Tag: data security

The Data Security and Breach Notification Act of 2015

Jackson Lewis P.C.

On March 25, 2015, the United States House of Representative, Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation which would replace state data breach notification laws with a national standard.  This draft legislation comes on the heels of the President’s call for a national data breach notification law.  The proposed legislation is identified as the “Data Security and Breach Notification Act of 2015.”

The overview of the draft provides that “Data breaches are a growing problem as e-commerce evolves and Americans spend more of their time and conduct more of their activities online. Technology has empowered consumers to purchase goods and services on demand, but it has also empowered criminals to target businesses and steal a host of personal data. This costs consumers tens of billions of dollars each year, imposes all kinds of hassles, and can have a lasting impact on their credit.”  Like many existing state laws, the proposal would require companies to secure the personal data they collect and maintain about consumers and to provide notice to individuals in the event of a breach of security involving personal information.

The draft legislation contains several key provisions:

  • Companies would be required to implement and maintain reasonable security measures and practices to protect and secure personal information;

  • The definition of personal information is more expansive than most state breach notification laws, including home address, telephone number, mother’s maiden name, and date of birth as data elements;

  • Companies are not required to provide notice if there is no reasonable risk of identity theft, economic loss, economic harm, or financial harm;

  • Companies would be required to provide notice to affected individuals within 30 days after discovery of a breach;

  • The law would preempt all state data breach notification laws;

  • Enforcement would be by the Federal Trade Commission (FTC) or state attorneys general; and

  • No private right of action would be permitted.

The measure must now be formally introduced in the House of Representatives before further action can be taken.  Notably, similar measures introduced in the past in an effort to nationalize data breach response have all failed.  However, given the number of individuals affected by, or likely to be affected by, a data breach and the fact identity theft has topped the FTC’s ranking of consumer complaints for the 15th consecutive year, support for a national data breach notification law has never been stronger.

ARTICLE BY

Jason C. Gavejian
Jackson Lewis P.C.
Workplace Privacy Blog

New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United Sates, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).

ARTICLE BY

Michael L. Pillion
A. Benjamin Klaber
Morgan, Lewis & Bockius LLP

New State Privacy Laws Go Into Effect on Jan. 1, 2015 (California and Delaware)

State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.

Amendments to California’s Data Security and Breach Notification Law

In October 2014, California Governor Jerry Brown signed into law California bill AB 1710, an amendment to California’s existing data security and breach notification law. As a result, the following changes to California’s law will go into effect on Jan. 1:

1. Companies that maintain personal information about Californians will need to implement and maintain reasonable security procedures and practices.

California’s current data security and breach law requires companies that own or license personal information about Californians to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”  For purposes of this data security requirement, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code.

Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.

As of Jan. 1, California law will require companies that merely “maintain” personal information about Californians (such as cloud providers), but do not own or license the information, also implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

2. Companies that maintain personal information about Californians will be required to immediately notify the owner or licensee of the personal information in the event of a breach.

California currently requires companies that own or license personal information to disclose a data breach where it is reasonably believed that unencrypted personal information about a Californian was acquired without authorization. Current law also provides that such disclosure be made “in the most expedient time possible and without unreasonable delay.”

As of Jan. 1, companies that maintain personal information will be required to notify the owner or licensee of the personal information “immediately” after discovery of a breach if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

For purposes of data breach disclosure, “personal information” includes login credentials (“[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account,”) as well as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code.

As a reminder, other than for user name and password breaches (discussed below), current California law requires that a breach notification must be written in plain language and must include specific types of information about the breach.

Where the security breach involves the breach of online account information and no other personal information, then California law requires a business to provide the security breach notification in electronic or other form, directing the person whose personal information has been breached to promptly change her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with that business as well as all other online accounts for which the person uses the same name or email address and password or security question or answer.

However, where the security breach involves the breach of login credentials of an email account provided by a business, the business must not send the security breach notification to that email address. Instead, the business may comply with California law by providing notice by hard copy written notice or by clear and conspicuous notice delivered to the individual online when the individual is connected to the online account from an IP address or online location from which the business knows the resident customarily accesses the account.

