Regulations and compliance: The business justification for data security

What is more of a concern is both large corporations and small business owners are being held accountable. How does a company justify the cost? Before we answer this question, let’s take a look at two recent examples of new compliance regulations, one concerning Personal Information (PI) the second concerning Protected Health Information (PHI). These examples will provide you with insight into some of the reasons why it is justified for businesses to implement a data security solution.

Forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. A national trend by several states has expanded the protection of individuals/consumer personal information to a new level. For example, Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has proposed new and extensive regulations 201 CMR 17.00: M.G.L. c. 93H requiring any entity who “owns or license’s personal information regarding any resident within Massachusetts” comply with strict guidelines. The rule specifies the encryption of all transmitted records and files containing personal information that will travel across public networks, be transmitted wirelessly, or stored on laptops or other portable devices, on or before March 1, 2010. The regulations also apply to entities outside of Massachusetts, but doing business inside the Commonwealth.

What happens if a breach occurs? In Massachusetts, the comprehensive identity theft legislation signed by the Governor on August 3, 2007, specifies when a breach occurs and personal information is lost or acquired by an unauthorized person or used for an unauthorized purpose, notification must be sent to those affected, the attorney general and the director of consumer affairs and business regulation.

How is this enforced? The attorney general may bring an action against a business to remedy any violations. As more states require companies to comply with tight security regulations, companies will be hit with fines if they don’t implement solutions that specifically prevent the leakage of sensitive data.

As for the second compliance example, as of September 23, 2009, the Health and Human Services (HHS) issued an interim final rule concerning procedures and notification of breaches of unsecured PHI under the Health Information Portability and Accountability Act of 1996 (HIPAA). The new rule depicts the process for notifying victims of a breach and also expands the accountability of a data leak to include “business associates” of the entity holding the PHI. The rule also clearly specifies what constitutes “protected PHI” in which case notification to the affected party is not necessary. If the PHI is encrypted per the guidelines of National Institute of Standards and Technology, then notification is not required. If however, your PHI is unprotected then the following must occur:

1. Within 60 days of the discovery, affected parties must be notified of the breach in clearly understood language. Furthermore, prominent media must be contacted when over five hundred people are affected.

2. The notification must explain the specifics of what occurred; what type of PHI was leaked; and the steps the individual can take to protect themselves.

3. The responsible party must specify the steps they are taking to avoid harm to the individual affected such as contact procedures and information for those needing help.

With the advent of the Health Information Technology for Economic and Clinical Health Act (HITECH); part of the American Recovery and Reinvestment Act of 2009 (ARRA), special incentives are accelerating the adoption of electronic record systems and exchanges between providers. The government is investing $20 billion in health information technology infrastructure and Medicare and Medicaid incentives to encourage doctors and hospitals to use HIT to electronically exchange patients’ health information. However, with more electronic records, comes more PHI needing protection. The Act requires that an individual be notified if there is an unauthorized disclosure or use of their health information. This can be a costly process. These new regulations and compliance issues provide businesses with a reason for implementing data security solutions.

According to Ponemon Institute, data breaches have serious financial consequences on an organization. Costs can also include direct expenses such as engaging forensic experts, outsourced hotline support, free credit monitoring subscriptions and discounts for future products and services. According to this year’s Ponemon Institute Annual Cost of a Data Breach study, the average cost of a data breach has risen to $202 from last year’s $197 per customer record. In addition, they found that 75% of large corporations surveyed have suffered data leakage, with an average cost of $5 million per incident. With these huge sums of money associated with data loss and new regulations being implemented on a regular basis, the need for data protection has become top of mind for businesses. With the implementation of a DLP solution, a business is less likely to be non-compliant and more data will be secure.

Back to our original question, how does a company justify the cost of data protection solutions? In analyzing a regional hospital with 500 beds, 1,000 employees and 200 laptops, the hospital serves a population of 100,000 and has one laptop stolen every six months on average. If 1,000 patient records were located on the stolen laptop and the hospital had to notify each patient at a cost of $202 per record, the hospital would be better off paying $4,000 for the encryption of the laptops and avoid spending $202,000 on the disclosure.

As the workforce continues to rely and expand its use of mobile devices (i.e. Smartphones and laptops), opportunity for data leakage of sensitive information increases. Let’s explore a real life example; a business executive using his laptop from an airport lounge is communicating via Skype to his family and child’s soccer team coach. He accidently attaches a customer list instead of the soccer team registration. An effective data protection system will warn and block the transfer. This type of accident is fairly common. A recent report from the Ponemon Institute suggests that the most common breaches (64%) occur from company insiders. In the January 2009 study, they found more than 88% of all cases involved insider negligence.

A comprehensive data protection solution can lower these statistics in several ways. First, it can assist organizations in identifying sources of unsecured PHI and PI. For example, advanced discovery tools are capable of quickly locating sensitive data no matter where it resides on your system. Several of our customers have been shocked to learn that their sensitive data resides on endpoints. Second, an effective data protection and leakage prevention system comes bundled with extensive ready to use templates containing policies that “out of the box” will provide effective protection and encryption with little to no user intervention. The more automatic and transparent the system, the better.

Since the majority of leaks occur from an employee’s lack of awareness, educating users is a top priority. Education may occur in the traditional sense, however, a data protection system that includes sophisticated dialog prompts provides “on the job training” of compliance and security policies. This unanticipated side benefit can both prevent a breach as well as train users. If an employee is about to send sensitive data unknowingly, he might be notified through a prompt such as found below:

When data is appropriately protected, encrypted and secured, federal and state breach notifications can be avoided. In the long run, organizations can save a significant amount of money and avoid embarrassment and lack of public/consumer trust by deploying the right data protection and leakage prevention solution. The goal for all holders of sensitive data should be to pay a few dollars now, to avoid paying much, much more later. Dollars, customers, credibility and potential lawsuits are all at stake. Look for a comprehensive solution that is transparent and provides the right balance between productivity and protection.

biography
Gil Sever is the founder and CEO of Safend, a provider of endpoint data protection solutions that protect against corporate data loss via physical, wireless and removable media ports while ensuring compliance with regulatory data security and privacy standards. For additional information on Safend visit, www.Safend.com.