They go by many names – data leaks, data breaches, identity theft, cyber attacks – and there are just as many security measures IT professionals can put in place to protect their customers' data and the financial stability of their business. But there's no need to be overwhelmed: by understanding the answers to these three basic questions about data leaks, you can give your IT business a sturdy, dependable security base that greatly reduces your Cyber Liability risks.
- How do I respond to a data breach?
- What is the best password strategy?
- Does encrypted data really protect you?
Question 1: How Do I Respond to a Data Breach?
Data breaches have many triggers: hacker actions that target your business, employee errors, stolen or lost laptops and storage devices, and a variety of other causes. Depending on the type of data involved, you have different legal responsibilities:
- Private Information. State laws officially define what counts as "private information," but generally speaking this category includes names, addresses, financial information, DOBs, SSNs, and other personal data. State data breach laws determine how quickly you need to contact users, when you can be liable, and what other responsibilities you have after a breach. (Want an idea of what you’ll have to do when you’re hit with a data breach? Check out the blog post, “What’s Your Data Breach Notification Plan?”)
- Medical records. Protected Health Information (PHI) includes any medical or billing information. These records are protected by the HIPAA and HITECH laws, which carry fines that can exceed $1 million for a data breach. Read more about hospital data breaches and other medical data theft in "HITECH: The Strictest Data Protection Law."
After you comply with applicable laws, you'll have to shore up your defenses and prevent further identity theft. Fixing the security vulnerability should be your top priority: contain the incident, revoke any credentials that were exposed, and preserve logs for the investigation before you rebuild. After that, consider paying for credit monitoring services for affected customers, whether or not state law requires you to do so. If you have Cyber Liability Insurance, contact your agent immediately; the policy can help with the direct and indirect costs of managing a data breach.
Question 2: What is the Best Password Strategy?
A study at Carnegie Mellon University looked at 25,000 user accounts at the university and came to a striking conclusion: 60% of accounts at the business school had passwords that were "guessable." Members of the computer science department had the best passwords, but even so, almost 40% of their passwords could be cracked with the researchers' algorithm.
This research tells us a few things. First, IT professionals are better at choosing strong passwords than businesspeople. You can pat yourself on the back for that. Second, people in general are bad at choosing passwords, computer science professors included. This is troubling for IT professionals who go to great lengths to secure a client's network, only to have it breached because of one weak password.
Carnegie Mellon has also published a helpful resource on how to choose passwords that are difficult to crack but not impossible to remember.
Users often overlook the importance of unique passwords. After hackers stole millions of user records from Adobe, other major tech firms took notice and alerted their users about the importance of maintaining strong, unique passwords. Facebook and Diapers.com have already warned users that their accounts may be at risk if they used the same password there as for their Adobe accounts. When employees reuse a password across several services, your network can be compromised by an attack on a service you don't control: the attacker simply replays the leaked credentials against your systems.
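The two failure modes above, guessable passwords and passwords already exposed by someone else's breach, are things a signup form or password-policy checker can test for. The following is an added example written for this post; it is not the Carnegie Mellon researchers' algorithm and not code from Adobe, Facebook, or Diapers.com. The "breach corpus" and the tiny dictionary are constructed for the demo; the lookup mimics the k-anonymity pattern (send a 5-character hash prefix, compare suffixes locally) that breached-password range services use, so a real deployment would replace the local set with that query or an offline dump.

```python
"""Screen a candidate password for guessability and prior exposure.

Added example for this post (not the CMU study's algorithm). The breach
corpus and dictionary below are constructed stand-ins for real data.
"""
import hashlib
import re

# Constructed "breach corpus": SHA-1 hashes of passwords assumed to have
# leaked in an unrelated incident elsewhere.
_LEAKED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "adobe123"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in _LEAKED_PLAINTEXT}

# Tiny dictionary standing in for a real cracking wordlist (constructed).
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "football"}


def hash_prefix_lookup(password: str, corpus=LEAKED_SHA1) -> bool:
    """k-anonymity style check: only the first 5 hex chars of the SHA-1
    would be sent to a range service; the suffix comparison stays local,
    so the full hash of the candidate never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # The server would return every suffix under this prefix; here we
    # filter the constructed corpus the same way.
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def guessability_reasons(password: str) -> list[str]:
    """Heuristics for 'guessable' passwords: short, a dictionary word with
    trivial decoration, one character class, or a repeated pattern."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    # "Summer2024!" -> "summer": strip the decoration and look it up.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY:
        reasons.append("dictionary word with digits/symbols appended")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 2:
        reasons.append("single character class")
    if re.fullmatch(r"(.)\1+", password) or re.fullmatch(r"(..+?)\1+", password):
        reasons.append("repeated pattern")
    return reasons


def evaluate_password(password: str) -> dict:
    """Verdict a signup handler or policy checker can act on."""
    reasons = guessability_reasons(password)
    if hash_prefix_lookup(password):
        reasons.append("found in breach corpus; reused credentials get replayed")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for pw in ["adobe123", "Summer2024!", "correct horse battery staple"]:
        print(pw, evaluate_password(pw))
```

The breach check is the piece that addresses reuse: a password that is strong by every local heuristic is still a liability once it has appeared in someone else's dump, because attackers replay such lists against every site they can reach.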
Question 3: Encrypted Data – Does it Really Protect You?
Does it matter if data is encrypted? Yes. Encryption makes it much harder for hackers to use private data they get hold of: they may steal the encrypted data, but without the key they should not be able to read it.
Encryption can also prevent you from having to notify customers after a data breach. Some state laws don't require notification if the lost data is encrypted and you can reasonably assume hackers won't be able to read it. However, even if the data is encrypted, cautious IT administrators may still want to contact users in order to avoid a lawsuit later on.
While encryption is good, it is not a perfect defense. Encrypted data is only as safe as the key and the implementation around it: a weak algorithm, poor key management, or a key stolen alongside the data undoes the protection, and attackers and security researchers have repeatedly shown how encrypted files fall when any of those are wrong. To make matters worse, unencrypted information stored next to the encrypted data can give hackers clues to what it contains.
For instance, Adobe did not encrypt the files that held users' password "hints," and some users simply wrote their password in the hint or gave a hint that made the password easy to guess.
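Two controls follow from that example, shown here as an added example written for this post rather than Adobe's code or a description of Adobe's system: first, a plaintext field next to a protected one should be checked so it cannot reveal the protected value (reject a hint that contains the password or recognisable pieces of it); second, for passwords specifically, storing a salted, slow hash instead of anything reversible means a stolen table still has to be brute-forced one entry at a time even if the server's keys are taken with it. The PBKDF2 iteration count is an assumption to be tuned to your own hardware.

```python
"""Hint-leak check and non-reversible password storage.

Added example for this post, not Adobe's code. Demonstrates (1) rejecting
hints that reveal the password and (2) storing a salted PBKDF2 verifier.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 100_000  # assumption: raise to your hardware budget
SALT_LEN = 16


def make_verifier(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest. Unlike a
    reversibly encrypted password, a stolen verifier yields no plaintext
    without a per-entry brute-force attack."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt + digest


def check_password(password: str, verifier: bytes) -> bool:
    salt, digest = verifier[:SALT_LEN], verifier[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def _normalize(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def hint_leaks_password(password: str, hint: str, min_shared: int = 4) -> bool:
    """True if the hint contains the password, a word-like or year-like
    piece of it (e.g. hint 'my dog rex' for password 'Rex2011'), or any
    run of `min_shared` characters shared with it."""
    p, h = _normalize(password), _normalize(hint)
    if not p or not h:
        return False
    if p in h:
        return True
    for token in re.findall(r"[a-z]{3,}|\d{4,}", p):
        if token in h:
            return True
    return any(p[i:i + min_shared] in h
               for i in range(len(p) - min_shared + 1))


def register(password: str, hint: str) -> dict:
    """What a signup handler would persist: the verifier, plus the hint
    only if it passed the leak check. The hint is still stored in clear,
    so the check is what keeps it from undoing the protection."""
    if hint_leaks_password(password, hint):
        raise ValueError("hint reveals the password; choose another")
    return {"verifier": make_verifier(password), "hint": hint}


if __name__ == "__main__":
    rec = register("correct horse battery staple", "the comic")
    print(check_password("correct horse battery staple", rec["verifier"]))
    print(hint_leaks_password("hunter2", "it's hunter2"))
```

The hint check errs on the side of rejecting: a shared four-character run such as a pet's name or a year is enough to fail it, which is the right trade-off for a field the attacker will read in plaintext.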
The Takeaway: Manage Data Risks
Whether you're an IT professional working with medical data or a consultant who handles online marketplace transactions, you need to know the risks associated with processing, storing, and securing data.