3. After a breach, companies might be required to provide free identity theft prevention and mitigation services for 12 months.

AB 1710’s co-author stated in a press release that the bill “[r]equires the source of the breach to offer identity theft prevention and mitigation services for 12 months at no cost to individuals affected by a data breach. However, it is not clear whether this position is supported by the text of the bill, which only states that “if any” identity theft prevention and mitigation services are to be provided, then such services must be provided for 12 months at no cost.  An earlier version of the bill had stated that identity theft and mitigation services “shall beprovided” to individuals affected by a data breach.

Given the ambiguity of the requirement to provide free identity theft prevention and mitigation services, whether and how this provision will be enforced in 2015 is something to watch.

4. Companies may not sell, advertise for sale, or offer to sell an individual’s social security number.

The amendment also includes a new prohibition on social security numbers. As of Jan. 1, California law will prohibit the sale, the advertisement for sale, and the offer to sell an individual’s social security number. Businesses that own, license, or maintain information on an individual’s social security number will want to keep this new prohibition in mind when contemplating data transfer or broker agreements, or other transactions involving the personal information of Californians.

California’s New Minor Privacy Marketing and Privacy Law

California’s “Privacy Rights for California Minors in the Digital World Law”, SB 568, (1) bars some online operators from marketing certain products and services to minors, and (2) allows minors under 18 to request deletion of certain content from websites on which they have registered (known informally as the “eraser law.”)

1. Restrictions on Marketing to Minors

Operators of websites, online services, online applications, and mobile applications that are directed to minors are prohibited from marketing or advertising the following products and services:

  • Alcoholic beverages

  • Tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance

  • Electronic cigarettes

  • Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A

  • Drug paraphernalia

  • Firearms or handguns, ammunition or reloaded ammunition, handgun safety certificates, BB device

  • Less lethal weapons

  • Dangerous fireworks

  • Aerosol containers of paint capable of defacing property

  • Etching cream capable of defacing property

  • Tanning in an ultraviolet tanning device

  • Dietary supplement products containing ephedrine group alkaloids

  • Tickets or shares in a lottery game

  • Body branding or permanent tattoos

  • Obscene matter

These operators also are prohibited from: (1) knowingly using, disclosing, or compiling a minor’s personal information for the purposes of marketing or advertising any of those prohibited products or services, and (2) knowingly allowing a third party to use, disclose, or compile the minor’s personal information to market or advertise these products or services.

If an operator has actual knowledge that a minor is using the services, the operator may not target marketing or advertising to that minor based on the minor’s personal information.  The operator also may not use, disclose, or compile the minor’s personal information to market or advertise the prohibited products or services, nor may the operator allow a third party to use, disclose, or compile the minor’s personal information for the prohibited products and services.

2. Deletion Requirement

If a minor is a registered user of a website, online service, online application, or mobile application, the operator must allow the minor to remove content and information that the minor had publicly posted on the website, service, or app.  Operators also are required to provide notice of this right to registered minors.

Operators are not required to delete content or information if:

  • Any federal or state law requires the operator to maintain the content or information;

  • The content or information was provided by an individual other than the minor;

  • The content or information is anonymized;

  • The minor did not properly follow the instructions for requesting deletion; or

  • The minor received compensation or consideration for providing the content.

Amendments to California’s Invasion of Privacy Law

California’s Invasion of Privacy law will also receive an update on January 1, 2015. The California Invasion of Privacy law currently prohibits the attempt to capture, in a manner that is offensive to a reasonable person, any type of visual image, sound recording, or other physical impression, when the person is engaged in a personal or familial activity under circumstances where they had a reasonable expectation of privacy. Current California law prohibits the activities described where the attempt to capture is done through a visual or auditory enhancing device. As of January 1, 2015, the above activities will be prohibited when done using any device.

