In a prior column, we discussed the inevitability of technology-related accidents occurring at virtually every company. One particularly common mishap is the loss of customer, client or employee data. These data breaches may present a substantial problem for organizations, as the number of discrete records lost often runs into the hundreds, thousands or millions. Even if there is no evidence of actual misuse of the lost data, the costs to provide legally required notice, together with the potential cost of mitigation efforts such as providing credit monitoring, quickly mount. If the breach is sufficiently serious to interest regulators such as the Federal Trade Commission or a state’s attorney general, then costs associated with investigation, defense and, potentially, future mandatory compliance and fines further add to the data loss burden.
Many people think of data loss as the work of hackers, offshore data thieves and other external threats. But, as Pogo once said, “We have met the enemy, and he is us.” The vast majority of data loss events are an inadvertent, or sometimes intentional, “inside job.” If your organization experiences data loss, it will most likely be an employee, not an external actor, who caused the loss.
In a recent Forrester Research survey, respondents cited external attacks as the causal event in only 25 percent of data loss cases. Other causes, such as employee loss of data, employee misuse of data or malicious insider activity, combined to pose a far greater threat to organizations’ information assets. We recently provided counsel with respect to data losses arising from a laptop stolen from an employee’s car, and a professional data thief who moved from company to company as a human resources employee, stealing employee personal information at each stop. Regulatory authorities pursue enforcement actions over, for example, data losses resulting from the theft of an employee’s briefcase, or from employees ignoring company disposal rules for sensitive data.
Focusing on several key elements of a company’s data flow and storage can mitigate this internal threat. Start by asking questions regarding employee access, transmission and storage/disposal of company-held data.
Key access questions include:
- In what ways can employees access data?
- What security measures are in place to guarantee only authorized access?
- Is access allowed to persons beyond those who reasonably need it?
- What measures are in place to log employee access?
- Is access limited to on-site means, or can employees remotely access data?
- What gateways to sensitive data are available via smartphone or other mobile device?