Data Breach
What would you do if an employee called and said something like: "I lost the backup of our data," "The drive containing some of our data was stolen," or "I left it somewhere the data could have been acquired by an unauthorized person"? All of those scenarios are data breaches. A data breach will test your sanity, your knowledge of the protections you have in place and your clients' confidence.
Many of us are familiar with the disclosure of a data breach: we have heard on the news about a major company suffering one, received a personal letter (or been notified in another approved manner) that our data might have been accessed or stolen, or talked with a friend about the circumstances of a breach. The laws that require disclosure of a data breach, however, are rarely discussed in detail. Don't worry, I am going to avoid delving into the abyss of interpretation, perspective and the potential hazards of telling you the law's deepest meanings. I am, however, going to encourage you to take a different look at the technology you use and your security practices around it, and to learn more about the laws that govern your business's data.
Nevada Revised Statute (NRS) 603A.220, Disclosure of breach of security of system data; methods of disclosure (http://www.leg.state.nv.us/nrs/NRS-603A.html#NRS603ASec220), seems to be a straightforward read as a guideline for what to do after a data breach. There are two terms and a thought that I'd like to focus on. The two terms are both defined within the Nevada Revised Statutes; combining them with NRS 603A.220 Section 2 makes my mind reel.
• NRS 603A.030 "Data Collector" defined. "Data collector" means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.
• NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
1. Social security number.
2. Driver's license number or identification card number.
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.
*The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
Okay, now that we have context for some of my reeling thoughts:
• Personal information mentions "when the name and data elements are not encrypted". So if my information is encrypted, I don't have to report a data breach? That wouldn't make sense to me: give a hacker (or anyone who knows what they're doing with technology) an encrypted file and enough time (minutes to years), and the encryption can be broken and the information accessed.
• Personal information also mentions account number in a very general manner. Does this mean that a business that uses company names as account numbers, with no passcode needed to use the account, would have a data breach even if the data contained only general information (such as a client list of business names, business addresses and phone numbers) that could be retrieved from spokeo.com, a phone book or a general web search?
• NRS 603A.220 Disclosure of breach of security of system data; methods of disclosure, section 2 ends with, "or is reasonably believed to have been, acquired by an unauthorized person." Here are a couple of thoughts that jumped out at me:
o I'm responsible for taking the daily backup off site to my house so that the data is safe from, say, a fire. The backup goes into a drawer in my home office until the next morning. Let's say I have a dinner party, or I go out and the kids decide to have a party. Unless I know I'm the only person with access to the data, couldn't the data be acquired, duplicated and put back? Typed out, that certainly sounds James Bondish, but it is certainly possible.
o What about spouses, significant others, children and other family members; are they unauthorized persons? Is it a data breach if they are in possession of a device for the brief time until they see you again? I can see this being argued both ways.
o A more common scenario is the actual theft or loss of a company device (laptop, USB drive, backup drive, mobile device...).
Now that we've explored the ambiguity of what counts as a data breach, what about the disclosure portion? Disclosure is to be immediate unless there is an active investigation, in which case notification is made immediately after the investigation is complete or once it is determined that notification won't compromise the investigation. Notification can be made through written or electronic means unless you qualify for the substitute notification option. There is also a specific requirement to notify any consumer reporting agency, without unreasonable delay, if the data collector determines that notification is required for more than 1,000 persons at any one time.
Let's remember that we live in a society that allows people to sue over spilling hot coffee on themselves. When it comes to the safety of your data and your sanity, a few catch phrases come to mind:
• An ounce of prevention is worth a pound of cure
• Be prepared
• Hope for the best. Expect the worst.
Ultimately, whether a data breach must be disclosed is determined by a risk analysis of your data and your security practices, or by finding yourself in the position of having had one. If you have to disclose a data breach to your clients, will you:
• have confidence in the rest of your security measures?
• be able to convey confidence when you tell them?
• rest easier knowing that you are educated about different security practices and options?
• or make the choice now to get a step ahead: review all of your current data security practices, play devil's advocate and look for the pitfalls and vulnerabilities. Look for alternatives when you find those vulnerabilities and make the appropriate changes now, so that down the road you don't find yourself having to disclose a breach of your data and attempting to restore your clients' faith in the information they've put in your hands.
As a final note, keep in mind we only mentioned three of the Nevada Revised Statutes and there are many more regulations; be proactive.
1 Comment
…Data breaches are so common that more than 167 breaches were reported during the first three months of 2008. So what do you do if you learn that a company storing your personal information falls victim to a data breach?