Data security is becoming increasingly important as companies put more of their business and data online, and as more employees are working remotely. Taking protective steps – focusing on technology and people – should be front and center. Below are two scenarios, loosely based on real cases (some details have been changed to protect the embarrassed), that illustrate this point.
A retailer wanted to use its website to sell its products on the internet. The company hired an outside vendor to develop, program and publish the website. The website was hosted on the company’s computer server, which also housed the company’s internal functions.
Problem – A hacker was able to obtain administrator password access to the website through a hole in the website’s security. The hacker then set up a program to steal credit card information that was entered on the website during the order process. Stolen information included the purchaser’s name, billing address, card number, card expiration, and CVV/security code.
Result – Although the number of impacted transactions was smaller than in breaches that make the news, the data breach impacted people in, and therefore was governed by the laws of, all 50 states and certain U.S. Territories. As a result, the company was required to notify all of the impacted customers, notify certain state Attorneys General, purchase fraud monitoring for affected customers, and prepare its customer service staff for the myriad calls that would be received. Further, due to the loss of credit card information, the company was required to conduct an extensive forensic examination of its system, implement numerous changes and updates, and was at risk of a fine due to the breach. The ultimate cost to the client exceeded $200,000.
What could have been done? – There were multiple technology-related failures. The hole in the website’s security was something that could have been patched before the hack ever occurred through an already released update – the company, however, did not get around to installing the update as recommended. More importantly, the entire issue could have been reduced, if not avoided, by using a secure portal to redirect the customer to the credit card processor to enter credit card information. If this process had been utilized, the company’s website would never have had any credit card information.
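As an added illustration of the remedy just described (example code, not from the article or the companies involved), here is a checkout handler that refuses to accept card data at all and instead hands the shopper off to the processor's hosted payment page; the processor URL, form field names and sample inputs are assumptions constructed for the example.

```python
import re

# Assumed hosted-payment page of the card processor (placeholder, not a real URL).
PROCESSOR_HOSTED_PAGE = "https://payments.example-processor.test/checkout"
# Assumed form field names that must never reach the merchant's own server.
FORBIDDEN_FIELDS = {"card_number", "cvv", "card_expiry"}
# 13-19 digits, optionally separated by spaces or dashes, as a PAN would be typed.
DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if any digit run in value has PAN length and passes Luhn."""
    for m in DIGIT_RUN.finditer(value):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def handle_checkout(form: dict) -> dict:
    """Reject any submission carrying card data; otherwise redirect to the processor.

    Because the merchant site never accepts the card fields, a compromise of
    the site (as in the scenario above) yields no card data to steal.
    """
    offending = sorted(
        k for k, v in form.items()
        if k in FORBIDDEN_FIELDS or looks_like_pan(str(v))
    )
    if offending:
        return {"status": 400, "error": "card data must not be sent to this site",
                "fields": offending}
    order_id = form.get("order_id", "")
    return {"status": 303, "location": f"{PROCESSOR_HOSTED_PAGE}?order={order_id}"}
```

The free-text scan (`looks_like_pan`) also catches a shopper pasting a card number into a notes field, which a simple field-name blocklist would miss.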
Further risks – The problem could have been worse. Because the website was located on the same server as the company’s internal functions without any significant barrier between the two, the hacker could have used the website access to infiltrate the company’s own systems.
A large entity that handled personal information, including personal health information, was very concerned about data security. As a result, it had created a system under which employees were to use only the encrypted work email to transfer and discuss anything involving personal health information of third parties, and not use personal email for such tasks. The company further created a secure virtual private network (VPN) for employees to log in remotely to be able to transfer and discuss health information. That system required significant authentication, which was a bit cumbersome and took longer to log in through. The company took additional steps to make sure its software and security were always up to date.
Problem – One employee, who worked from home, had to deal with personal health information every day. He felt, however, that the process to access the company server remotely was too cumbersome. He therefore asked another employee to send him an email every day containing the information he would need for the next day. He asked that the information be sent to his personal email.
Result – The individual’s personal email was hacked, and the hackers changed his password, reset his security questions, changed his two-factor authentication method, and locked him out. At that point the hackers had all of the information that was stored in his personal email account. This resulted in a significant data breach of personal health information, and the company had to investigate to determine the type and amount of data potentially lost (the individual rarely, if ever, deleted any emails), notify the Department of Health and Human Services, and notify all of the potentially impacted individuals. The company also faced significant penalties, fines and potential legal liability.
What could have been done? – The company did everything it could, technologically, to protect the data. But it failed in two respects when it came to its personnel. First, it failed to properly train its employees (especially the individual who requested the information be sent to him and the person who complied with the request) about the importance of the policy to use only the company’s own system. Second, it failed to create a system that worked well with how its employees worked, causing the individual to find a way around the system. Creating policies that complement your company culture and that work with how employees normally work makes it easier for employees to comply.
There is never a bad time to take a hard look at your company’s data security, the technological protections you have in place, additional technology that can be beneficial, the policies you have in place, and how well your employees know and comply with those policies. By reviewing these items, you can help protect your business from becoming the next victim.
Peter T. Berk is a partner with the law firm of Funkhouser, Vegosen, Liebman & Dunn – FVLD. FVLD is a nationally known and respected Chicago-based, full-service law firm with a broad corporate and litigation practice. FVLD, which just celebrated its 40th anniversary, provides comprehensive and personalized legal services to clients ranging from local entrepreneurs to globalized entities worth billions of dollars in a wide array of industries. Its attorneys strive to deliver superior accessibility, vision, and expertise, with a core group that has collaborated for decades, pooling their skill and experience to better foresee and flexibly address the entire spectrum of challenges its clients face across the globe.
Peter has extensive experience in cyberlaw, technology and data privacy issues. In his practice, Peter helps clients plan for, prepare for, and (hopefully) prevent problems that can arise with data privacy and security issues. He has drafted and audited internal and external policies, negotiated contracts that involved data transfer and security both within the United States and internationally, and been involved in data breach investigations and responses. Peter prides himself on providing solutions that actually work with the culture, workflow and processes for each client so that there is better adoption of best practices.