Revisiting the Basics of Data Breaches
Data breaches have become quite commonplace. We often hear about large data breaches in the news. We see emails from our favorite stores and banking institutions alerting us to the most recent data breach. Think about how many times your bank has mailed a new debit card because of a data breach or you received an email or letter offering credit-monitoring service due to a data breach.
Data breaches can be frustrating in our personal lives, but how often do we think about what caused a given breach and how the same failure could play out at our own companies and in our own careers? We assume that if we were ever in that situation we would know exactly what to avoid, but would we really? How many times have we heard about a coworker clicking a link in an email, or replying to one with a password or other sensitive data? It happens, especially when you have a heavy workload and are under deadline pressure.
Many organizations have their IT department or cybersecurity team send reminders to employees to complete annual security awareness training. Every year, I follow up with my employees and make sure it is on everyone’s to-do list, including my own. Usually, the scenarios portrayed are simple and basic, with titles such as “Email and Phishing,” “You are the Shield,” “Browsing Safely,” and “Data Security.” Each video and quiz takes approximately 10 to 15 minutes to complete. Although many of the tips are common sense or common knowledge, it is helpful to have the reminders on an annual basis.
Additionally, it is important not only to participate in this training, but also to go back and review the data security controls currently in place and how they fit into your policies and procedures. Before reviewing policies and procedures, it helps to understand the basics: what data security is, what information should be protected, what a data breach is, how one can happen, and who is responsible when a breach occurs.
What Is Data Security?
Data security is keeping sensitive information protected throughout its life cycle, whether you are accessing, transferring, processing, archiving, or deleting it. Because most organizations rely heavily on technology, data security solutions typically include cloud access security, data encryption, hardware security modules, key management, web browser security, biometrics, and email security. While technology is an important part of our daily jobs, many of us still use paper. Protecting hard-copy data is just as important as protecting data in the cloud and on the organization’s network. Making sure that computer screens, cabinets, and office doors are locked is also part of keeping sensitive information secure, and sensitive paper records must be destroyed properly rather than simply thrown away. At many organizations, especially in finance and human resources departments, there is a wealth of information on employees, company policies and procedures, and other company-specific information.
What Information Should Be Protected?
So, exactly what is sensitive information that should be protected?
Sensitive information that may require a data security protocol includes protected health information (PHI), personally identifiable information (PII), and trade secrets or intellectual property. Whether your payroll department reports into human resources or finance, much of the information handled on a daily basis will be considered PII and/or PHI.
PII is information that can be used to identify, locate, or contact a specific individual. Information that is lawfully made available to the public in federal, state, or local government records is generally not treated as PII. Examples of PII include an employee’s Social Security number, driver’s license number, bank account number, full name, date of birth, home address, phone number, employment history, and email address. Even a photograph of an employee is considered PII. An important note is that personal information that cannot be associated with a specific person is generally not considered sensitive, because it cannot be used to identify, locate, or contact a unique individual. Be careful with that distinction, however: seemingly anonymous fields such as ZIP code, date of birth, and gender can often be combined to re-identify a person, so “de-identified” data should be handled with care.
The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule provides federal protection for PHI held by covered entities and their business associates. PHI may include demographic information, medical history, test and laboratory results, mental health and physical health conditions, insurance information, and any other data, including payment information, that a health care professional, organization, or health insurance company collects that identifies an individual.
Now we know what data security is and what information must be secured, but what is a data breach?
What Is a Data Breach?
When sensitive information is accessed, disclosed, or lost without authorization, it is considered a data breach. The release does not have to be intentional, nor does the information have to be obtained by hacking a system, for the incident to count as a data breach. Let us look at the various ways a data breach can occur:
- Mobile devices—Cell phones, flash drives, portable hard drives, laptops, and any other data storage medium can be the source of a data breach if lost, stolen, or discarded improperly.
- Negligence/mistakes—Employees may accidentally send an email to the wrong individual, bring documents home, upload files to a public share drive, or store data in an inappropriate location. Additionally, employees may verbally release information without proper authorization.
- Theft—Employees or third parties may maliciously access information without authorization.
- Cyberattacks—Phishing and spear phishing, skimming devices, malware, compromised passwords, IP spoofing, and other forms of social engineering are all techniques that can be used to launch a cyberattack resulting in a data breach (see the APA’s news article on recent phishing scams).
Who Is Responsible?
If a data breach occurs, who is responsible? What if the data breach occurred with a third-party vendor or a contractor that was hired for just one day? Is it the person who clicked on the link in the phishing email? Does the fault lie with the security protocols and cybersecurity currently in place?
Data owners are legally responsible for maintaining the security of the PII and PHI of customers, employees, and clients. Within an organization, however, accountability is a team effort and involves all employees from the C-Suite down. Educating employees and integrating a cybersecurity plan into policies, procedures, and best practices greatly reduces the likelihood and impact of a data breach, though no single control can eliminate the risk. A few best practices that help guard against a data breach include:
- Use a firewall for your network
- Require multi-factor authentication (MFA) for login, especially for remote access and for systems that hold payroll or HR data
- Use VPN (virtual private network) for remote access
- Require strong passwords and set a written password policy. Note that current NIST guidance (SP 800-63B) favors long passphrases, screening new passwords against lists of known-compromised passwords, and requiring a change when compromise is suspected, rather than forcing rotation on a fixed schedule, which tends to produce weaker, predictable passwords
- Use encryption to protect sensitive content both at rest and in transit, including emails and files that are transferred
- Establish policies for internet and software usage
- Establish policies for use of personal mobile devices on site and the business use of personal devices. Utilization of mobile device management software can be helpful.
- Keep servers and all workstations patched and up to date
- Encrypt removable media such as USB (universal serial bus) drives, and use endpoint controls to restrict which devices may be connected
- Use shred bins to dispose of papers
- Lock your screen whenever you step away from a computer that has access to PII or PHI, and enforce an automatic lock after a short period of inactivity
- Ensure work locations are secure for employees who work with PII and PHI data
- Don’t discuss PII and PHI in open locations for others to hear
- Lock papers and folders in offices and cabinets; set a “clean desk policy” to avoid having sensitive data easily accessible
Ultimately, as employees of our organizations, we all have a stake in keeping company data and networks secure. It is not the sole responsibility of the IT team. Work in partnership with your IT department, legal team, executive team, training department, and human resources team to identify and balance acceptable risk, compliance obligations, and overall security.
Nicole D. Orr, CPP, SHRM-SCP, is Director of Payroll and Tax Compliance at Pace University. She is a member of the APA’s National Speakers Bureau, Social Networking Committee, Best Practices Subcommittee of the Strategic Payroll Leadership Task Force (SPLTF), Immigration Subcommittee of the Government Relations Task Force (GRTF), and the IRS Issues Subcommittee of the GRTF. Orr is also a member of the Board of Contributing Writers for PAYTECH.