A few weeks back, a company’s watch list containing nearly 2.5 million individuals and entities considered “high-risk” for its clients was mistakenly leaked to the public. A “high-risk” entity in this circumstance was one potentially linked to organized crime or terrorism. The leak resulted from an unsecured and incorrectly configured company database.
Typically in the news, we hear of data breaches involving a leak of personal information including social security numbers, medical information or credit card numbers. Moreover, state data breach notification and reasonable safeguard laws generally create an affirmative obligation to protect against and respond to a data breach involving personal information. For example, under California data security law, a business that owns, licenses or maintains personal information must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Similarly, under New Jersey data breach notification law, any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. The definition of personal information under state data breach notification and reasonable safeguard laws commonly includes the following types of data: (i) Social Security number; (ii) driver’s license number or state issued ID card number; or (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. Moreover, some states have broader definitions of personal information which can include other types of data such as biometric data, passport numbers or medical information. Note that this type of data is unlike the information involved in the “watch list” incident mentioned above.
Despite media and legislative focus on data breaches of personal information, there are other types of sensitive data that, when breached, can have a detrimental impact on an organization. An organization can face a data breach involving leaked confidential business information, trade secrets, organizational strategies or financial information, just to name a few. As a result, it is important for an organization to have safeguards in place to protect any data it deems of value, whether personal information or otherwise, even if there is no affirmative obligation under the law to do so. Strong IT safeguards are part of the solution, but not a silver bullet. Administrative and physical safeguards also are needed, such as access management policies, awareness training, equipment inventory, and vendor assessment and management programs. No organization is immune to a data breach, and preparedness can make all the difference both in preventing a breach and in responding if one does occur.