and then being able to protect it is what it’s all about” — including data held by vendors, as Target’s data breach illustrated.
Balancing the people, processes and technology elements of prevention requires consulting with the internal stakeholders, including general counsel, internal audit and the owners of the actual business processes, Trulock continued. “Identify what’s high-risk; protect the stuff that’s important.”
This consultation process should yield a series of policies, procedures, agreements and training for protecting data. The training should cover IT policy, information security, working remotely and preserving company records, Trulock said. “Employees can’t comply with policies if they don’t understand them.”
Fitzpatrick, Starkman and Trulock spoke in a May 20 webinar presented by the American Law Institute.
Risk assessment, training and security policies in the HIPAA context are detailed in the Employer’s Guide to HIPAA Privacy Requirements.