Digital clutter exposes firms to security risks
If you don’t have it, you can’t lose it.
That’s the word from cyber security experts who say businesses and organizations need to start looking at what information they collect and store, and rethink whether they need the information to begin with.
“If you are collecting information that is not part of your business purpose, you really need to ask yourself, ‘Why am I collecting this and why am I keeping this?’” said Samantha Levine, Denver-based assistant vice president with Aon Risk Solutions’ financial services group.
She gave the example of a mom-and-pop business collecting names and addresses, which count as personally identifiable information and can therefore bring the business within the scope of data breach notification laws.
“A lot of companies have gotten into the problem where they asked for stuff they didn’t need, didn’t want, or shouldn’t have had,” said Robert Parisi, New York-based cyber product leader for Marsh L.L.C., adding that collecting unnecessary data happens “more often than you would hope.”

Experts say that some industries, banks for instance, can’t get around collecting personal data. But other entities can rethink the way they do business to avoid both the extra money it costs to protect the data and the money it will cost in the event of a data breach, said David Leigh, Manassas, Virginia-based president of the cyber risk firm Rofori Corp.
Mr. Leigh said he likes to give the example of his dentist’s office, which has access to credit card information and addresses — information the office needs to do business — and has started taking photographs of patients.
“They do this so everybody who works there can know who I am,” he said. “They like to say, ‘Hi David’ when I walk in … in the interest of being friendly. I think they are intending to mean well, but they don’t have an understanding of the consequences and the risk.”
He said he intends to raise the issue with the person who runs the office, and that this is just one small office doing business as usual in a cyber security climate that has become more dangerous.
“I think companies should be moving away from (collecting data) if they can,” he said. “It is in your interest to collect as little information as possible.”

While names and addresses are targets of identity theft, the golden ticket is the Social Security number, experts say.
“If a company is asking for a Social Security number, that’s a big red flag,” said Raj Chaudhary, Chicago-based partner and global leader of cyber security solutions with accounting and consulting firm Crowe Horwath L.L.P.
He said certain industries are better off than others in grappling with data collection and storage — weeding out what’s needed and what isn’t.
Most nationwide retailers, for example, have stopped offering paper credit card applications and instead have customers applying for store credit enter their details on an electronic keypad, which eliminates the need for a clerk to see the person’s information.
But health systems, Mr. Chaudhary said, are “eight to 10 years behind protecting information compared to banks,” which are heavily regulated.
“There hasn’t been much policing and no enforcement action” for health systems, he said.
He and others, including Ms. Levine of Aon, believe a national identification number is something the medical community ought to consider, given the prevalence and continuing adoption of electronic health records.
“Is that a good end goal? Yes,” said Ms. Levine, adding that the medical community is likely years away from adopting a system that uses a number other than a Social Security number to identify a patient.
Mr. Chaudhary’s advice is to collect fewer digits, for example only the last four or five digits of a patient’s Social Security number. He said the stakes are high for hospitals that don’t do a better job of protecting the data.
For example, the Advocate Health Care network in Chicago recently agreed to a $5.5 million settlement over a data breach.
“These are huge penalties for not-for-profit health systems,” he added. “(That industry) will catch up.”

Anthony Dagostino, New York-based executive vice president and cyber/errors and omissions practice leader for Willis Towers Watson P.L.C., said manufacturing and contractors are another weak spot.
“There are companies that hold on to historic payroll information going back 10 to 20 years and they don’t know where it is,” he said. “Some companies are behind when it comes to purging (data).”
Stephen Ward, New York-based vice president for the U.S. East Coast and Europe, the Middle East and Africa at Pinkerton Consulting & Investigations Inc., tells clients to consult their lawyers about what records they are required to retain and then to securely purge the rest.
“Every organization, no matter its size, this is something they need to look at,” he said.