New Delaware Data Destruction Law

Companies conducting business in Delaware will be required to take all reasonable steps to destroy or arrange for the destruction of a consumer’s personal identifying information when those records are no longer retained. Destruction may occur by shredding, erasing, or otherwise destroying or modifying the personal identifying information so as to render the information unreadable or indecipherable.

The Delaware law defines personal identifying information as a consumer’s first name or first initial and last name in combination with one of the following: signature; date of birth; social security number; passport number; driver’s license or state identification card number; insurance policy number; financial services account number, bank account number, credit card number, or other financial information; or confidential health care information.

Entities subject to the Gramm-Leach-Bliley Act, covered entities subject to HIPAA, and consumer reporting agencies subject to the FCRA are exempt from the new law. Other entities, however, may be subject to private enforcement actions, which allow for the recovery of treble damages. These have the potential to add up quickly, as each record unreasonably disposed of constitutes a violation under the statute. In addition, the Delaware Attorney General and Division of Consumer Protection of the Department of Justice may bring suit in certain circumstances.

ARTICLE BY

David N. Fagan
Kurt Wimmer
Jeff Kosseff
Katherine R. H. Gasztonyi
OF
Covington & Burling LLP

FCC: The New Data Security Sheriff In Town

Proskauer Law firm

Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring.  The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission.  In its 3-2 vote, the FCC did not tread lightly – it assessed a $10 million fine on two telecommunications companies for failing to adequately safeguard customers’ personal information.

The companies, TerraCom, Inc. and YourTel America, Inc., provide telecommunications services to qualifying low-income consumers for a reduced charge.  The FCC found that the companies collected the names, addresses, Social Security numbers, driver’s licenses, and other personal information of over 300,000 consumers.  The data was stored on Internet servers without password protection or encryption, allowing public access to the data through Internet search engines.  This, the FCC found, exposed consumers to “an unacceptable risk of identity theft.”

The FCC charged the companies with violation of Section 222(a) of the Communications Act, which it interpreted to impose a duty on telecommunications carriers to protect customers’ “private information that customers have an interest in protecting from public exposure,” whether for economic or personal reasons.  Additionally, the companies were charged with violation of Section 201(b), which requires carriers to treat such information in a “just and reasonable” manner.

The companies were determined to have violated Sections 201(b) and 222(a) by failing to employ “even the most basic and readily available technologies and securities features.”  The companies further violated Section 201(b), the FCC found, by misrepresenting in their privacy policies and statements on their websites that they employ reasonable and updated security measures, and by failing to notify all of the affected customers of the data breach.

Commissioners Ajit Pai and Michael O’Rielly dissented, arguing that, among other things, the FCC had not before interpreted the Communications Act to impose an enforceable duty to employ data security measures and notify customers in the event of a breach.  Though now that the FCC has so-interpreted the Act, we can expect the FCC to keep its eye on data security.

The FCC made clear that protection of consumer information is “a fundamental obligation of all telecommunications carriers.”  Friday’s decision also makes clear that the FCC will enforce notification duties in the event of a breach, and will look closely at carriers’ privacy policies and online statements regarding data security.

ARTICLE BY

David A Munkittrick
OF
Proskauer Rose LLP

Trade Secret Misappropriation: When An Insider Takes Your Trade Secrets With Them

Raymond Law Group LLC‘s Stephen G. Troiano recently had an article, Trade Secret Misappropriation: When An Insider Takes Your Trade Secrets With Them, featured in The National Law Review:

RaymondBannerMED

While companies are often focused on outsider risks such as breach of their systems through a stolen laptop or hacking, often the biggest risk is from insiders themselves. Such problems of access management with existing employees, independent contractors and other persons are as much a threat to proprietary information as threats from outside sources.

In any industry dominated by two main players there will be intense competition for an advantage. Advanced Micro Devices and Nvida dominate the graphics card market. They put out competing models of graphics cards at similar price points. When played by the rules, such competition is beneficial for both the industry and consumers.

