This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.

The information a company collects from its clients is the bedrock of any business. Whether it is a customer’s shopping preference, credit card number, personal details, or information about legal or medical issues, keeping high-value information secure is essential to retaining customer trust and operating a profitable business. Indeed, an organization need not look much further than the recent celebrity account-hacking incident to learn a critical lesson; no matter whom the information is stored with or how large the provider is, protecting critical information requires an understanding of infrastructure limitations and user-level security procedures that address them.

The first step to properly securing information and preventing a breach is a thorough understanding of the technological security available to an organization and its information management systems. This process differs by organization and even within the organization itself if the organization collects a diverse amount of information. Before implementing any system, including hosted solutions, it is important for an organization to vet the technology and protocols after consultation with counsel because different types of information require different protections as required by law and the default security options may not be sufficient. For instance, HIPAA governs medical information, the Gramm Leach Bliley Act governs financial data, while still other laws or regulations address security for credit card information or social security numbers. For companies that contract with a cloud provider for information management services, the review process may be as simple as reviewing the cloud provider’s existing security protocols and perhaps engaging in a dialog with the provider for additional protections as may be required by the laws and regulations for the subject industry. For organizations building their own information management platforms, this step requires careful consideration of the type of information to be retained, how the system will be designed and implemented, and who will be operating and monitoring the system on a daily basis.

Yet, despite the security features employed to secure a particular system, user-level security protocols that address procedures for data use and security are essential because each employee that has access to information is a potential entry point for a hacker. As such, a company’s information is only as secure as the easiest password to crack.  Indeed, one theory for the recent Apple breach is that the hacker gained access through valid user credentials.  The breach highlights the need for employee-level protocols that address passwords and the proper procedures for the accessing information. For instance, a comprehensive Bring Your Own Device Policy (“BYOD”) provides a method for an organization to establish what employees are allowed to access from their personal laptops or cell phones and what level of security or encryption their devices should have for the information that the employee has access to.  In addition, organization wide protocols should require users to have a “strong password,” a password that includes a combination of special characters, numbers, and capital letters. Similarly, organizations would be well served by reviewing their password reset protections as well. Reset options that include “security questions” are typically not as secure as procedures that require the user to follow a link to reset their password or that require password resets to be completed over a phone or other link outside the network. Organizations can also investigate the costs of a protocol for locking out user credentials after a certain number of unsuccessful attempts to log into the network. Finally, organizations may consider a protocol that comprises two-step authentication, a password and changing personal PIN number, for highly sensitive data.

In addition to organization-wide password and device management policies, organizations can protect their information by ensuring that the data is encrypted at rest, before it is stored, especially if the data is stored off-site or with another organization, such as a cloud provider. By encrypting the data before it is stored and retaining the encryption keys in a secure location, an organization can ensure that, in the event of a breach, the only data that a hacker can obtain is in an unusable form. To be sure, encrypting data before it is sent off-site is particularly important, and sometimes required by law or the provider’s terms of use.

In sum, despite the protections offered by cloud providers and the benefit to an organization of relying on a provider’s expertise, an organization’s information is only as safe as the security at its weakest point. The Apple iCloud celebrity photo hack stands as a prime example of the risk of not being vigilant with regard to security. However, a thorough review of available information security technologies, appropriate organization-wide policies, and encryption can often mitigate the risk of a data incident for an organization.

—

By Kenneth N Rashbaum Esq. and Jason M. Tenenbaum of Barton, LLP.