6
Background What do the above companies along with hundreds of others have in common? When it comes to their technology, there are at least three things. First, they all have or at least profess to have the finest I.T. (information technology) systems available. Second, they purport to have the brightest and finest I.T. technicians available maintaining their I.T. systems to ensure they are adequately protected from outside intrusion. Finally, all of them have experienced unauthorized access to their data and the release of private information of their employees, clients, and customers. The Issue Should unauthorized access and information releases be of concern to PEOs? Clearly the answer is yes! PEOs maintain the personal information of their corporate employees, worksite employees, and warehouse in their databases the information of previous employees, all of which can number from hundreds to millions of records. Yet when the question of unauthorized access to data is posed to PEO owners and officers, the response is often “we have a great computer system and our I.T. technicians have assured me that there is no chance of our data being accessed”. Sound familiar? While there are exceptions, generally Fortune 1000 companies have the most recent advances in I.T.

Privacy

  • Upload
    praxiom

  • View
    324

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Privacy

Background

What do the above companies along with hundreds of others have in common? When it comes to their technology, there are at least three things. First, they all have or at least profess to have the finest I.T. (information technology) systems available. Second, they purport to have the brightest and finest I.T. technicians available maintaining their I.T. systems to ensure they are adequately protected from outside intrusion. Finally, all of them have experienced unauthorized access to their data and the release of private information of their employees, clients, and customers.

The Issue

Should unauthorized access and information releases be of concern to PEOs? Clearly the answer is yes! PEOs maintain the personal information of their corporate employees, worksite employees, and warehouse in their databases the information of previous employees, all of which can number from hundreds to millions of records. Yet when the question of unauthorized access to data is posed to PEO owners and officers, the response is often “we have a great computer system and our I.T. technicians have assured me that there is no chance of our data being accessed”. Sound familiar? While there are exceptions, generally Fortune 1000 companies have the most recent advances in I.T. tools and technicians at their disposal. Yet, as previously noted, unauthorized access to their data still occurs. No firm in today’s world, PEOs included, can safely assume that unauthorized access to their data is not possible. Those who believe otherwise are most likely accepting substantial risk.

According to the Identity Theft Resource Center, through May of 2009 over 12,000,000 records containing personal information have been compromised. The Ponemon Institute, a privacy management research firm, indicates that data breaches cost on average over $197 per personal record compromised. The legal notification requirements of a breach, or even suspected breach, cost $10 to $12 per individual record with the balance being applied to individual credit monitoring services to prevent I.D. theft as well as actual individual I.D. theft resolution expenses. In 2007, a PEO experienced a breach that resulted in the loss of records of 159,000 former and current worksite and corporate employees. Using the numbers previously cited, a conservative

http://www.continental.com/web/en-US/Default.as
https://www.chase.com/
http://www.statefarm.com/index.a
https://my.t-mobile.com/
Page 2: Privacy

loss cost of this incident was over $1,500,000 not to mention the individual prevention and restoration costs.

Loss Drivers

There are three primary areas of data compromise. These are a) unauthorized access to data, b) lost or stolen information, and c) the acts of dishonest employees. We will explore each in more detail.

Unauthorized access to private information through a company’s I.T. system is the most common method of data compromise. Companies that maintain private information on individuals and businesses are obligated to safeguard this information utilizing the most current technology applications and methods available. Many states have enacted laws requiring this private information be encrypted. It is incumbent upon the owners of companies to be sure that this is the case, typically through their I.T. technicians. It is an ongoing evolving process that continually attempts to safeguard the data from unauthorized access.

Loss of Information. The second area of data breaches occurs due to the loss of information. Theft and/or loss of laptop and notebook computers is the leading cause of compromise. This is how the previously cited PEO in 2007 lost the personal records of 159,000 current and former employees.

According to the Ponemon Institute, over 12,000 laptop and notebook computers are lost in U.S. airports every week. Only 33% of these lost machines are ever reclaimed by the owners. As a result, over 400,000 machines are sold at airport auctions annually, intact with all the information in place when they were lost. These numbers do not include machines lost and stolen in other places.

According to employee surveys, over 58% of business laptops and notebooks contain private information of employees and clients on their hard drive. In order to eliminate this risk, PEOs should not allow corporate data to be kept on the laptop/notebook’s local hard drive. Remote data access should be through a secure private network or virtual private network via an internet connection with the data encrypted. Further, rules should be in place that forbids the transferring of corporate data to portable drives. Again, remote access should be granted only through secure networks.

Additional losses of data have occurred due to server theft, lost backup tapes, lost data tapes, and lost shipments containing data.

