Are You Breaking the Law? Know How to Handle Sensitive Information
Four years ago, hackers gained access to the credit or debit card numbers of more than 45 million individuals by breaking into the network of TJX, the parent company of clothing retailer TJ Maxx. It was just one in a string of such hacks.
This past April, hackers gained sensitive user information from users of Sony’s Playstation network, forcing the company to shut the network down for days. Our sister site SecurityNewsDaily has logged more than two dozen serious hacks at large corporations, prominent web sites and governments already this year. [Cybercrime Blotter: High-Profile Hacks of 2011]
These high-profile data breaches have made securing sensitive client information a higher priority than ever for IT professionals.
But recognizing the threat hackers pose is the easy part. The tough part is convincing a company’s leadership that adequate data security measures are worth the large investment — of money, time and energy — that their implementation requires.
“It’s tough to tackle because it’s a lot of mundane work,” said IT consultant Mike Meikle, who heads the Richmond, Va.-based Hawkthorne Group. “It’s all policies that have to be written and approved,” he said. These include policies regarding passwords, information security training and restricting network access.
“There’s a lot of hard, human effort that has to go into it, and that’s hard to sell to senior management,” Meikle said.
Part of this human effort is sifting through data security laws that, though complex, often require only basic data security measures. Organizations that merely meet the requirements set forth by these laws — including HIPAA for the healthcare industry and certain provisions of Sarbanes-Oxley for the financial industry — are still vulnerable to breaches of data security, experts say.
Ben Wright, an attorney who teaches courses for IT professionals on handling sensitive information, said his students mistakenly assume data security laws offer proper guidance on the subject they regulate.
“The reality is that the law is very confused and inadequate on topics of what to secure and how to secure it,” Wright said, adding that this makes it difficult for companies to be sure they comply with these laws.
Ensuring compliance often requires cooperation among multiple company departments. This, said New York-based attorney Kenneth Rashbaum, is a reality too few IT professionals take to heart.
“One of the biggest misconceptions among IT personnel,” Rashbaum said, “is that they can steward sensitive information without input from the legal, compliance and risk management personnel.”
Above (and beyond) the law
Making matters more complex are the differences in data security laws from country to country. Rashbaum said some countries have data protection laws that restrict the transfer of information without the consent of the person to whom the information belongs. “A number of countries prosecute,” he said, “and a violation of these laws can result in rather adverse publicity in the countries in which the data were created or are located.”
While some countries’ data laws are comprehensive, others were designed with basic procedures in mind. “A lot of times,” he said, “these laws were created specifically to force organizations to do the standard housekeeping and best practices they should have been doing anyway.”
This creates a challenge for IT professionals. They must convince their companies’ leaders not only to comply with data security laws — hopefully an easy case to make — but to argue for more extensive protection than that which the laws require. Building an infrastructure that offers this protection level can take staff time from many company departments and a lot of money.
In making this case, Meikle said, IT professionals should emphasize the bottom line. “You would go to senior management,” he said, “and say, ‘Let’s look at this as a business problem.’”
The key, he said, is to mention that the cost of addressing a disastrous data security breach — paying government penalties, rebuilding an information infrastructure and losing customer confidence — makes the cost of ensuring data security seem like a bargain.
“IT executives really need to start speaking the language of business,” Meikle said.