AMD has sued four former employees for allegedly taking “sensitive” documents when they left to work for Nvidia. In its complaint, filed in the 1st Circuit District Court of Massachusetts, AMD claims this is “an extraordinary case of trade secret transfer/misappropriation and strategic employee solicitation.” Allegedly, forensically recovered data show that when the AMD employees left in July of 2012 they transferred thousands of files to external hard drives that they then took with them. Advanced Micro Devices, Inc. v. Feldstein et al, No. 4:2013cv40007 (1st Cir. 2013).

On January 14, 2013 the District Court of Massachusetts granted AMD’s ex-parte temporary restraining order finding AMD would suffer immediate and irreparable injury if the Court did not issue the TRO. The TRO required the AMD employees to immediately provide their computers and storage devices for forensic evaluation and to refrain from using or disclosing any AMD confidential information.

The employees did not have a non-compete contract. Instead the complaint is centered on an allegation of misappropriation of trade secrets. While both AMD and Nvidia are extremely competitive in the consumer discrete gpu market involving PC gaming enthusiasts, there are rumors that AMD managed to secure their hardware to be placed in both forthcoming next-generation consoles, Sony PlayStation 4 and Microsoft Xbox 720. AMD’s TRO and ultimate goal of the suit may therefore be to preclude any of their proprietary technology from being used by its former employees to assist Nvidia in the future.

The law does protect companies and individuals such as AMD from having their trade secrets misappropriated. The AMD case has only recently been filed and therefore it is unclear what the response from the employees will be. What is clear is how fast AMD was able to move to deal with such a potential insider threat. Companies need to be aware of who has access to what data and for how long. Therefore, in the event of a breach, whether internal or external, companies can move quickly to isolate and identify the breach and take steps such as litigation to ensure their proprietary information is protected.

© 2013 by Raymond Law Group LLC

When the Sky’s the Limit, Don’t Forget the Basics: Social Media, the Internet and Your Business

The National Law Review recently published an article by Charles H. Gardner of Much Shelist, P.C. regarding Social Media and Businesses:

In today’s diverse marketplace, social media sites, as opposed to a company’s own branded website, are poised to become a primary and potentially first point of contact with current and future generations of consumers. Techrevel.com recently reported that 56% of consumers who use Facebook, as an example, say that they are more likely to recommend a brand after becoming a “fan.” With the number of Facebook users approaching one billion, a strong social media presence has become a de facto mandate for businesses.

In response, start up and established businesses are growing more reliant on the Internet, and social media in particular, for marketing and sales. According to a recent Forrester Research study cited on Statistica.com, social media marketing expenditure is expected to grow to $5 billion in 2016, up from approximately $1.6 billion in 2011.

In this context, you may be exploring the possibility of making your company website more interactive. From a business perspective, creating a user experience on your branded website that is simpatico with social media reanimates the end user’s experience and revitalizes your brand. From a legal perspective, however, you may wonder how to enter (or expand your presence in) this pioneer media. How do you balance the advantages of interactivity with the added burdens of creating, maintaining and updating essential privacy, data security and other policies?

You can start by asking―and answering―the following questions:

Does your website have a privacy policy that is compliant with all federal, state and territorial laws?

Federal law (and several state laws) mandates that companies inform their users about the personally identifiable information (PII) they collect, how the company uses it, with whom the company may share it, and how users may “opt-out” of having their PII collected and shared. PII includes information such as name, social security number, biometric records, etc., that alone or when combined with other information such as date and place of birth, mother’s maiden name, etc., can be used to trace an individual’s identity. Because many states have regulations that are more restrictive than federal regulations, you should seek to comply with the laws of the most restrictive states. These laws may apply not only to information that you collect from your own company website, but also from your company social media pages.

Every company with a presence on the internet should have a privacy policy that is compliant, proactive and forward thinking. If you have a strong international presence, it should address issues of global compliance as well.

If your company website is interactive or likely to become interactive, are you following proper procedures to shield the company from liability?

Consumers are likely to continue their use of third-party social media sites, including Facebook, as an interactive first point of contact with a company. However, as branded company sites begin to mirror the functionality of traditional social media sites, company sites are including interactive features from blogs and community chat rooms to video sharing  and personalized profile pages that allow the posting of user-generated content (UGC). If your website includes these or similar features, then you are, in fact, also an interactive website.

