The end of 2013 has brought a flurry of privacy breaches, some big, some small, each with their own circumstances, each with their own implications. Here are three thoughts from the past few weeks.
Do enough background checks get done?
PCI DSS requirement 12.7 requires that background checks be conducted before hiring personnel who will have access to cardholder data or the cardholder data environment. With some of the talk that the Target breach may have been an inside job, I wonder if enough background checks are being done.
If someone is responsible for software builds for applications that manage cardholder data, is a background check done? How about the team that is responsible for the deployment of the software? How about the IT operations staff? What about the developers themselves?
If someone transfers to a position that has access to the cardholder data or the data environment, either directly or through subordinates, is a background check done?
How about for people with access to other personal information? Are background checks done for all your HR people? How about the IT team that manages the HR software environment?
What’s on your laptop?
The theft of a laptop from the car of an employee of DeLoach & Williamson, a firm contracted to audit the South Carolina Health Insurance Pool, resulted in the loss of personal information. While the type of information on the laptop was known, the individuals it concerned were not. The state is offering identity theft protection services for one year, but who gets the protection?
Might it be less expensive to encrypt laptops or, better yet, to keep personal information off laptops altogether, than to purchase identity theft protection for a large population?
Given the circumstances above, do your service providers encrypt their laptops?
What’s on your internal, open networks?
A folder containing personal information was improperly stored on Citgo’s internal network, allowing inappropriate access to the information. It has since been corrected, and the impacted individuals have been contacted.
Using the public space on an internal network is a simple way to transfer a file from one employee to another. I am sure this approach gets used by many individuals in many different companies (I’ve seen it at some).
Trying to determine why this happens raises some questions:
- Are the processes to share personal information within the company not well known?
- Is it too difficult or time consuming to give access to a protected portion of the network to share information?
- Is encryption technology for files not widely available or not well known?
Addressing questions such as these may avoid the costs of providing identity theft protection in the future.
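One way to find out what is actually sitting on an open share is to scan it for data that looks like cardholder data or SSNs. The script below is an added example, not code from the original post or from any of the organizations mentioned; it assumes the share is mounted as a local directory, and the sample files it creates (with well-known payment-card test numbers) are constructed for the demonstration.

```python
"""Scan a shared folder for files that appear to contain PANs or SSNs."""
import os
import re
import tempfile

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common dashed form; pattern is illustrative, not authoritative.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid candidate PANs found in text, as plain digit strings."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_share(root: str, max_bytes: int = 1_000_000) -> dict:
    """Walk root; report per file how many PAN and SSN hits it contains."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # read a bounded prefix only
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue
            pans, ssns = find_pans(text), SSN_RE.findall(text)
            if pans or ssns:
                report[os.path.relpath(path, root)] = {"pan": len(pans), "ssn": len(ssns)}
    return report


def demo() -> dict:
    """Constructed share: one harmless file, one with test card numbers and an SSN."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "minutes.txt"), "w") as fh:
        fh.write("Order 1234567890123 shipped; phone 555-0100.\n")  # fails Luhn
    with open(os.path.join(root, "refunds.csv"), "w") as fh:
        fh.write("4111 1111 1111 1111,Smith\n5555-5555-5555-4444,Jones\nSSN 078-05-1120\n")
    return scan_share(root)
```

The Luhn check keeps order numbers and phone numbers out of the report; a real sweep would also cover office documents and archives, which need to be unpacked before the patterns apply.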
Is it time for a privacy assessment?
It is difficult for an internal resource to perform an assessment of an organization’s privacy practices. They know what should happen, so they may not ask some of the probing questions. Often the assessors are from the privacy office, so they may be looking for affirmation that things are being done correctly rather than looking for non-compliance.
With all of the attention being given to privacy recently, it may be time for a third-party privacy assessment of your organization.