For PRISM’s information management companies, the good news is that trusted, secure information storage and destruction services are more important than ever. And most data breaches can be controlled or at least contained with proper security measures and compliance. “Most data breaches that occur are internal. They’re not malicious. They’re negligent,” Federgreen said.


One myth is that credit card data makes up the majority of breaches. “They are only about 4%. The other 96% have nothing to do with credit cards,” he said. Health records, bank information, and criminal histories are among the broad array of personal and private information getting lost or stolen.


The breach might be due to a lost laptop or flip drive, a file placed on the wrong desk, or even a natural disaster. Whatever the reason, information management companies need to be prepared to deal with lost data by first setting standards to avoid problems. If and when a breach occurs, companies need to be ready to handle reporting swiftly and in compliance with the law. “In client-based companies like records management storage companies, their entire livelihood is driven by their perceived reliability if something goes wrong,” Federgreen said.


Whether dealing with paper, tape, or electronic files, information management companies face several data security challenges. “It gets complicated, because most of these companies are dealing with four or five types of material movement,” Federgreen said. “When anything is in transit, the vulnerability goes up.”


Another challenge is the increasing number of federal, state, and agency reporting requirements when a breach or suspected breach occurs. Federgreen says his company has identified more than 300 entities to which a single breach could potentially be reported. “In all of our years, the most reports we’ve had to file for one event is 65,” he said. “On average, a breach or suspected breach gets reported to about a half dozen authorities or agencies.”


Within each breach report, a number of key questions need to be addressed, such as whether the compromised data were physical or electronic. If the material was electronic, was it encrypted and was the key compromised? How many files were involved, and what is the harm threshold? What is the type of material that has been compromised, and what is the likelihood of a combination of data points being stolen? Also, what are the jurisdictional issues that vary according to state and federal guidelines, depending on the type of data?


The short time frames expected for data breach compliance complicate reporting. The Affordable Care Act, for example, requires that a compromised health record be reported within 72 hours. “That deadline was initially 24 hours,” Federgreen said. “No company, no matter its size, can do this by itself unless it has a dedicated department,” Federgreen said.


In addition to deadline demands, data security departments are charged with keeping abreast of new and amended data security laws that vary among states, federally, and internationally. Most information management companies are responsible for personal and private information from a number of industries and locations, so the ability to keep up with data security compliance can be daunting. Managing records is the forte of strong information management companies, and having an incident response plan for data breaches is critical.


“Know what you have, know where it is, and know who really has access to it, because most companies don’t,” Federgreen said. “If companies can genuinely and honestly answer those three questions, they’re ahead of 90% of companies out there.”


Data Breach Costs Skyrocket


On average, companies around the world spend $3.5 million to respond to a data breach, according to the Ponemon Institute. The Traverse City, MI-based organization conducts independent research on information security, data protection, privacy, and information management. The high cost of data breaches stems from investigations, notifications, and responses companies perform when sensitive information is lost or stolen, and these costs are expected to continue to rise. The institute’s 2014 Cost of Data Breach Study: Global Analysis reveals other key findings:

• The $3.5 million average cost of a data breach represents a 15% increase since the previous year.


• The average cost for each lost or stolen record has reached $145, a 9% increase since the year before.


• The most costly breaches occurred in the United States and Germany, at $201 and $195 per compromised record, respectively.


• A strong security posture was critical to decreasing the cost of data breaches. On average, companies that reported having a strong security posture reduced the cost of a breach by as much as $14 per record.


• Only 38% of companies have a security strategy to protect their IT infrastructure. A higher percentage (45%) have a strategy to protect information assets.


Source: Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM


inFocus | Fall 2014



