Incident response and breach management are concerns for all businesses today, and in our wired society there are opportunities for data loss in surprising places. Take for example the recent Sony breach, in which the personal information of millions of gamers was compromised, or the discovery that iPhones were logging where their owners went, and don’t even get me started on Facebook and Twitter. The legal landscape is no less complex. The first breach notification requirement in the United States was California’s Security Breach Information Act (SB 1386), which took effect in July 2003. That law requires that a business which loses the personal information of California residents must notify the affected residents. Within a few years, most U.S. states had followed California’s example and passed their own data breach notification laws. While most state laws were modeled after the California law, each state may differ on how and when notification must occur, and on what counts as a breach. Naturally, this makes the incident response process complicated for any business whose customers span several states.
The Federal Government is now looking into the breach notification landscape and may come out with its own law that could supersede the various state laws and create a more uniform environment when it comes to breach notification. Senator Patrick Leahy has introduced the Personal Data Privacy and Security Act of 2011, which includes both notification requirements and penalties for failure to provide adequate notification. I have to tell you, I am not one who typically favors more government regulation, but in this case having a unified law and set of practices would, I believe, be an excellent thing. It may not be until 2012 or 2013 that Congress passes some form of breach notification law, but it seems likely that it will be addressed.
Regardless of what laws may apply, safeguarding sensitive information should be a priority for businesses and users alike. Common principles for safeguarding sensitive information include:
- Do not store information you do not need
- Do not store information longer than needed
- Where possible, encrypt sensitive data
- Have proper policies and controls around access to sensitive data
- Have an incident and breach management policy
- Invest in training and security awareness
- Routinely audit and validate your controls and policies
Data protection and management have simply become a reality for our world today. At inContact, we work closely with our customers to develop solutions that minimize the data handled and the risk associated with it.