Protecting Data Assets, Part 1 (of 3)
Without the ability to use electronic data, most organizations would come to a grinding halt.
Given the role electronic data plays in business today, it is now one of the most valuable assets a company owns or controls. Through state-of-the-art information systems, almost every company now stores, communicates and exchanges vast amounts of data.
Yet many organizations fail to protect their electronic data from internal and external threats. The 2000 Computer Security Institute (CSI)/FBI Annual Review of more than 680 businesses and governmental organizations reported that over 90 percent of the respondents detected computer security breaches during the prior 12 months. Seventy-four percent of the respondents acknowledged financial losses due to computer breaches. The loss was not inconsequential--273
respondents quantified their losses at a total of $265,589,940--an average loss of slightly less than $1 million per respondent.
Actual financial loss associated with security breaches described by the CSI/FBI Annual Review is only part of the story. An even larger threat exists in the form of lawsuits that are waiting to be filed by customers, business partners, employees, individuals and/or classes claiming damages due to system disruption, disclosure of data and loss of privacy. The damages from these sorts of suits have the potential to far exceed damages from pure economic loss of data.
So what is being done to address these enormous risks? In many cases surprisingly little. Company inaction is not the result of a lack of interest or care. Rather, many organizations have failed to take affirmative steps due to their inability to recognize the problem, the lack of any accepted standards and methodology for ensuring data integrity and confidentiality, and the oftentimes erroneous assumption that such loses are covered by insurance policies.
Know Your Assets
To understand the scope of the problem, electronic data within your organization must first be located and identified. Because this data is in an electronic format, it can be especially difficult to find. Therefore, as with any asset, an inventory must be conducted. Similar to the inventories done for Y2K remediation, an organization should itemize all electronic data it uses, stores or maintains. Most companies will be surprised at the amount of data they have and what little protection it is afforded.
Once your organization inventories all electronic data it stores, uses and maintains, the list may include confidential, proprietary, sensitive and trade-secret data. For example, most organizations maintain in electronic format all of their existing and future business processes. As Microsoft learned when hackers broke into the company's system and accessed the source code for Windows and future Office products, disclosure of trade secrets can have major consequences. Additional examples of trade secrets include business and marketing plans, customer lists and prospects. Keep in mind that the majority of trade-secret information a company owns is not protected by patents or copyrights. Instead, it is only protected so long as it is kept secret, or out of the public domain.
Other types of electronic data may be proprietary financial data. This can include electronic data about payments, receivables and reimbursements. Most companies maintain all of their internal accounting information in an electronic format. Companies also store confidential information about
former and prospective employees.
Track Your Data
Another aspect of an electronic data inventory is how the data is stored. Is the data kept on someone's hard drive or is it networked locally or through the Internet? No matter how the data is kept, there exists a risk of improper use or disclosure from an infinite number of sources.
The next step in identifying a company's electronic data assets is to trace the transmission of the data, both internally and externally. Where does the data go when it is used by the organization or externally? Keeping track of this information will help identify the vulnerabilities that data faces from various sources.
Once your data is identified and inventoried, the next step is to decide what security measures the data should be afforded. As mentioned above, one of the greatest risks a company faces is from lawsuits filed by customers, business partners, employees, individuals and/or classes claiming damages due to system disruption, disclosure of data and loss of privacy. These suits will be premised on the notion that an organization failed to adhere to a standard of due care and thus acted negligently.
In the area of electronic data security, there are some standards that are
beginning to emerge that prescribe what protection or due care data must be afforded. Most of these standards are, however, strictly voluntary. The only mandatory ones are in the areas of health data security, as imposed by the Health Insurance Portability and Accountability Act and personal records held by federal government contracts, under the Privacy Act.
Security standards that are available include: Generally Accepted
Principles and Practices for Securing Information Technology Systems; NIst Sept. 1996, An Introduction to Computer Security; NIst Special Publication 800-12; British standard 7799, published by the British standards Institute; and Office of Management and Budget Circular A-130, that establishes policy for federal
information resource management. These documents, by themselves or collectively, are an excellent source for any organization to look for best practices for information security.
Finally, establish a compliance program. Many of the existing compliance program models can be adapted for security. For example, the Federal Sentencing Guidelines identify seven elements for an effective plan to mitigate violations of law. Organizations that implement these elements are eligible for a reduction in their federally imposed fine or penalty. Compliance with the basic elements of a compliance program will demonstrate that your organization adheres to a standard of due care when it comes to the protection of data. More important, if an action is filed against your organization, compliance will likely reduce the chance of a court finding negligence in performance of your company's duties.
As a general matter, a security plan should be implemented through written policies and procedures that provide the basis for an assessment of the organization's compliance with standards and requirements as well as the authorization and consent requirements.
A security program is, in essence, prima facie evidence of an organization's compliance with good business practices or an industry standard of due care for the protection of information. A security program will ultimately reduce the cost of handling data through lower liability costs and enhanced public reputation.
This column is intended as a guide to general business practices and should not be misconstrued or acted on as legal advice or comprehensive instruction.