Employee Actions. Employees are the third largest source of unauthorized data releases. These releases can occur both through the I.T. system as well as through physical records. They can occur due to lax attitudes toward security as well as through dishonest acts. A recent study by the Ponemon Institute found that

Page 3: Privacy

employees are increasingly becoming more lax in their compliance with corporate data security. Consider the following survey responses:

61% download data to unsecured mobile devices 47% share passwords 43% have lost data bearing devices 21% have turned off their mobile devices security tools 57% said their employers data protection policies were ineffective 42% indicated there was poor communication and enforcement of data security

polices 58% said their employer failed to provide adequate data security awareness and

training

Dishonest acts by employees also contribute to this problem. There has been in increase in this area that may be attributable to the current economic conditions, a problem that has increased crime and employee dishonesty for society and businesses on a global basis. Last month, a major insurance company announced that their clients’ files had been compromised by a third party vendor’s employee who had been performing work for them. It could have just as easily been a direct employee. In this case, the employee had copied information from customers’ checks, recreated the checks on his computer, and then used the checks to make purchases. In other instances, employees have stolen the private information to steal identities, have sold the information both in hardcopy and electronic formats to others, and have provided to outsiders access information such as passwords etc. allowing them to steal the private information for dishonest purposes.

Risk Mitigation

What can a PEO do to protect itself from what could be a financially devastating situation including the potential for bankruptcy of the firm?

1. Institute mandatory criminal and credit background checks for all new corporate employees.

2. If you are outsourcing to others that have access to your corporate and worksite employee data, as well as your client companies’ data, ensure that your provider has employee security checks in place. Also make sure they agree contractually to assume responsibility on your behalf any consequences for the acts of their employees that compromise privacy.

3. Establish a corporate data security policy that is under constant review to ensure it remains current. The policy should not only be included in your employee manual and procedures, it must be communicated and training provided on an ongoing basis.

4. Be certain your I.T. technicians are constantly updating and testing your data security systems.

Page 4: Privacy

5. Engage an outside data security firm review to review your data security and test your I.T. system safeguards on a regular basis. This will not only help prove the security of your system, but provide a professional third party opinion on your security based upon their experience with their corporate clients facing the same issues.

Risk Transfer

Insurance may provide some peace of mind as a backup to your company corporate data security policy. The bad news is that the standard insurance purchased by PEOs typically does not provide any coverage for violation of privacy, and in fact most policies specifically exclude coverage for privacy issues. The good news is that insurance is available for such privacy breaches as a mitigation response should your PEO experience unauthorized access to your data. These specialty coverage insurance policies can provide coverage for notification expenses and/or to include the mitigation and restoration expenses associated with a privacy breach.

Closing

Privacy violations can be financially devastating to a PEO for both the immediate costs of an event as well as future revenues lost due to the bad publicity that occurs with these kinds of incidents. It is imperative that a best practices program of preparedness that includes I.T. security, compliance, training, and response be undertaken in order to avoid and limit the potential consequences of this all too often occurring situation.


Privacy notices: An explanation of privacy notices

Privacy notices: An explanation of privacy notices

Documents
Informational Privacy, Privacy Law, Consent, and Norms

Informational Privacy, Privacy Law, Consent, and Norms

Documents
STUDENTI LAVORATORI RIDUZIONE - ER.GO€¦ · studenti lavoratori riduzione identificativo cognome nome idoneità 965497 privacy privacy si 993496 privacy privacy no 1001318 privacy

STUDENTI LAVORATORI RIDUZIONE - ER.GO€¦ · studenti lavoratori riduzione identificativo cognome nome idoneità 965497 privacy privacy si 993496 privacy privacy no 1001318 privacy

Documents
Privacy issues and internet privacy

Privacy issues and internet privacy

Technology
De vijf hoofdvragen van privacy - bestuur.gooisemeren.nl · Lichamelijke privacy Gegevens-privacy Huiselijke privacy Communicatie - privacy Vier soorten privacy Art. 10 Grondwet Art

De vijf hoofdvragen van privacy - bestuur.gooisemeren.nl · Lichamelijke privacy Gegevens-privacy Huiselijke privacy Communicatie - privacy Vier soorten privacy Art. 10 Grondwet Art

Documents
Privacy Legislation Amendment (Enhancing Online Privacy

Privacy Legislation Amendment (Enhancing Online Privacy

Documents
Chap 10: Privacy in Computing. Privacy as an aspect of security Authentication effects on privacy Privacy and the Internet Privacy implications

Chap 10: Privacy in Computing. Privacy as an aspect of security Authentication effects on privacy Privacy and the Internet Privacy implications

