‘Hacktivists’ randomly exposing millions of dollars worth of personal and corporate information may grab media headlines, but more common — and equally disturbing — forms of data breaches relate to everyday carelessness with non-encrypted work data, according to a panel of experts discussing the topic on Apr. 11.
The Chartis-sponsored event, Data Breaches, Coming to a Network Near You, was held in Toronto on Apr. 11. Panelists at the event said companies need to do a better job of creating a “climate of security” regarding the everyday handling of sensitive work information that includes employee and client records.
This means more than making sure IT people plug any holes in the company’s software, observed Jason Straight, managing director of risk consulting company Kroll Inc. “There’s a patch for software, but there’s no patch for stupid.”
In his presentation, Straight observed that companies are still too casual about handling their sensitive information, needlessly exposing themselves to potential data breaches.
“I cannot tell you the sheer volume of the cases that we have of laptops that have been left at a supermarket parking lot,” he said. “We had one guy, he worked for the IT department of a major company, he left a laptop in his car when he went into the supermarket. It was stolen. And of course the data was not encrypted.
“You’d be amazed how many times that situation plays out.”
In addition, company employees and IT people can often be lax about passwords at work, caught in that grey area between securing information and simply trying to get their work done quickly.
“People make mistakes,” said Straight. “Sometimes it’s out of frustration of having to remember several passwords, so they just use the word ‘Password.’ Or they don’t change default passwords. I could speak for an hour about password data, but it is a huge issue and we see it again and again and again.”
A weak economy has also produced disgruntled employees, who may loot company data for the purposes of vengeance, sabotage or extortion.
Andrea Laing, partner at Osler Hoskin and Harcourt LLP, said encrypting data is crucial.
She noted the federal government introduced amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) in 2011 that would require companies to disclose a “material breach of security safeguards.”
Part of the notification test is whether “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
If data stolen from the company is encrypted, it will be a lot more difficult to prove that it might “harm” someone if stolen, said Laing. “Sometimes it might be unclear as to whether the information could be used in a harmful way, but I would say that whether or not the data has been encrypted is a very, very important consideration.”
Several panelists stressed the urgent need for companies to establish policies on the proper and improper use of data. Such policies can be used in court to establish that an employee who stole company information acted as a “rogue,” clearly contrary to company policy, which can help limit a company’s exposure to liability in the event of a data breach.