EPSILON ‘MASSIVE’ DATA BREACH: THE QUICK & DIRTY ON DATA BREACHES
Data in possession of email marketing leader Epsilon has been compromised. Epsilon Marketing holds close to 2,500 brand clients, according to Security Week, including seven of the Fortune 10 giants. The compromise was initially disclosed late Friday and reports of affected companies have continued to trickle in. Companies’ Written Information Security Plans (WISP) are actively in effect, launching notification to consumers of the data breach, the extent of information compromised and of any possible complications that may arise as a result of the breach. Known companies that have been affected by Epsilon’s breach are:
- Capital One
- US Bank
- JP Morgan Chase
- New York & Co.
- The College Board
- Home Shopping Network
- McKinsey & Co.
- Ritz Carlton Rewards
- Marriott Rewards
Epsilon has attempted to calm fears by notifying the companies that the only data compromised was names and emails; however, the real threat will come in the form of phishing emails that will be specifically targeted to consumers. Please be aware of such phishing emails.
The real questions at hand are: How do these breaches occur? What are the consequences for such a breach? How can we effectively prevent a breach in security or mitigate the risks associated with a data breach?
How do these breaches occur?
Companies often turn to third party vendors to fulfill their direct marketing needs. In doing so, certain risks are assumed. Companies aim to implement contractual relationships which mandate safeguards, certain levels of security and response programs in the instance of a breach. From a marketing standpoint, strategically speaking, it would be in a company’s best interest to have a third party vendor who has invested a considerable amount of time, effort and money to hone their craft, perform the very technical function of direct mail marketing. That standpoint, however, disregards the cautions of risk management. Without in-house direct marketing departments, certain risks are assumed when your company’s data is in the care of a third party. That vendor may, in violation of their contractual obligations, fail to safeguard the data with proper firewalls, proper levels of encryption and limited access. Often, the independent contractors that the third party vendor works with may not be held to the same level of confidentiality or security. Data breaches may occur during a ‘data scrubbing’ process where the data was released to a third party vendor for ‘scrubbing’ and was not adequately encrypted. Often data is sent overseas for ‘scrubbing’ which may further expose the data to compromise. The physical location of the data gives great bearing as to the applicable law. Often, direct marketing agencies use third party publishers to perform various marketing campaigns. Without an exclusive relationship or a role as an in-house publisher, the direct marketing agencies often lose control over the actual activities of the third party publishers. Given the necessity for control in preventing a data breach, the further outsourced direct marketing activities become, the larger the risk of a potential data breach.
What are the consequences of such a breach?
The average cost of a corporate data breach is $7.2 million. (Symantec)
Massachusetts state is law the most aggressive and inclusive state privacy law developed to date. Massachusetts state privacy law reaches not only nationally, but internationally. Effective March 1, 2010, the Massachusetts state law “apply[ies] to all persons that own or license personal information about a resident of the Commonwealth [of Massachusetts].” 201 CMR 17.00 The law takes an aggressive approach to data security and prevention requiring each company to, in addition to other regulations, implement a Written Information Security Plan (WISP) outlining the scope of a company’s business, the type of data utilized, the proper safeguards in place to prevent a breach and the action responses and plan to mitigate damage in the event of a breach. Companies across America who are failing to implement such a plan are placing themselves at serious risk. The Massachusetts Attorney General is responsible for the enforcement of this law and has noted that enforcement will not be contained merely to data breaches, but investigations will also be launched into companies whom the Attorney General has been notified are not compliant. [READ: Angry employees may tip off the Attorney General to such non-compliance.]
In addition to penalties, fines and damages imposed by administrative bodies, private civil actions may also be sought against the company. California does recognize the right of private action in regards to data breaches.
To analyze your company’s data breach risk, consult the Ponemon Institute Data Breach Risk Calculator.
How can we effectively prevent a breach in security or mitigate the risks associated with a data breach?
Data breaches and privacy concerns do not only affect large scale companies. Small to mid-size businesses who store and utilize PII must invest in implementing proper safeguards and infrastructure to minimize their liability and mitigate the damage caused in the event of a breach. To effectively prevent possible data breaches or to in the least, mitigate the damage from a breach, proper planning and infrastructure must be implemented and well settled.
Third party contractual relationships should:
- Impose a strong duty of confidentiality with ex-parte injunctive relief as a remedy to breach;
- Create a duty to impose certain security levels within a company;
- Ensure any marketing practices are in compliance will all applicable local, administrative, state and federal rules and regulations, including but not limited to the Gramm Leach Bliley Act and CAN-SPAM ACT;
- Ensure complete encryption of all data;
- Ensure proper firewalls, employee security, password protection, server protection ect.;
- Impose restrictions on the geographical location of the data or state the location of the data;
- Limit the number of additional third party consultants or independent contractors who will have access to the data;
- Outline restrictions and safeguards to be extended to any other third parties working with the data;
- Outline and approve who is responsible for any data ‘scrubbing’;
- Include a right to audit the third party’s procedures for handling data and security integrity;
- Mandate an annual review to determine any necessary upgrades in security measures to maintain data integrity.
Other safeguards to minimize such risk are:
- Implementation of a Written Information Security Plan;
- Implementation of a Security Breach Response Plan to be activated in the event of a data breach;
- Implementation of ongoing employee training (i.e. seminars, handbooks, newsletters) for both full-time and temporary/contract employees;
- Strict employment contracts outlining employee’s obligation to ensure data security and imposing restrictions on various activities in an effort to maintain security (i.e. ban on external storage devices);
- Implementation of an infrastructure for detecting and preventing system failures;
- Maintaining a strict policy on the exit of terminated employees and their access to PII;
- Development of an internal privacy/security program with employee enforcement for violations;
- Limitation and/or restriction to physical access to any data or PII by employees.
Technical safeguards to minimize such risk are:
- Encryption of all transmitted files and records containing PII;
- Reasonable monitoring of systems for unauthorized use;
- Secure user authentication protocols;
- Secure user IDs and a reasonably secure method of selecting/accepting passwords;
- Control of data security passwords to ensure passwords are kept in a place and manner that does not compromise their security;
- Use of unique identifiers for highly sensitive data such as biometrics, retina scanners;
- Restricted access to data and systems containing PII to those who need to have access to carry out their job function;
- Encryption of all personal information, PII, stored on laptops or individual storage devices (i.e. blackberries, portable hard drives, flash drives);
- Continual updates of aggressive firewalls and technical infrastructure to protect from external intrusion;
- Up-to-date operating system security patches and system security agent software, including malware protection and virus protection;
- Blocking of users who have repeatedly failed to properly authenticate their credentials and access PII or other secured data.
The cost of data breaches is only going to gain velocity and become increasingly more expensive. As we continue to see growth in technology, we will continue to see privacy breaches and data security concerns rise to the forefront. The FTC has not only pledged to continue to vigilantly enforce the rules and laws concerning privacy and data security, but is gaining momentum in a more aggressive approach to enforcement.
Consult with your internet privacy counsel to receive advisory on your risks, liabilities and the potential safeguards you could implement to better protect your business.