Experts advise businesses to protect against potential data breaches
Brigham, the former chairman of Impairment Resources, has had about six months to consider the plight of what used to be a thriving business in the workers' comp system. It all came to a screeching halt after the New Year's Eve break-in at the company's California offices.
"The cost of dealing with the breach was prohibitive," the company said in its bankruptcy filing two months later. "I was really struck by the fact that, in a few minutes, a criminal act can change the destiny of an organization," Brigham said of the scope of the fallout.
Data at risk. The cost of a large data breach can run to hundreds of millions of dollars, especially when medical information is involved. "It's an issue that, throughout the claims arena, we need to be cognizant of," Brigham said. "In terms of medical records and other client records, we need to consider all the potential ways people could have access to that and what the consequences would be."
Like many business owners, Brigham believed his company had taken appropriate steps to safeguard data. As he and many others have found out, the points of vulnerability are not necessarily obvious.
"We are aware acutely of problems with theft through the Internet," Brigham said. "However, do we also consider more traditional ways; if somebody came into the office and stole a computer or backup drives, would one be protected? Is everything encrypted?"
Those more traditional ways increasingly concern IT experts, especially as more companies adopt the bring-your-own-device (BYOD) model. Allowing employees to use their own phones, laptops, and tablets for business saves employers money, but it causes sleepless nights for IT professionals.
Companies can enforce a baseline of encryption and access control on the devices they issue. That control disappears when client email accounts and other information are stored on employees' personal devices.
"A lot of security risks people talk about are all related to network threats -- unsecured wireless or hacking through firewalls," said Robert Wilson, CEO of workerscompensation.com. "In reality, the danger really lies in thumb drives or laptops misplaced in airports."
Data loss is easier than many employers might think. For example, several computer storage devices containing personal information on more than 800,000 people in the California child support system were believed lost in transit several months ago on the way from Sacramento to an IBM facility in Boulder, Colo.
"It could happen to most companies out there, and they just don't think about it," Wilson said. "Suddenly, you have a $280 million liability."
The companies most at risk, Wilson says, are entities that handle claimant and personal data, such as medical and legal providers, and the companies that support them by sharing and managing that data. "I don't think companies appreciate the risk," he said. "What happened to Impairment Resources is a wake-up call. ... It needs to get everyone's attention that it could expose you."
As Wilson sees it, employers should ask themselves what would happen if their hard drives were stolen. "If the answer is a potential loss, you need to look at securing it."
Solutions. "If you are managing information that is vulnerable to identity theft, make sure the building is secure," Wilson said. "Make sure [the information] is encrypted and only certain people can get to it."
In addition to building security where sensitive data is housed, IT experts advise a variety of actions to protect data from breaches. Some include:
- Avoid placing computers against an exterior wall.
- Do background checks on vendors who may come in contact with sensitive information.
- Develop policies and procedures for employees, whether they use their own or company devices.
For example, a policy could stipulate that a user may read email on a phone but may not hold data or files relating to specific customers on it without following specific encryption procedures. Once employees are used to the policies, the same rules can be applied to every type of media and every type of system.
Some experts suggest using a data encryption program such as PGP. PGP (Pretty Good Privacy) was created in 1991 and is now widely regarded as a standard for signing, encrypting, and decrypting text, email, and files.
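The question Brigham raises above, whether a stolen computer or backup drive would be protected, comes down to whether the data on it is encrypted at rest. The script below is an added example, not code from the article or from Impairment Resources: it uses GnuPG (the common open-source PGP implementation) in symmetric, passphrase-based mode to encrypt a file standing in for a claims export, deletes the plaintext, and checks that the ciphertext does not contain the record in the clear. It assumes `gpg` (GnuPG 2.1 or later) is on the PATH; the file names, the passphrase, and the sample record are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article: encrypt a claims export at rest
# with GnuPG's symmetric (passphrase) mode so a stolen backup drive holds only
# ciphertext. Assumes gpg (GnuPG 2.1 or later) is on PATH; the file names,
# the passphrase and the sample record are constructed for the demo.
set -eu

# Throwaway keyring directory so the demo never touches a real ~/.gnupg.
WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupghome"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

PLAIN="$WORK/claims-export.csv"
CIPHER="$PLAIN.gpg"
PASS_FILE="$WORK/passphrase"
SAMPLE='claim_id,claimant,ssn_last4,diagnosis
1001,J. Doe,1234,lumbar strain'

# Constructed sample data and a fixed demo passphrase (in production the
# passphrase comes from a vault or key-management system, never from a file
# stored beside the backup).
printf '%s\n' "$SAMPLE" > "$PLAIN"
printf '%s\n' 'correct horse battery staple' > "$PASS_FILE"
chmod 600 "$PASS_FILE"

# encrypt_at_rest FILE PASSFILE: writes FILE.gpg and deletes the plaintext,
# so only ciphertext remains on disk.
encrypt_at_rest() {
  gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-file "$2" \
      --symmetric --cipher-algo AES256 \
      --output "$1.gpg" "$1"
  rm -f "$1"
}

# decrypt_at_rest FILE.gpg PASSFILE: prints the recovered plaintext.
decrypt_at_rest() {
  gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-file "$2" --decrypt "$1"
}

# leaks_plaintext FILE STRING: succeeds if STRING appears verbatim in FILE.
# Used to confirm that the ciphertext does not expose the record.
leaks_plaintext() {
  grep -q -F -- "$2" "$1"
}

encrypt_at_rest "$PLAIN" "$PASS_FILE"
if leaks_plaintext "$CIPHER" 'J. Doe'; then
  echo "plaintext visible in $CIPHER" >&2
  exit 1
fi
echo "encrypted: $CIPHER ($(wc -c < "$CIPHER") bytes, plaintext removed)"
```

Two caveats a practitioner would add: the passphrase (or private key) must never travel with the backup, or the encryption is defeated the moment the drive is stolen; and for laptops that hold client data, full-disk encryption is the usual complement, because per-file encryption does not protect caches, temporary files, or the mail client's local store.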
Brigham hopes employers will take these and other IT suggestions to heart. "It appears we have created a heightened sensitivity to the field of the need for even more diligent security procedures beyond usual standards," he said. "So perhaps our misfortune will benefit others."
October 8, 2012
Copyright © 2012 LRP Publications