When most people hear of a data breach, they think of some bad actor on the Internet using sophisticated software to infiltrate online computers. Breaches like Facebook’s recent one get a lot of press and big headlines.
However, in reality, these big news stories account for only about 25% of the data breaches that occur. The other 75% break down into the three types of breaches I describe below:
1. The Former Disgruntled Employee. These employees used to have access to your customer data and are no longer with the company. Before the company locked them out of their computers, however, they took a copy of the company’s user data, and they are now trying to sell that data, use it, or simply make big trouble for the company. Any release of the data they stole is a data breach and an expensive headache for the company.
2. The Current Disgruntled Employee. These are the employees who feel the company never listens to them and that management is a bunch of fools who could be doing so much more if only they would listen. They decide to go into business for themselves and make the kind of money they believe they really deserve. Before they leave, they take a copy of the company’s client list so they can announce that they have formed a new company to compete with their old one.
3. The Current Employee Who Makes A Dumb Mistake. They copy data to a thumb drive for legitimate purposes, or they are working at a Starbucks and go to the bathroom without shutting down their computer. Then they lose the thumb drive, or someone gets on the unwatched computer, and a copy of customer data is released.
I am sure you can think of many more scenarios that are either innocent or deliberate. As I said above, these types of data breaches account for the vast majority of data breaches, but they don’t make the headlines the way the big company breaches do.
I noted above that a data breach is an expensive headache for the company. The headache is the damage to your brand, the ire of your customers, and the steps you need to take to make things right.
Every state and the entire EU now have data breach laws on their books. If even one person’s data is breached (or is suspected of having been breached), you will need to contact the Secretary of State’s Office where that person lives and explain that you had a breach and what you are doing about it. Usually, they will expect the company to put some sort of remediation program in place, such as buying LifeLock for every person affected (not a cheap proposition). Further, the Secretary of State’s Office will usually levy a fine on the offending company. It is in the company’s best interest to have these conversations handled by an attorney, adding even more cost to the effects of the data breach.
The cost estimates I have seen for data breaches range from two million to six million dollars. The two-million-dollar price tag was for a breach of under 10,000 names. Obviously, a data breach is something you never want to deal with.
Here is a helpful hint: All data breach laws make an exception for encrypted data as long as the encryption key is not part of the breach, so never store the encryption key on the computer. In today’s world, encryption is often just a matter of a few simple keystrokes. Both Windows and Apple operating systems offer encryption of your entire hard drive right in your settings.
Now, you just need to encrypt, keep the key off the computer, and make sure those who have the ability to decrypt are trained and monitored for compliance. Even when I make a copy to a thumb drive on my PC, the computer asks whether I want to encrypt it, to which I always say yes!
There are many more actions you can take to secure your data. Please feel free to contact me with any questions or comments you may have.