Drip, Drip, Drop: Is Your Data Leaking?
BackBy Meagan Polakowski — Nov. 24, 2008
A data leak occurs almost every day in the U.S., and citizen and corporate information is stolen. Some leaks result from hackers gaining illegal access to restricted systems, but others occur because of human error at organizations such as hospitals, insurance companies and universities.
These data leaks range from the small — affecting just a few people — to the colossal — affecting millions, according to the Privacy Rights Clearinghouse’s list of data breaches.
Data breaches on the personal level can have devastating consequences, such as identity theft. But on the enterprise side, data breaches cannot only damage a company’s reputation but also result in the loss of future business, according to Mary Clarke, CEO of Cognisco, a knowledge assessment and learning solutions provider.
“A serious data leakage issue could haunt a business for years by impacting customer confidence and reducing future sales,” she said. “Once trust is lost among customers, it is not easily regained.”
The most recently documented data breach occurred at the University of Florida’s College of Dentistry. In early October, the college discovered that more than 330,000 patient records were compromised due to the presence of rogue software.
“This issue [of data security] affects not just an organization like the University of Florida, but many large organizations, both in the higher education community, as well as in the commercial space,” said Mark Bower, director of information protection solutions at Voltage Security, an enterprise security company specializing in information encryption.
“These days, things like Social Security numbers or any information that can be used to create an identity of a person certainly has value on the open market. And so any large system is going to be a target.”
One solution to the kind of data leakage that occurs as a result of hacking involves implementing technology that allows companies to share information only with business partners. Data-centric encryption allows records to be preserved in just that way.
“So I can encrypt, for instance, a Social Security number. I’ll still get some data that’s now encrypted and protected, but it still looks and feels like a Social Security number,” Bower said. “So even if [the system is] accidentally compromised, it will not have access to the real data.”
Such solutions have become much less complex and easier to implement than in the past, Bower added.
However, the other kind of data leakage — which results from employee error or misunderstanding — is a bit trickier to solve. An August report by research company InsightExpress found that two-thirds of employees have engaged in at least one security-threatening activity, such as failing to log off a work computer at the end of the day or storing a work laptop in an insecure location.
Just earlier this month, a Baylor Health Care System employee in Dallas left a laptop computer in his vehicle and it was stolen, resulting in the Social Security numbers of 7,400 patients being compromised. And in February, Milwaukee County officials in Wisconsin accidentally released a number of court records for posting to a third-party Web site. These records contained details including names and payments made for paternity tests and psychological evaluations.
For this reason, Clarke stressed the need for training and policies on data within the enterprise. Companies should start by assessing employees to find where misunderstanding is occurring, she said. Then, it is important to clarify “the roles and responsibilities of all job levels and [target] employees with responsibility for [data] transfer with additional training.
“Companies and employers may also want to impose stricter consequences for security-risky behaviors,” she noted.
Addressing data leakage through a combination of sound company polices, effective employee development and technology solutions will help industries fight the threat to organizations’ and the general public’s vital information.
– Meagan Polakowski, firstname.lastname@example.org