It's Raining PII in New York
On November 25, 2012, the front page of the New York Post blasted the headline, “Drop Secret. Shred Alert! Covert cop files used as parade confetti.” The Post reported that shredded files appearing to contain material from Long Island’s Nassau County Police Department were dropped during this year’s Thanksgiving Day parade. The confetti reportedly contains the names and social security numbers of detectives as well as other confidential information. An anonymous law enforcement source indicated that the documents were to have been shredded and then burned. The Police Department is investigating and has vowed to conduct a review of its procedures “for the disposing of sensitive documents.” Although most data breaches don’t result in PII being strewn throughout the streets of New York, they can and often do become front page news and can have serious legal, regulatory, financial and reputational consequences. Notably, the most common cause of data breaches is not sophisticated professional cyber-attacks, but simple human error.
Regardless of how the confetti investigation plays out, this incident should serve as a reminder to all organizations to consider their own risk management plans, including the following factors:
- Review your internal policies and procedures and make sure they’re up to date. The statutory and regulatory framework governing confidential information is constantly evolving and must be incorporated by your organization. Federal statutes such as HITECH, HIPAA and Gramm-Leach Bliley must be considered, and the 46 state laws seem to always change with respect to notification and security requirements. If your organization conducts business outside of the US, requirements of foreign laws must be incorporated into your policies and procedures. Remember, having a policy your company does not follow is worse than not having a policy at all; therefore, ensure that your policies are distributed to, and followed by, employees.
- Review your incident response plan regularly and ensure that the team members are prepared to jump in when an incident occurs.
- Hire a consultant to conduct a yearly security risk assessment to identify any vulnerability in your processes and procedures for handling confidential data. Some laws, such as HIPAA, require periodic risk assessments. And, it is good practice as organizational risks change with changing practices.
- Education of employees is critical to the success of any compliance program. Make sure all employees are educated and trained concerning those policies and procedures and any laws and regulations that apply to your business. There are laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, that mandate these types of training programs.
- Work closely with your business partners to ensure that they are properly handling your confidential data. Vendors are the cause of at least 1/3 of all data security incidents.
- Cyber insurance can help organizations respond to and mitigate the harmful consequences of a data breach. Indeed, the SEC wants companies to consider insuring these risks. Insurance should be considered an important piece of your risk management plan.