Danger Zone - Privacy of Client Data

Background What do the above companies along with hundreds of others have in common? When it comes to their technology, there are at least three things. First, they all have or at least profess to have the finest I.T. (information technology) systems available. Second, they purport to have the brightest and finest I.T. technicians available maintaining their I.T. systems to ensure they are adequately protected from outside intrusion. Finally, all of them have experienced unauthorized access to their data and the release of private information of their employees, clients, and customers. The Issue Should unauthorized access and information releases be of concern to PEOs? Clearly the answer is yes! PEOs maintain the personal information of their corporate employees, worksite employees, and warehouse in their databases the information of previous employees, all of which can number from hundreds to millions of records. Yet when the question of unauthorized access to data is posed to PEO owners and officers, the response is often “we have a great computer system and our I.T. technicians have assured me that there is no chance of our data being accessed”. Sound familiar? While there are exceptions, generally Fortune 1000 companies have the most recent advances in I.T. tools and technicians at their disposal. Yet, as previously noted, unauthorized access to their data still occurs. No firm in today’s world, PEOs included, can safely assume that unauthorized access to their data is not possible. Those who believe otherwise are most likely accepting substantial risk. According to the Identity Theft Resource Center, through May of 2009 over 12,000,000 records containing personal information have been compromised. The Ponemon Institute, a privacy management research firm, indicates that data breaches cost on average over $197 per personal record compromised. The legal notification requirements of a breach, or even suspected breach, cost $10 to $12 per individual record with the balance being applied to individual credit monitoring services to prevent I.D. theft as well as actual individual I.D. theft resolution expenses. In 2007, a PEO experienced a breach that resulted in the loss of records of 159,000 former and current worksite and corporate employees. Using the numbers previously cited, a conservative loss cost of this incident was over $1,500,000 not to mention the individual prevention and restoration costs. Loss Drivers There are three primary areas of data compromise. These are a) unauthorized access to data, b) lost or stolen information, and c) the acts of dishonest employees. We will explore each in more detail. Unauthorized access to private information through a company’s I.T. system is the most common method of data compromise. Companies that maintain private information on individuals and businesses are obligated to safeguard this information utilizing the most current technology applications and methods available. Many states have enacted laws requiring this private information be encrypted. It is incumbent upon the owners of companies to be sure that this is the case, typically through their I.T. technicians. It is an ongoing evolving process that continually attempts to safeguard the data from unauthorized access. Loss of Information. The second area of data breaches occurs due to the loss of information. Theft and/or loss of laptop and notebook computers is the leading cause of compromise. This is how the previously cited PEO in 2007 lost the personal records of 159,000 current and former employees. According to the Ponemon Institute, over 12,000 laptop and notebook computers are lost in U.S. airports every week. Only 33% of these lost machines are ever reclaimed by the owners. As a result, over 400,000 machines are sold at airport auctions annually, intact with all the information in place when they were lost. These numbers do not include machines lost and stolen in other places. According to employee surveys, over 58% of business laptops and notebooks contain private information of employees and clients on their hard drive. In order to eliminate this risk, PEOs should not allow corporate data to be kept on the laptop/notebook’s local hard drive. Remote data access should be through a secure private network or virtual private network via an internet connection with the data encrypted. Further, rules should be in place that forbids the transferring of corporate data to portable drives. Again, remote access should be granted only through secure networks. Additional losses of data have occurred due to server theft, lost backup tapes, lost data tapes, and lost shipments containing data. Employee Actions. Employees are the third largest source of unauthorized data releases. These releases can occur both through the I.T. system as well as through physical records. They can occur due to lax attitudes toward security as well as through dishonest acts. A recent study by the Ponemon Institute found that employees are increasingly becoming more lax in their compliance with corporate data security. Consider the following survey responses: ,[object Object]

43% have lost data bearing devices

21% have turned off their mobile devices security tools

Danger Zone - Privacy of Client Data

Recomendados

Recomendados

Mais conteúdo relacionado

Último

Último (20)

Destaque

Destaque (20)

Danger Zone - Privacy of Client Data