November 06, 2014

Information Security: How Data Breaches are Communicated

Quick, can you name a few data breaches that have made headlines in recent years? 

Target, eBay, and Adobe probably come to mind.

These were all highly publicized incidents – and they are a good example of how people learn about information security and data breaches.

The Adobe, eBay, and Target incidents, each with well over 100 million personal records breached, received lots of attention and appear on top data breach lists such as this infographic posted by Bloomberg.com.

But for every data breach that attracts media attention, there are many others that don’t. This article at Forbes.com examined five information security breaches in particular that somehow escaped wide attention and shouldn’t have.

  • In February, security researchers discovered self-replicating malware (a worm) that is thought to have affected millions of Linksys/Cisco home routers around the world.
  • The Nuclear Regulatory Authority was reported to have been the victim of email hacks.
  • Universities in Maryland, Wisconsin and Iowa were victims of security breaches that exposed Social Security and credit card numbers as well as health records and intellectual property.
  • The restaurant chain PF Chang's suffered a breach affecting credit card information.

Of course, whether or not a data breach incident is picked up and publicized by a news agency doesn’t make it any less important – or damaging – especially for the person whose private information has been breached and for the company that is responsible.

At the same time, there are privacy laws and legislation that include breach notification requirements. Furthermore, breach notification laws are tightening due to the broadening of the definition of personally identifiable information (PII) and protected health information (PHI).

On the flip side of all this, a trade journal editor makes a great point about how companies should be communicating their good security track record.

“The best marketing approach a brand could take these days is to promote how secure they make their customer’s data, according to a panel examining recent hack attacks,” states the article.

The article cites research that has shown people give their business to companies with ‘good data hygiene’, and that many consumers today seek out companies that will protect their information.

Here’s a quick checklist of corporate safeguards and how to prevent identity theft in the workplace:

  • Create a comprehensive data security policy.
  • Appoint a CISO (Chief Information Security Officer).
  • Conduct a security audit to identify issues.
  • Ensure internet protection on all computers.
  • Limit access to confidential records to a need-to-know basis.
  • Keep information only for as long as needed. Implement secure document disposal including a shred-all policy for paper and electronic documents.
  • Have an incident response plan in place as well.

Learn more about implementing security policies and procedures in your workplace.