As published in Scotsman Guide's Commercial Edition, May 2007.
As head of the privacy-and-information-management practice at law firm Hunton & Williams LLP, Lisa Sotto has seen many unauthorized information disclosures, aka breaches. When it comes to investing in data-security measures, Sotto's advice to mortgage companies is simple: "Pay now or pay through the nose later."
According to Privacy Rights Clearinghouse, more than 100 million records containing personal information have been compromised in some way since February 2005. How can businesses stop this?

The difficulty with that number is that while we are hearing about data breaches more now, that doesn't mean that they're happening in bigger numbers. In the past, there were no legal requirements to announce that data were compromised. Businesses can't stop the risk of security breaches entirely. They can conduct a risk assessment of their systems and try to patch any vulnerabilities. Many businesses are crafting instant-response plans so if there is an incident, they'll have a specific procedure for how to proceed.

What are the first steps companies should take if their clients' data have been compromised?

The first step is to determine whether in fact there was a compromise, which is not easy in some instances. Then determine what data were in fact accessed by the unauthorized individual, and determine whether that triggers breach-notification laws (ed. note: At press time, 35 states had these notification laws). If it does [trigger the laws], you need to craft a letter to individuals that data were compromised and determine what offerings you'd like to provide to them, such as a call center to answer any questions they might have or providing credit monitoring at no charge to the consumer. Of course, a company that suffers a breach also needs to think about public-relations and investor-relations aspects.

What are some of the newest trends in information thievery?

We're seeing a lot of inside jobs -- not necessarily within the company that suffers the compromise but within the "trusted insider circle" of service providers.

How are companies responding to these inside jobs?

They are requiring background screening of their service providers or employees. We're also seeing a deeper dive into the background of the individual, not just superficial knowledge.

How much should companies be willing to invest in information technology for privacy and data-security measures?

There's no rule of thumb in terms of how much, but that's a question that should be raised on a periodic basis with [a company's] IT group, chief information-security officer and privacy officer. The budget for these things can't be paltry. If it is, there will be a limit in terms of how well data can be protected, and these events tend to be enormously expensive.
Melinda Young is an associate editor at Scotsman Guide. Reach her at (800) 297-6061 or firstname.lastname@example.org.