Documents
How Privacy Relates to Security Privacy Symposium Privacy Certificate Program Training August 2008

How Privacy Relates to Security Privacy Symposium Privacy Certificate Program Training August 2008

Documents
Towards privacy preserving social recommendation under ...jundongl/paper/Towards privacy preserving social recommendation under personalized privacy settings ... privacy-preserving

Towards privacy preserving social recommendation under ...jundongl/paper/Towards privacy preserving social recommendation under personalized privacy settings ... privacy-preserving

Documents
Introduction to privacy protection Part 3 - Privacy

Introduction to privacy protection Part 3 - Privacy

Documents
Privacy Implications of Privacy Settings and Tagging in ...zannone/publication/... · Privacy Implications of Privacy Settings and Tagging in Facebook 1 Privacy Implications of Privacy

Privacy Implications of Privacy Settings and Tagging in ...zannone/publication/... · Privacy Implications of Privacy Settings and Tagging in Facebook 1 Privacy Implications of Privacy

Documents
E-Privacy – Privacy in the Electronic Society

E-Privacy – Privacy in the Electronic Society

Documents
PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training

PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training

Documents
15-744: Computer Networking L-23 Privacy. 2 Overview Routing privacy Web Privacy Wireless Privacy

15-744: Computer Networking L-23 Privacy. 2 Overview Routing privacy Web Privacy Wireless Privacy

Documents
Privacy and Privacy Rights

Privacy and Privacy Rights

Documents
EPIC - Electronic Privacy Information Centerepic.org/privacy/body_scanners/Mobile_Body_Scanner...EPIC - Electronic Privacy Information Center

EPIC - Electronic Privacy Information Centerepic.org/privacy/body_scanners/Mobile_Body_Scanner...EPIC - Electronic Privacy Information Center

Documents
Privacy statement and privacy management plan

Privacy statement and privacy management plan

Documents
NIST Privacy Framework: A Tool for Improving …...3 – Privacy privacy

NIST Privacy Framework: A Tool for Improving …...3 – Privacy privacy

Documents
Privacy engineering, CyLab privacy by design, privacy

Privacy engineering, CyLab privacy by design, privacy

Documents
The Privacy Symposium/HIPAA Summit Healthcare Privacy: The Perspective of a Privacy Advocate

The Privacy Symposium/HIPAA Summit Healthcare Privacy: The Perspective of a Privacy Advocate

Documents
Privacy Amendment (Enhancing Privacy Protection) Act 2012

Privacy Amendment (Enhancing Privacy Protection) Act 2012

Documents
Privacy Year in Review: Privacy Impact Assessments

Privacy Year in Review: Privacy Impact Assessments

Documents
PRIVACY AND RELATED ISSUES IN IT. Main points What is privacy? Privacy harms and benefits Privacy right Protecting privacy: Technology, markets,

PRIVACY AND RELATED ISSUES IN IT. Main points What is privacy? Privacy harms and benefits Privacy right Protecting privacy: Technology, markets,

Documents
Lecture 19 Page 1 CS 236 Online Privacy Privacy vs. security? Data privacy issues Network privacy issues…

Lecture 19 Page 1 CS 236 Online Privacy Privacy vs. security? Data privacy issues Network privacy issues…

Documents
IAPP Privacy Certification Web Privacy & Security Ruth Nelson Director and Co-leader, Privacy Practice Certified Information Privacy Professional

IAPP Privacy Certification Web Privacy & Security Ruth Nelson Director and Co-leader, Privacy Practice Certified Information Privacy Professional

Documents
Privacy Today Privacy Day January 28, 2008 International Association of Privacy Professionals

Privacy Today Privacy Day January 28, 2008 International Association of Privacy Professionals

Documents
Class 13 Internet Privacy Law European Privacy

Class 13 Internet Privacy Law European Privacy

Documents
Privacy Resources Resources Oct06 Column.pdf · COTSE-Privacy Resources - Privacy Watch Creating an Online Privacy Policy Cryptography and Security

Privacy Resources Resources Oct06 Column.pdf · COTSE-Privacy Resources - Privacy Watch Creating an Online Privacy Policy Cryptography and Security

Documents
Library privacy and the privacy audit

Library privacy and the privacy audit

Technology
A Random Matrix Approach to Differential Privacy and ... · privacy preserving models, Di erential privacy provides the strongest privacy guarantees. In this paper we propose a privacy

A Random Matrix Approach to Differential Privacy and ... · privacy preserving models, Di erential privacy provides the strongest privacy guarantees. In this paper we propose a privacy

Documents