There are two important legal protections for operators of interactive computer services. The Communications Decency Act (CDA) provides safe harbor (immunity from liability) for Internet Service Providers (ISPs). This shields an ISP from liability arising out of civil causes of action such as defamation, invasion of privacy, trade libel, etc. As a very general rule, as long as the provider is not a publisher of the content (importantly, they merely provide a place to post the content; they do NOT contribute to or edit it), they will not be held liable for the original posting of the offending UGC. While the term ISP is traditionally applied to services such as Yahoo!, Google, and AOL, recent case law suggests that if you operate an interactive computer service, you should, for the practical purpose of maintaining safe harbor protection, consider yourself a sort of ISP.

The Digital Millennium Copyright Act (DMCA) also contains important safe harbor provisions. Under the DMCA, “an operator of interactive computer services” is immune from liability for intellectual property (primarily copyright) infringement by a third party using the service provided that the provider follows certain registration, compliance and procedural guidelines.

Do you post and require users to agree to your company website’s terms of use?

One of the most valuable policies for a website owner is a terms of use policy (sometimes called “house rules” or a “user agreement”). Your terms of use tell your users what they can reasonably expect when using your site. For example, you may prohibit certain activities, such as hate speech, personal attacks, posting materials to which the user does not have the requisite legal rights, etc. By setting the ground rules of what you will allow on your site, you can monitor UGC for violations of the policy and remove or refuse to post such material objectively based upon your site’s posted terms and preserve your safe harbor protection. Remember, if an ISP edits or modifies content, it is treated as a publisher of content and can lose safe harbor protection. However, if an ISP removes content in its entirety for violating a documented policy, the ISP is not considered a publisher and is protected under the CDA for example.

A well-crafted terms of use policy, if correctly written and agreed to, also forms a “contract” between the end user and the website operator. For example, arbitration clauses can minimize the likelihood of class action lawsuits and the potentially negative publicity of high-profile trials. A transparent policy can also set reasonable expectations, engender goodwill and protect the company website owner.

Do you have internal procedures and policies in place to address data security, data breaches and personnel practices?

As soon as reasonably possible, before or after your site goes live, you should discuss data security with your attorney and a qualified information technology (IT) representative. Like privacy policies, data security policies should comply with federal law and regulations, as well as the laws of the most restrictive U.S. state or territory. It is wise to have written procedures for data protection and breaches, which should be provided to any personnel who will be dealing with the company’s electronically stored information (ESI), particularly to the extent that the ESI contains end users’ PII.

You should also have a separate personnel policy that educates your employees and contractors about the use of company technology, social media and the Internet, and that protects your company without unreasonably or illegally restricting your employees’ activities.

As a practical matter, social media is no longer merely an optional business tool. It is a primary source of communication, information and advertising. Developing sound social media and technology policies as early as possible can reduce your liability and exposure and allow your company room to grow in this new online world.

© 2012 Much Shelist, P.C.

Data Security Breach Alert: 1.5 Million Credit Card Customers Affected

The National Law Review recently published an article regarding A Recent Security Breach written by Adam M. Veness of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

Global Payments, Inc. (NYSE: GPN) (“Global”) has reported a significant data security breach for approximately 1.5 million credit card customers.  According to astatement that Global released on Sunday, their investigation has revealed that “Track 2 card data may have been stolen, but that cardholders’ names, addresses and social security numbers were not obtained by criminals.”  Using Track 2 data, a hacker can transfer a credit card’s account number and expiration date to a fraudulent card, and then use the fraudulent card for purchases.

