Have you ever read a news article and thought: “You must be kidding me! How is this news?” That was my exact reaction when reading a recent article about the ruling that employers in Pennsylvania are “legally responsible for protecting workers’ sensitive data.” My hope is that you’re having a similar reaction as I did.
Of course, employers are responsible for protecting their employees’ data. It’s an inferred duty as soon as the employer begins accepting that data as part of normal business processes. Convenient or not, it’s part of being a good data steward. And, it’s something that every employee expects will occur when he/she provides personal information to an employer upon hire.
Jump back to your elementary-school years. If a friend told you a secret in confidence, and you blabbed the secret to the whole school, you no doubt lost that friend’s trust (and likely had some relationship repairing to do). At the most basic level, you weren’t a good steward of the data entrusted to you by your friend. This anecdote is clearly an oversimplification of the situation at hand, but it highlights what’s going on in this ruling.
The short version of the story is that the University of Pittsburgh Medical Center had the data of 62,000 employees stolen. The information in question? “…birth dates, addresses, and social security numbers…” The fallout? “…numerous false tax returns were filed [on behalf of the affected employees], and many of the employees were unable to collect their tax refunds.” The employees filed a class-action lawsuit against the hospital.
Unsurprisingly, the Pennsylvania Supreme Court ruled the hospital was responsible for protecting the information in question and that “companies who don’t safeguard personnel data can now be found negligent and become subject to financial losses.”
To me, the fact it took a court ruling to address this issue is a symptom of a larger problem in information security. Many businesses base their information security programs solely on what they are required to do by regulations, compliance frameworks, their clients, and their business partners. When taking this approach, these businesses are doing the bare minimum. They’re driving their security efforts around compliance with obligations rather than trying to manage cybersecurity risk to a level the company can accept. In most organizations, this mistake is incidental rather than intentional.
In many cases, small- and medium-sized organizations simply don’t have the resources to make information security a priority. Customers don’t ask about it, and the company doesn’t have the money to spend on it, so nothing happens. However, sensitive data is still there. There’s still a risk that it could be compromised.
Larger businesses, on the other hand, might have the resources to prioritize information security, and they might believe they’re doing just that. The problem is that many of these organizations simply don’t know the location of all their data. They may be working to protect what they know they have, but any data they’re unaware of is likely unprotected, or at least not adequately protected.
So, what can we do to fix this? Here are the five things I recommend:
1. We must acknowledge our responsibility. If your business accepts sensitive data, you have a responsibility to protect that data—whether it’s “required” (by a regulation, a client, a compliance standard, etc.) or not. This is an inferred duty for any entity that stores, processes, or transmits sensitive data of any kind. We must be good stewards of the data entrusted to us.
2. We must know the locations of the sensitive data in our possession. This means conducting an inventory of all the sensitive information your organization has. It’s not easy, and it’s not fun, but it’s an important task and one that information security professionals specialize in. It’s what each organization must do to protect the data within its control. Identify all processes where data comes into your organization, where it comes from, where it’s stored while you have it, and how it leaves the organization (including who the information goes to and whether you’re holding those parties accountable). And, of course, be sure to include in your inventory the processes where your company creates sensitive data.
3. Examine (or implement) controls around the data stored, processed, and handled by your organization. Are the controls in place reasonable for protecting the data in question? Are there any controls you could (or should) add? What level of risk are you currently accepting? Are you okay with that?
4. Review your controls periodically. This generally comes in the form of an audit or assessment. An assessment can ascertain whether or not existing controls are functioning as intended, as well as whether or not they are having the desired impact on cybersecurity risk. If the controls are not functioning properly or not effectively reducing risk, change them or add additional security measures.
5. Focus on properly securing information before anything else. Do this, and compliance with cybersecurity obligations will be a natural result. The days of focusing on compliance alone will (or at least should) soon be over.
Thanks to the ruling in Pennsylvania and a new privacy law going into effect in California in 2020, companies are now facing higher scrutiny to handle data responsibly. Smart companies are seeing the writing on the wall and adjusting their information security practices accordingly. Those who don’t will eventually be forced to adopt more stringent practices, one way or another. Whether that change is the result of fines, fallout, or new regulation remains to be seen.
Our team at LBMC Information Security can help you move from a posture of merely maintaining compliance to being an industry leader in responsibly and securely managing data. Contact us today to learn more!