By MICHAEL W. ELLIOTT, CPCU, AIAF, the senior director of knowledge resources for The Institutes in Malvern, Pa., a provider of
knowledge solutions for the risk management and property/casualty insurance industries
Over the past several years, many organizations have fallen victim to hackers who have stolen customer data. A case in point is Sony Corp. The direct cost to Sony for recent multiple hacks could be as high as $1 billion, and the breach could severely affect Sony's strategy of using cloud computing to make content available on tablets, mobile phones, and other portable devices. By contrast, Lockheed Martin, a large defense contractor, recently disclosed that it quickly discovered a massive cyber attack by hackers and that no customer data were breached.
Despite these disparate outcomes, experts agree that for virtually all organizations that maintain customer data electronically, it is not a matter of if but when a breach of sensitive customer data will occur.
Traditionally, organizations have turned to their IT department to mitigate the risk of a customer data breach, with specific measures largely based on physical and procedural controls. Concern was focused on insiders either maliciously tampering with the data or releasing it to outsiders.
Despite the elevated risk environment, many of the recommended controls are familiar: firewalls, antivirus software, data encryption, patch management, password management and intrusion detection. Others are based on housekeeping, such as removing customer data and software that are no longer being used. An emerging technology called data loss prevention software monitors all the data paths of an organization--including email, blogs, webmail and file transfer protocol servers--to detect and prevent a leakage of customer data.
Yet a layered security approach with a focus on technology, processes and people is considered to be most effective. Think of a layered protection system as an onion with its various layers, each of which must be penetrated to get to the core. A focus on processes involves areas such as employee training and adherence to industry standards for protecting customer data. A focus on people brings in the all-important human element, including the extent to which the organization has a security-aware culture.
CHANGING LEGAL AND REGULATORY ENVIRONMENT
Proving that a customer data breach has occurred and pinpointing its cause can be accomplished with the right tools. What is difficult to establish is that a plaintiff has suffered damages, an essential element for prevailing in a lawsuit. Just because a customer's data have been breached doesn't necessarily mean that the customer has suffered direct monetary damages, which may not surface until many years later, if at all.
Legal rulings and interpretations are broadening the accepted definition of damages in this area. Recent court rulings have referred to a fear of identity theft as being sufficient to proceed with a suit, and a legal concept has emerged that the time one spends monitoring his or her credit data following a breach is sufficient to constitute damages.
Meanwhile, most states now have privacy laws that require businesses operating in the state to notify customers in the event of a breach, with the details varying significantly by state. Some laws go well beyond simple notification by imposing additional requirements, such as a written security plan.
Federal involvement has been limited mainly to the healthcare and financial services industries. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, imposed privacy and security controls on customer data for the healthcare industry. Similarly, the Gramm-Leach-Bliley Act (GLBA) of 1999 imposed requirements on financial services companies with regard to the sharing and protection of customer data. The Fair and Accurate Credit Transactions Act of 2003 imposed requirements on creditors with regard to identity theft.
Recently, the federal government has increased its activity in this area. The Obama administration proposed to Congress a national standard for notifying customers of a data breach, replacing the myriad state laws that apply. Included are strict penalties for cybercriminals and incentives for close cooperation between the government and the private sector to protect the nation's critical infrastructure.
In another move, members of Congress recently sent a letter to the Securities and Exchange Commission asking it to issue guidelines for disclosing a network security breach, including details on any data that were stolen. The purpose is to clarify the responsibility of senior management of public companies for disclosing data on cyberattacks. Many companies are reluctant to disclose such information, and the amount of detail provided varies tremendously.
AN ENTERPRISE APPROACH
Given the size and complexity of the cyberrisk exposure, the high probability of a breach, and the evolving legal and regulatory environment, organizations should treat the possibility of a customer data breach as a threat that calls for an enterprisewide response. This involves taking broader action than merely implementing stringent risk controls and complying with applicable laws and regulations.
An organization should:
-- Identify customer data breach as one of its critical risks that needs to be treated through a combination of mitigation, retention and transfer.
-- Employ scenario analysis to brainstorm the worst conceivable customer data breach, project the consequences of that breach, and suggest ways the breach could have been prevented or the consequences minimized.
-- Continuously scan the environment for changes in legal interpretations, laws and regulations.
-- Ensure that all vendors identify and mitigate their risk of a customer data breach.
-- Develop incident response and business continuity plans, and keep them updated based on changes to the organization and technology.
-- Link the risk of a customer data breach to its strategy by considering the opportunities and threats posed by digital technologies that handle customer data.
-- Most importantly, ensure that the board of directors and senior managers support and are actively engaged in its cybersecurity program.
Customer data breaches are being reported with increasing frequency, and public awareness of the issue is growing exponentially. It is imperative that organizations develop such a comprehensive plan for protecting sensitive customer data and responding to any breaches that occur.
August 1, 2011
Copyright © 2011 LRP Publications