The CEO was staring at screen images of his internal network, along with his customer database and all the customers' personal information, including Social Security numbers, credit history and FICO scores. He had just completed a vulnerability assessment of his network and was briefing the executive team on the results, which weren't pretty.
Further investigation revealed a folder deep in the system created four months earlier that had a pretty informative name: “You’ve been hacked.” Sadly, there was no way to truly know what information had been compromised, but the CEO had to assume the worst.
Surprisingly, Nevada companies are not obligated to disclose to anyone – much less the customers affected – that this type of breach has occurred. What many Nevada companies don’t seem to realize is that this is about to change.
New Year's Day, 2006. Do You Know Where Your Data Is?
Gov. Guinn recently signed into law Senate Bill 347, a comprehensive information privacy bill sponsored by Senators Valerie Wiener, Dina Titus, Bill Raggio and Randolph Townsend. SB 347 covers the public, private and higher-education sectors. Among other things, SB 347 addresses:
Stiff sentencing penalties for individuals engaged in identity theft, identity fraud or creating fraudulent documentation for financial gain.
Clear definitions of personal identifying information.
Requirements for destruction of personal information, whether paper or electronic.
Implementation of security measures to protect records from unauthorized access, destruction, use, modification or disclosure.
Requirement to disclose any breach of security systems that results in the unauthorized release of personal information.
Encryption standards for electronically transmitted information.
For Nevada businesses, this means access to customer information must be granted on the basis of defined roles and a demonstrated need to know, not handed out merely to ease workflow or support. Appropriate audit controls must also be in place, so that who accessed which records, and when, can be reconstructed after the fact.
When disposing of computers and other media, companies must ensure that all traces of information are overwritten or destroyed, not merely deleted. Deleting a file or reformatting a drive typically removes only the file system's references to the data; the underlying blocks are left intact until something else happens to overwrite them, and freely available recovery tools read those blocks directly. Reformatting the hard drive is therefore not sufficient: every sector must be overwritten, or the media physically destroyed. Organizations must also have appropriate security policies and technical safeguards in place to show due diligence in protecting customer information.
Company A has a software application that is supported by an outside vendor. The vendor has unfettered access to the organizational systems to provide that support. The vendor fires one of its support staff and doesn't notify Company A or change the access password. The disgruntled ex-staffer logs in and steals consumer info. Company A must disclose this breach. Any access you grant a vendor must be provisioned, reviewed and revoked just like employee access, which means shared support passwords have to change whenever the vendor's staff changes. By the way, who's your janitor?
Company B upgrades all its computer workstations and decides to be charitable and donate the old computers to schools. It takes a small step and reformats the hard drives. Thinking they are empty, it hands them over. A curious 12-year-old playing with data recovery tools finds all the deleted files and sends them around the Internet to impress his buddies. The school system notifies Company B. It must investigate and disclose this very embarrassing breach.
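The following is an added example, not part of the original article, that makes the Company B scenario and the "reformatting is not sufficient" point above concrete. It models a tiny block device as a byte array with a directory region and a data region, the way simple file systems keep metadata apart from file contents. "Delete" and "quick format" touch only the directory region, and a carving scan over the raw blocks, which is what data recovery tools do, still turns up the customer record; only an overwrite of every block removes it. The file name, the SSN-like record and the block layout are constructed for the demonstration and are not real data.

```python
"""
Data remanence demonstration (added example, not from the original article).

A toy block device: blocks 0-1 hold directory entries of the form
"name:first_block:length;", blocks 2-15 hold file contents. Layout,
file name and the customer record below are all constructed for this demo.
"""
import os
import re

BLOCK_SIZE = 64
DIR_BLOCKS = 2                      # metadata region: blocks 0-1
DATA_BLOCKS = 14                    # file contents: blocks 2-15
DIR_BYTES = DIR_BLOCKS * BLOCK_SIZE
DISK_SIZE = BLOCK_SIZE * (DIR_BLOCKS + DATA_BLOCKS)

# What a recovery tool or a curious 12-year-old would grep for: ddd-dd-dddd.
SSN_PATTERN = re.compile(rb"\d{3}-\d{2}-\d{4}")


def new_disk():
    """A blank device: every block zero."""
    return bytearray(DISK_SIZE)


def _entries(disk):
    """Parse the directory region into (name, first_block, length) tuples."""
    raw = bytes(disk[:DIR_BYTES]).rstrip(b"\x00")
    out = []
    for entry in raw.split(b";"):
        if entry:
            name, first, length = entry.split(b":")
            out.append((name.decode(), int(first), int(length)))
    return out


def write_file(disk, name, payload, first_block):
    """Store payload in data blocks and add a directory entry pointing to it."""
    start = first_block * BLOCK_SIZE
    disk[start:start + len(payload)] = payload
    entry = f"{name}:{first_block}:{len(payload)};".encode()
    free = disk[:DIR_BYTES].find(b"\x00")     # first free byte in the directory
    if free < 0 or free + len(entry) > DIR_BYTES:
        raise ValueError("directory full")
    disk[free:free + len(entry)] = entry


def list_files(disk):
    """What the operating system shows the user: names from the directory only."""
    return [name for name, _, _ in _entries(disk)]


def read_file(disk, name):
    """Read via the directory, as an application would. None if not listed."""
    for entry_name, first, length in _entries(disk):
        if entry_name == name:
            start = first * BLOCK_SIZE
            return bytes(disk[start:start + length])
    return None


def delete_file(disk, name):
    """Mimic an OS delete: drop the directory entry, leave the data blocks alone."""
    kept = b"".join(
        f"{n}:{f}:{l};".encode() for n, f, l in _entries(disk) if n != name
    )
    disk[:DIR_BYTES] = kept.ljust(DIR_BYTES, b"\x00")


def quick_format(disk):
    """Mimic a quick format: zero the metadata region, nothing else."""
    disk[:DIR_BYTES] = bytes(DIR_BYTES)


def carve_ssns(disk):
    """What recovery tools do: ignore the directory and scan every raw block."""
    return [m.group(0) for m in SSN_PATTERN.finditer(bytes(disk))]


def secure_erase(disk):
    """Overwrite every block (random pass, then zero pass) and verify the result."""
    disk[:] = os.urandom(DISK_SIZE)
    disk[:] = bytes(DISK_SIZE)
    return not any(disk)            # True only if every byte really is zero


def demo():
    """Walk the Company B scenario on the toy device and report each stage."""
    disk = new_disk()
    record = b"customer=Jane Doe;ssn=123-45-6789;fico=742"   # constructed sample
    write_file(disk, "customers.csv", record, first_block=5)
    results = {"listed_before": list_files(disk)}
    delete_file(disk, "customers.csv")
    results["listed_after_delete"] = list_files(disk)       # OS says: gone
    results["read_after_delete"] = read_file(disk, "customers.csv")
    results["carved_after_delete"] = carve_ssns(disk)       # raw scan: still there
    quick_format(disk)
    results["carved_after_format"] = carve_ssns(disk)       # still there
    results["erase_verified"] = secure_erase(disk)
    results["carved_after_erase"] = carve_ssns(disk)        # finally gone
    return results


if __name__ == "__main__":
    for stage, value in demo().items():
        print(f"{stage}: {value}")
```

The directory-based read returns nothing after the delete, which is all a user or application ever sees, while the raw carve still finds the record after both the delete and the quick format. On real hardware the equivalent of `secure_erase` is an overwrite of every sector with a purpose-built tool, the drive's own ATA Secure Erase command, or physical destruction; note that overwrite-based tools are unreliable on flash media, whose wear-levelling can keep old copies of blocks out of reach of the host, so for SSDs the built-in sanitize command or destruction is the safer choice.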
Security Is a Business Process, Not an Afterthought.
While this bill clearly has the potential to cause night sweats for Nevada business leaders, it's really an opportunity to fold security into business processes and make it a business enabler that also protects assets. As an added bonus, you won't wind up "above the fold" of the newspapers heralding bad news about your company.