29 Jun 2015

Employees and Paper and Data Breaches


In addition to annual reports on data breaches already prepared by the Ponemon Institute and Verizon, the law firm Baker Hostetler launched its inaugural offering on this subject called “The Baker Hostetler Data Security Incident Response Report 2015.” The scope of the document is limited, as is the length (8 pages) when compared to Ponemon or Verizon. Rather than relying on extensive surveying, the report uses internal data gathered from the firm's privacy and data protection practice area. The report notes that the data references more than 200 data breach incidents on which the firm advised clients in 2004. The document provides a bit more shading to the tricky problem of data breaches and information security – especially in two areas: employee-caused breaches and paper-based data breaches.

There is a common perception that threats to organizations tend to be from external sources – primarily hackers from other countries. The BH report indicates that threat sources are much broader than high-profile security incidents would indicate. In the BH report, a specific cause could be identified for 139 of the 200 incidents. Of those, 51 incidents (37 percent) could be traced specifically to employee negligence and 22 incidents (16 percent) could be traced to insider theft. That is a total of 53% of incidents that trace back to employee causes.

Another misperception is that data breaches involve only digital information. Of the incidents that Baker Hostetler advised on in 2014, one in five (21%) involved paper. Organizations need to be aware of their hard copy practices as well as data security measures such as encryption and intrusion detection.

The firm offers a number of suggestions regarding proactive steps to mitigate the risks associated with information management. As expected, employee training and the use of third parties to identify areas of vulnerability are on the list. Also on the list is adequate due diligence of vendor capabilities and of the legal protections afforded to information in the hands of vendors. Make sure to review the capabilities of third-party information service providers and understand that security enhancements to protect information can be expensive. Operators, like Advanced, who invest in enhanced security may charge more than operators who leave information security to chance. In the long run, the protection of your information and reputation is worth the additional cost of protection.

Advanced implements industry best practices for the storage, transport and management of sensitive information. Call us at (323) 727-7277 or e-mail us at Cartons@advancedrecords.com if you need help in creating a vendor due diligence program, employee information security training, or for assistance in securing your sensitive information.