Enterprises have expanded their data collection measures dramatically in recent years, thanks in large part to the growing use of online services, mobile applications and the Internet of Things. Experts involved in a series of "town hall" events honoring Data Privacy Day 2014 said that companies -- to their own detriment -- aren't doing enough to either protect the data they collect, or to plan for the inevitable day when their data will be breached.
Data Privacy Day, originally adopted by Congress in 2009 and recognized every year on January 28th, was created to promote collaboration among government, industry, education and non-profit organizations to improve data privacy and security.
For the fourth year running, the Online Trust Alliance (OTA), a non-profit group that works to enhance Internet users' ability to protect their security, privacy and identity, is marking Data Privacy Day with a series of events in New York City, San Francisco and Seattle. It has also produced an accompanying resource document to help organizations develop, implement and update corporate data protection and privacy policies.
Craig Spiezle, founder and president of the OTA, said that despite a number of high-profile data breach incidents in the past year, for many companies data protection is still a struggle. He said protecting data starts with the basics: The OTA found in a recent analysis of nearly 500 breaches that 89% were due to a lack of rudimentary security controls and best practices. Though that number seems staggeringly high, Spiezle called the statistic "conservative" in comparison to the Verizon 2013 Data Breach Investigations Report, in which the company found that 97% of breach incidents could have been avoided with reasonable security controls.
Among the biggest missteps that are often made in data protection, he pointed to a lack of encryption, unchecked user account access and poor patch management, issues that have been problematic in enterprises for years. Even with basic measures in place, Spiezle said he wants attendees at the OTA's town hall events to come away with a blunt message.
"They will experience a breach incident. … Companies need to be part of the discussion and recognize that they are stewards of consumers' data and move from a compliance mindset to being more proactive, realizing they hold sensitive data," Spiezle said. "And if they're not, they're really not meeting their obligations to their customers or their stockholders."
Tim Rohrbaugh, chief information security officer of Chantilly, Va.-based Intersections Inc. and a moderator at today's OTA event in New York, added that the first shortcoming for many businesses dealing with data protection and privacy is what he called a "state of denial."
"I think what the town halls are there to say is that it can happen to you," Rohrbaugh said. "And usually this crime comes from opportunity, not necessarily [attackers] targeting you directly."
Defining sensitive data
As an example, Spiezle pointed to the recent expansion of California's SB-46 breach notification law that added email addresses, online user names and other previously innocuous online data to the list of personal information subject to data breach notification regulations. There are 46 U.S. states that maintain unique laws on the same subject, providing many different interpretations of what constitutes sensitive data.
Rohrbaugh suggested that companies can't rely on regulatory guidance alone to classify data. He pointed to the 2011 Sony PlayStation Network breach, which included millions of customers' email addresses, as an example of how organizations must be proactive in addressing data privacy and security. At the time of Sony's breach, the exposure of email addresses likely wasn't a violation of California's SB-46 as it would be now, but the incident still dealt a serious, costly blow to the Japanese electronics giant's business and reputation among customers.
Instead of running that risk, Rohrbaugh said companies should be more cautious about the data they collect from consumers. Start by asking whether collecting certain types of data provides any real value to the business, he said, and if the cost of protecting data outweighs the gains from collecting it, simply don't ask consumers to provide that info. Rohrbaugh also warned companies to consider the shifting view that consumers hold of their personal information: a customer who might not consider some types of data personal today may change their mind later.
"If you go by regulations, you are setting yourself up for a reputational damage incident … a situation where you're going to be out of line with public perception because the data that was being collected 10 years ago has grown drastically," Rohrbaugh said. "Data that seemed obscure just a few years ago is being monetized by criminals today."
Implementing proper data classification methods is indeed a major hurdle for numerous organizations, but there are many more considerations to make when implementing a data protection policy. Organizations also need to determine the key staff members involved in such a plan, constantly re-evaluate the business environment in which the organization operates, and ensure that security best practices, such as the use of SSL encryption for data collection, are in place. The plan must then be tested against real-world situations.
Updating, testing policies
"It's a big effort and everyone high-fives, and then it gets put on the credenza in the executive's office hoping no one has to touch it," Spiezle said. At a minimum, he said companies should revisit the breach response section of their plans quarterly.
Of course, a major aspect of updating a data breach response plan is preparing for the day when it needs to be deployed. Rohrbaugh advised enterprises to put their incident response processes through their paces on a daily basis. For every suspected security incident, the staff members tasked with handling a breach should be informed, the team should come together and research and remediate the incident, and then do a post-mortem on the process once it's completed.
Spiezle emphasized that companies can have the "basic components" of a data breach response plan in place well in advance of an incident, and then apply minor updates for specific circumstances. For example, he estimated 90% of a webpage detailing a breach can be concocted ahead of time, as well as instructions for the call center representatives tasked with handling customers' phone inquiries.
"An incident response plan is just like having sprinklers in an office building. You don't want to ever have to use those sprinklers," Spiezle said, "but you sure want to know they'll work and put the fire out when that happens."