PREVENTING PRIVACY AND SECURITY

DISASTERS

by Daniel J. Solove

We’re in the midst of a crisis in privacy and data security . Billions of passwords stolen. . . Mammoth data breaches. . . Increasing threats. . . Malicious hackers . . . Damaging privacy violations. . . The numbers keep rising. How should organizations be responding?

PREVENTING PRIVACY AND SECURITY DISASTERS

www.teachprivacy.com

Second, significant attention must be given to addressing human behavior, which is the biggest data security risk. The best way to address human behavior is through effective training.

A study by Forrester that reveals that internal threats are the “leading cause” of data breaches.1 90% of malware requires a human interaction to infect.2 95% of data security incidents involve human error. 3 Because so many employees don't receive sufficient training, they engage in all sorts of risky data security practices.

The recipe can be summed up in a simple rhyme:

The C-Suite must care The workforce must be aware

After reviewing countless data breaches, I’ve come to the conclusion that there are two things that can most help prevent data breaches.

First, upper management (often called “the C-Suite”) must truly understand the risks, the law, and the importance of good data security and privacy.

Strong data protection comes from both the top and the bottom. From the top, upper management understands the risks and provides the appropriate resources. From the bottom, all employees at every level know how to do their part to ensure strong data protection. Much more work needs to be done at both the top and the bottom. At the top, the C-Suite needs a better understanding of the risks and the law. And much more can be done to improve workforce awareness.

www.teachprivacy.com

Data Protection Must Be Part of an Organization’s Culture

Ultimately, these two things are really about one thing: Data protection must be part of the culture of an organization. Data protection must be felt in the bones of an organization. I say “data protection” because the term encompasses both security and privacy. Both are essential and go hand-in-hand.

From the Top and the Bottom

PREVENTING PRIVACY AND SECURITY DISASTERS

After an incident, the lawsuits will start coming. Win or lose, these cases can cost millions to litigate. One study found that the average settlement award in these cases was approximately $2,500 per plaintiff, with mean attorneys’ fees reaching $1.2 million.5

Under HIPAA, big fines are being issued. Fines can be up to $1.5 million per provision of HIPAA violated. When there’s a breach, HHS’s investigation often turns up quite a number of HIPAA violations, and the fines for these add up. State Attorneys General can enforce HIPAA as well as their own state’s law. There are big state fines. The FCC has been stepping up enforcement and issuing big fines.

Although the FTC can only issue fines for some of the laws it enforces, its consent decrees last 20 years and require ongoing auditing and reporting to the FCT – and that can be very expensive! The FTC can issue fines when consent decrees are violated.

www.teachprivacy.com

The Need for More Attention to the Risks and Costs

According to a recent survey, at most organizations, only a very small percent of the IT budget goes to data security. 19% spent less than 1% .4 These facts indicate the C-Suite needs to pay a lot more attention to data security officials. Indeed, I think that the C-Suite needs to pay more attention to privacy officials too, because privacy and security go hand-in-hand.

There are three big costs of an incident that the C-Suite often fails to appreciate: money, time, and reputation.

MONEY

PREVENTING PRIVACY AND SECURITY DISASTERS

Reputation

www.teachprivacy.com

Time

Incidents are not just solved by writing a check. They take time and sweat. These things are tremendously costly not just in terms of money but also in terms of time.

A significant number of important personnel will be tied up dealing with these issues. And even the C-Suite might be tied up too, as they need to deal with the PR fallout and might need to address the matter themselves.

TIME

REPUTATION

PREVENTING PRIVACY AND SECURITY DISASTERS

Privacy and data security incidents can tarnish an organization’s reputation. Even if the general public isn't paying attention, an entity’s reputation can suffer with other organizations, which might not share personal data with that entity. And all the regulators will now be paying more attention – the various federal agencies, state AGs, state agencies, international regulators, and so on. Just like having a prior criminal record won't help future encounters with the police, the same is true with having a regulatory violation rap sheet.

Soiled Reputation

A recent study found that more than 90% of data breaches could have been avoided.6

There’s a story I see replayed again and again. An organization doesn't take security (or privacy) risks seriously enough. The organization gets burned, and that is the wake up call. The organization then gets serious.

There are those who must burn before they learn and those who learn rather than burn. For some, despite all warnings, they just won't step it up until after they get burned. The costs of getting burned are enormous. The cost of preventative measures are minimal in comparison.

www.teachprivacy.com

1. Grant Hatchimonji, Biggest Data Security Threats Come from Inside, Report Says, PC World (Oct. 13, 2013) http://www.pcworld.com/article/2054462/biggest-data-security-threats-come-from-inside-report-says.html

2. Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis, https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf

3. Marcos Colón, "Human Error" Contributes to Nearly all Cyber Incidents, Study Finds, SC Magazine (June 16, 2014) http://www.scmagazine.com/human-error-contributes-to-nearly-all-cyber-incidents-study-finds/article/356015/

4. 6th Annual HIMSS Security Survey (Feb.19, 2014 ) http://himss.files.cms-plus.com/2013_HIMSS_Security_Survey.pdf

5. Sasha Romanosky, David A. Hoffman, and Alessandro Acquisti, Empirical Analysis of Data Breach Litigation, 11 Journal of Empirical Legal Studies 74 (2014), http://ssrn.com/abstract=1986461

6. Online Trust Alliance, 2015 Data Breach and Readiness Guide (Feb. 13, 2015), https://otalliance.org/system/files/files/resource/documents/dpd_2015_guide.pdf

PREVENTING PRIVACY AND SECURITY DISASTERS

Burn Before You Learn or Learn Rather than Burn

Sources

About the Author

TeachPrivacy was founded by Professor Daniel J. Solove. He is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience. According to Professor Solove: "Great training isn’t about slickness or tricks. It is about teaching. The goal is to make people understand, care, and remember. Great training must made with genuine passion. " TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics.

In addition to creating enterprise-wide training, TeachPrivacy has teamed up with the American Health Information Management Association (AHIMA) to produce a series of more advanced courses on the HIPAA Privacy and Security Rules: http://www.ahima.org/education/onlineed/Programs/hipaa

Professor Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. One of the world’s leading experts in privacy law, Solove has taught privacy and security law for 15 years, has published 10 books and more than 50 articles, including the leading textbook on privacy law and a short guidebook on the subject. His LinkedIn blog has more than 890,000 followers: http://www.linkedin.com/today/post/articles/2259773

Professor Solove organizes many events per year, including the new Privacy + Security Forum, Oct. 21-23, 2015 in Washington, DC: http://privacyandsecurityforum.com

About TeachPrivacy

www.teachprivacy.com