As a result of the breach, Visa has removed Global from its list of companies that it considers to be “compliant services providers.”  In an effort to calm consumers, Global issued a press release today assuring that “[b]ased on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

The incident reinforces the importance of maintaining adequate data security.  Companies must take ample precautions to secure their customers’ data, and if they fail to do so, they may be vulnerable to a serious security breach that could adversely affect their bottom line.  As of the time of this post, Global’s stock price has fallen approximately 12% since the data breach news was announced.  Even when following best practices in data security, companies still may face data security breaches.  Despite these inevitable risks, companies should do everything reasonably required to protect against data breaches.  If a company can show that it has taken the proper precautions, then this may mitigate or reduce potential liability in the event of a breach.  After a breach, companies should ensure that they follow all of the strict legal requirements for notifying customers of the breach and remedying the effects of the breach.  Doing so may greatly reduce a company’s exposure to customer lawsuits and government action against the company.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

The Anatomy of Data Risk Management

An article by Risk and Insurance Management Society, Inc. (RIMS) recently found in The National Law Review focused on Data Risk Management:

Think of data as a living organism.

Just like a human body, data has various components and life support systems that must be maintained to ensure the whole thrives and survives. You can think of a data risk specialist as a doctor trying to keep the organism healthy through its various life stages.

Data, our hypothetical patient, (you’re welcome Star Trek fans) needs a safe and healthy environment, a supportive lifestyle and good hygiene. Just as a doctor has to consider external threats (“do you smoke?”) so does the data risk manager.

Let’s look at what this all means, and how this philosophy can be applied to your businesses policies and practices.

Data, our hypothetical patient, has three basic forms: paper, electronic and human memory.  A good data risk management plan must consider all three.

Controlling paper and electronic data is what we think of most when considering data security. This is your standard (or what should be standard) security policy, access controls procedures, system audits, and the like. It’s where security planning meets IT.

Human memory is a little more elusive. Education, security training and a reward-demotion plan can help control human errors, as can confidentiality agreements, and project-specific security contracts. These are the tools of teachers and lawyers. Generally speaking, there are four key rules to protecting data in all its forms:

  1. Be stingy with sensitive data, internally and externally;
  2. Provide access to data on a need-to-know basis;
  3. Provide access only to that specific data, rather than entire data sets;
  4. Be deliberate in how data is handled, used and shared.

Data has a life cycle. If your data doesn’t, it should. Whether it’s government secrets or an online shopper’s credit card number, data is received or created within your company’s computer systems. It is used, maintained and stored. It is archived or destroyed. That data, in all cases, has three basic states: in action, in motion or at rest. Take the credit card number example: that information can be used, the card charged, or moved to another computer system, or archived. Use, motion, rest.

There are four fundamental rules regarding the life cycle of data:

  1. If the organization doesn’t need it, don’t collect it.
  2. If data must be collected, collect only what is needed.
  3. If data is needed, control it and encrypt it.
  4. When data is no longer needed, get rid of it – SECURELY.

Now that we know what data looks like (paper, electronic, mnemonic) and how it lives (in action, in motion, at rest) we should consider those external threats, namely data breaches. A data breach is an incident (or series thereof) in which sensitive, protected or confidential information has potentially been viewed, stolen or used with unauthorized access. This can be a hacker attack, an internal company mistake that results in exposed information or, in some cases, corporate or government espionage. A data breach can be anything that jeopardizes data.

These threats range from simple user negligence, operating or systemic issues, all the way to highly complex criminal attacks launched against your organization. As anyone who follows the tech news knows, sensitive consumer and business information has become a criminal commodity.

With this hostile environment in mind, it is imperative for the business to plan and prepare not only for the protection of their information, but also for the response and recovery of their data and business in the event of a data breach. For a data manager or security professional to fail to issue such a warning would be akin to that doctor not asking about smoking.

At the end of the day, data as an organism is more than an extended metaphor. It’s a means to look at your company’s data products in an abstract way and understand how it operates. This, in turn, will allow you to develop the proper health plan. Just like with our health, there is no single wonder pill. But there are data doctors out there who can analyze your businesses’ risk posture and recommend ways to get it in shape.

Brian McGinley, senior vice president of data risk management at Identity Theft 911 offers this well-written piece on the timely topic.

Risk Management Magazine and Risk Management Monitor. Copyright 2012 Risk and Insurance Management Society, Inc.