Jeffrey I. Ziplow, MBA, CISA, CGEIT
In the past few years, data breaches at a number of large multi-national corporations—including Target, Anthem and Sony, to name just a few—have put consumers’ personal information at risk and caused worldwide concern. Every day, hackers who wish to compromise personal information explore new methods of injecting chaos into the lives of people and businesses, often causing widespread panic.
There is good news, though. There are proactive steps that can be taken to protect sensitive data from outside harm. Furthermore, this year the Connecticut State Legislature has taken positive and appropriate action to provide protection to consumers from contractors working with state agencies that have access to confidential information.
Although we hear about cybersecurity issues relatively frequently these days, the truth is that this problem has only become worse in recent years. Not much more than a decade ago, people didn’t think much—or know much—about how their personal information could be stolen for someone else’s illegal gain. In fact, the term “data security” was barely on people’s minds at the beginning of the 21st century.
Times have changed.
It starts with the simple fact that so much commerce takes place these days online and digitally, without direct human interactions. Bank information and credit card numbers are shared online for purchases and other financial transactions. Social Security numbers and other vital personal information are offered up to outside parties without much thought or consideration of who actually has these critical pieces of information.
For better or for worse, this is how we do business in 2015. Without the necessary protective steps, it can leave us all incredibly vulnerable. Cyber-criminals and hackers work at a breakneck pace to find new ways to steal information. They are the modern cat burglars in their own way, only their targets are much bigger and more valuable. Instead of burglarizing a single house or business at a time, these “cat-hackers” can harvest millions of records at a time, causing data breaches that significantly impact hundreds of thousands of people and cause billions of dollars in harm.
So what can be done about it?
One critical step that businesses can take to protect both themselves and their customers is data encryption, which is basically a tool that scrambles information so that it can only be read by someone who knows the encryption key; this makes data worthless to people looking to steal it. Businesses and organizations that store confidential information—such as someone’s name, Social Security number, bank account information and credit card information, for example—need to identify where the key information exists and figure out ways to encrypt it so that it cannot be used by outside parties.
This goes beyond transactions and financial transfers (information in motion)—it includes the all-important storage of information (information at rest), as that must be encrypted too. It is one more safeguard against the unfortunate but very real possibility of this information falling into the wrong hands. With encryption properly in place, if the information does get out, it will not be usable.
Additionally, the Connecticut State Legislature this year did a good job of passing sound, meaningful legislation designed to protect consumers against data breaches. This law includes one year of identity theft protection for anyone whose personal information has been breached, and also requires businesses to let people know of a data breach within 90 days of the occurrence. There are penalties for businesses that fail to comply with this new law, and it’s important to know this applies to all Connecticut-based businesses, regardless of size. If the business collects personal consumer information, it must comply.
A number of effective ways exist to help businesses protect the personal information that they capture. The key is finding the one that works best for them and provides the appropriate layers necessary to keep personal information secure. Businesses can consult with professionals to determine which system works best, but something must be put in place if this information is to remain safe.
We are living in a vast new world of digital information, with a need and an obligation to protect and secure it. The actions taken this year by Connecticut lawmakers, coupled with other responsible actions all business owners should take, can provide all parties with the peace of mind they need in knowing that their personal information is safe from those who wish to steal it.
Jeffrey I. Ziplow, MBA, CISA, CGEIT, is a partner with BlumShapiro, the largest regional business advisory firm based in New England, with offices in Connecticut, Massachusetts and Rhode Island. The firm, with over 400 professionals and staff, offers a diversity of services that includes auditing, accounting, tax and business advisory services. In addition, BlumShapiro provides a variety of specialized consulting services such as succession and estate planning, business technology services, employee benefit plan audits and litigation support and valuation. The firm serves a wide range of privately held companies, government and non-profit organizations and provides non-audit services for publicly traded companies.