Friday, April 6, 2007

What You Need to Know about Breach Notification and Privacy Laws

Have you ever heard of California law SB 1386? Chances are good that if you do business in the United States, whether you have heard of it or not - and even if you're not in California - this law impacts you.

SB 1386 was a groundbreaking statute that first took effect July 1, 2003. You can find the actual bill here, but boiled down, it exists to protect the personal information of California residents. Personal information here means a person's name combined with an SSN, driver's license number, or an account or credit card number (together with any code needed to use it). If your business holds such data in unencrypted form and discovers that it was, or is reasonably believed to have been, acquired by an unauthorized person, you must notify each affected individual of the breach. Note the word unencrypted: data that was properly encrypted falls outside the notice requirement, which is one reason encrypting stored personal data matters beyond good hygiene.

The law also establishes provisions for civil suits by impacted residents, creating a basis for class action suits against your company should such a breach occur.

To date, well over 50 companies and institutions have been required to alert individuals of the risk of identity theft due to this law.

"So what?", you say, "I don't do business in California". Since SB 1386 took effect, 33 other states have approved similar legislation and several others are considering it - as is the Federal Government. The University of Georgia has put together some great resources, including a map of the states with approved legislation.

What are the REAL Impacts of Breach Notification Acts?
So chances are pretty good that at least one of these laws impacts your business. But what are the real impacts? Let's look at an example. A financial services firm with 3,000 clients obviously stores protected data. One day, they realize that a laptop with client records was stolen from the back seat of a car. The likely impacts of this event include:
  • Written notification to each client at a cost of approximately $3,000.
  • To try to maintain their clients' confidence, they elect to provide 1 year of credit monitoring for each of their clients (this is becoming the norm). At a cost of $50 per client, that will run them $150,000.
  • Depending on their state, they may be subject to fines reaching as high as $150,000.

So that creates the potential for over $300K of hard costs. But what about the soft costs? How many clients are going to leave because of this event? How many clients are going to file suit? If this company only lost $300K, it would be a miracle. In reality, an event like this could cripple a small company.

Now, what happens if you're a local or regional retailer? Do you know whether your point-of-sale and back-office systems record the credit card numbers that you take, and whether they store them unencrypted? You might easily hold 100,000 consumers' information. Can you imagine the cost should you be breached?

What Should You Do?
So clearly, the impacts of these laws are real and they are significant. The question then becomes, what do you need to do to protect your company?

For starters, you need to take data security seriously. This starts with security policies and procedures. For example, you probably have back-up tapes of servers and databases. What is your policy for handling and storing those tapes? Is that policy followed by your IT organization? What about password management? Do you have employees who share passwords? Or do you have systems whose administrative password is left blank? These are common issues for SMBs, and it is precisely these issues that could result in a breach of your data. Establishing a thorough set of information security policies and then training your team to follow them is a critical step in protecting your data and your company.

In addition, you need to make sure your networks, servers, workstations, desktops, mobile devices, etc. are all protected from breach and inappropriate access. If you're a mid-size company with just a handful (or fewer) of IT people, you probably don't have the security expertise needed to evaluate and implement a sufficient level of security around your technology. Bringing on a consultant to help with this process will be money well spent. However, be warned - if the consultant you hire works for a company that sells security appliances or other network devices, they may have an agenda when they walk in the door (to sell you expensive technology).

Ideally, you'll find a security consultancy that is vendor-neutral. Ask them if they resell hardware and whether the company receives any income from such sales. If they do, my advice is to keep looking. This is exactly why my company doesn't resell hardware at all. We want to be completely neutral and be able to advise our clients strictly based on what is in their best interest. I don't want this to be a commercial about Pervasive Solutions - I just want to underscore that if you bring in a hardware reseller to audit your security, don't be surprised when their recommendations come back with six figures worth of equipment that is "mandatory".

Admittedly, this is a really high-level glance at this subject. The implications of the various Breach Notification Acts and Privacy Laws vary by state. But in the end, the message is clear - if you have a breach, you must notify the people whose data was exposed, and in practice that notification becomes public. Regardless of the hows and the direct costs, that type of disclosure can have such a detrimental impact on customer confidence that you really need to do everything you can to protect yourself. Get serious about security NOW.

If you have questions or would like my help, please feel free to give me a call or shoot me an email. I look forward to hearing from you.

Josh
