The TJX Companies, Target, and AT&T are just three of the big names to have been victims of massive data breaches in which sensitive personal and financial information was compromised. Although it might seem that large companies are the only potential victims, the risk is shared by any organization that houses or transmits such information.
If you think about it, the data necessary for ongoing administration of employee benefit plans is enough to make an identity thief’s mouth water—names, social security numbers, birth dates, addresses—pretty much everything except mother’s maiden name, favorite pet and name of first grade teacher.
With the rapid evolution of technology and the sophistication of the bad guys who wish to exploit it to their advantage, it is increasingly critical that we take steps to prevent them.
Rules of the Road
All but three states have enacted laws restricting when and how sensitive information can be electronically stored and transmitted, even for employers dealing with employee information. If you do business in Europe, the EU has enacted the Directive on Privacy and Electronic Communications.
In some of the strictest states, there are monetary penalties imposed on any party that does not take affirmative steps to protect certain information. For example, in Massachusetts, sending unencrypted personal information over the internet can result in civil penalties of up to $5,000 per violation. That means e-mailing an employee census file for 10 employees without some form of password protection or encryption could result in hefty fines even if there is no actual theft of the data.
In addition, both the SEC and FINRA have standards that investment professionals must follow to protect client records, and the SEC’s Office of Compliance Inspections and Examinations recently announced that it will begin examining broker-dealers and registered investment advisors with an eye on cybersecurity governance.
Protect Yourself and Your Data
While there are plenty of high tech methods of protecting your data, there are some simple and inexpensive steps you can also take.
Create a Data Usage Policy
For starters, create a company policy that describes how sensitive information can and cannot be used and by whom. This can be as simple as indicating that all personal information is to be held in the strictest of confidence at all times or as robust as breaking down the entire who, what, why, when and where. Note that data can be stolen in very low tech ways such as dumpster diving on trash day. So do not overlook something as obvious as requiring discarded hard copies to be shredded rather than just tossed in the trash can.
Once the policy is in place, be sure to communicate it to all employees. Consider including it in your employee handbook or otherwise making it a condition of employment, similar to other company policies and procedures. Highlighting it creates awareness at all levels of the organization and can make data security a part of the company culture.
Have a Rhyme and Reason for Data Accessibility
Start by asking whether all employees need to access all information all the time in order to effectively do their jobs. If not, consider restricting their system permissions to only that data or those systems they need. This could be determined by employee, title, job classification, location, etc.
It is also critical to review and understand how various systems handle passwords. At a bare minimum, a password should be required to access all systems that contain sensitive information. However, many systems include settings that can easily enhance security by:
- Preventing common, easily-guessed passwords such as “1234” or even “password”
- Setting passwords to expire at regular intervals such as every 90 days
- Prohibiting previously used passwords or those that are too similar to either the company name or an individual’s user ID
- Requiring passwords to be a certain length or include certain types of characters such as upper and lower case letters, numbers and/or punctuation marks
Assess the risks and burdens of these different options to determine which of them, if any, make sense for you.
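To make the list above concrete, here is an added example (not code from the article or from any particular system) of the kind of checks those settings implement: a rejected list of common passwords, a minimum length and character-class rule, a comparison against the company name and user ID, a reuse check against stored hashes of earlier passwords, and a 90-day expiry. The company name, limits and the common-password list are constructed, illustrative values, not any product's real configuration.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed policy values; a real directory or HR system exposes
# equivalents under its own setting names.
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5
COMPANY_NAME = "ExampleBenefits"  # hypothetical company name


def password_hash(password: str) -> str:
    """Digest used for the reuse check. Illustrative only: a production
    system keeps salted, slow hashes (bcrypt/scrypt), never plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def too_similar(candidate: str, reference: str) -> bool:
    """True when the reference (company name or user ID) is embedded in
    the candidate, ignoring case and any non-alphanumeric characters."""
    def strip(s: str) -> str:
        return re.sub(r"[^a-z0-9]", "", s.lower())
    ref = strip(reference)
    return len(ref) >= 3 and ref in strip(candidate)


def check_password(candidate: str, user_id: str, previous_hashes=()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common or easily guessed password")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Count how many character classes are present.
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < 3:
        problems.append("needs at least three of: lower, upper, digit, punctuation")
    if too_similar(candidate, COMPANY_NAME):
        problems.append("too similar to the company name")
    if too_similar(candidate, user_id):
        problems.append("too similar to the user ID")
    # Only the most recent HISTORY_DEPTH hashes count for reuse.
    if password_hash(candidate) in tuple(previous_hashes)[-HISTORY_DEPTH:]:
        problems.append("reuse of a recent password")
    return problems


def password_expired(last_changed: date, today: date = None) -> bool:
    """True once the password is older than MAX_AGE_DAYS."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    print(check_password("password", "jdoe"))
    print(check_password("Tr0ub4dor&3-xyz!", "jdoe"))
    print(password_expired(date(2024, 1, 1), date(2024, 6, 1)))
```

The similarity and reuse checks are the ones most often left switched off; the rest are usually a single setting in the system's password policy screen.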
Evaluate Data Transmission Methods
When transmitting sensitive information over the internet, try to use secure portals to upload or download information in lieu of e-mailing it. For example, our client portal employs leading-edge password protection and encryption to ensure our clients’ connections to our system are secure and direct. That means employee census files are uploaded directly to our secure site and not transferred over the unprotected internet. Many professional firms and service providers that work with protected information have similar portals.
If a secure connection is not available, files should, at a minimum, be password protected prior to transmission via e-mail or other means. Even the most ubiquitous desktop applications (Microsoft Office, Adobe Acrobat, etc.) allow this functionality with only a couple of additional clicks when saving files.
Of course, the recipient will need the password in order to open the file, but be sure you send it via a follow-up e-mail or alternative means rather than including it in the message that contains the protected file. After all, sending both the file and the password in the same message does not offer much protection if that message is intercepted.
Still another option is to implement logic on your e-mail server that automatically encrypts outbound messages that include sensitive information. Many e-mail setups, including cloud-based Microsoft Exchange services, offer this functionality at a nominal additional cost, and most include a setting designed to detect and encrypt strings of numbers that follow conventional formats such as social security numbers, credit card numbers, etc. Even if a user forgets to take precautions with the data, the server will do it for them.
For all of the aforementioned reasons, do not forget to consider how mobile devices factor into the equation. Some high profile data breaches have occurred when employees took unprotected laptops on business trips only to have them stolen. If employees can access sensitive data from their laptops, tablets and/or smartphones, make sure:
- Those devices are password protected
- Mobile access is limited to only the data the employee would be able to see while in the office
- You can remotely erase the device if lost/stolen or at least disable/reset that user’s login information
All are important considerations as today’s notion of “the workplace” is much broader than it once was.
Work With Professionals
Data security is a big deal. In the same way that you work with professionals for other critical yet complex business needs, it is also important to work with data security professionals. That might mean making sure your internal IT staff has the necessary training and experience to address your data security needs or hiring an outside consultant to evaluate your systems.
If you are located or do business in a state with particularly strict laws, this might mean hiring an attorney to review your policies and procedures to ensure you are in compliance. If you do not have the expertise yourself, work with someone who does.
Select Partners That Take Data Security Seriously
Even if you have taken the necessary security measures, you could still be vulnerable if your business partners have not. There is a saying that a chain is only as strong as its weakest link, and the same is true with the data transmission chain. Anyone with whom you share sensitive information should have systems and procedures in place designed to ensure its protection. If you are unsure about a current or prospective partner’s data protection policies, ask them.
We are not data security experts, but we have worked with outside professionals and implemented procedures to provide secure transmission and protect the sensitive information in our possession. Although technology creates an ongoing game of cat-and-mouse between those who wish to misappropriate data and those who wish to protect it, following the steps described in this article can be a great start to making sure your data does not have a target on it.