Data Breaches: Who’s Ultimately Responsible?

  • By Ginger Hill
  • Sep 01, 2014

In 0.27 seconds, these were the top headlines that Google pulled from 67,500 results highlighting the latest data breaches around the globe. We are bombarded on a daily, sometimes even an hourly basis with media reporting on this data breach or that data breach until we’re almost numb to it. We hear about it, we see it, we learn all the details, but at the end of the day, who is held responsible when data gets breached?

Pondering and seeking the answer to this question, I stumbled upon Absolute Software Corporation, a company that specializes in technology and services for the management and security of mobile computers, netbooks and smartphones. And, of course, it didn’t hurt that one of the executives is from my hometown of Plano, Texas. I arranged a meeting to discuss how they go about recovering stolen computers, remotely deleting sensitive files and keeping data safe overall.

The mission: To find the answer to where the responsibility lies for data security.

The location: Sip and Stir Coffee Shop in downtown Dallas, Texas.

Who: Tim Williams, director of product management for Absolute Software and Stephen Treglia, legal counsel, Absolute Software.

When: At 1330 hours.

The Men and the Company

It’s a little discombobulating having never met these men before to swing open the door to the coffee shop and play detective, attempting to discern them from the crowd of afternoon coffee sippers. But, once I discovered Tim and Steve sitting in a booth chatting and laughing, I was welcomed with firm hand shakes, two huge smiles and an invitation to sit down.

“A lot has changed since the 90’s when it comes to technology,” explained Williams. (Think back to the 90’s to the all-mighty bag phone. Can you imagine trying to text on that?) “Customers now need data.”

With such a demanding need for data, the risk of breaches runs rampant to which Absolute Software has responded with their core technology, Absolute Computrace. A piece of code is embedded at the manufacturer level, whether Windows, Samsung or Droid. Once this code is activated, it’s an unbreakable tether to the device and data, meaning that Absolute Computrace allows the ability to physically locate who is using the device, determine if and what data has been accessed, wipe all data and retrieve certain files.

By way of example, Williams mentioned a Veterans Administration data breach that occurred a few years ago, where an employee lost his laptop that contained sensitive data. Had Absolute perisistence technology been embedded in and activated on the laptop, the company would have been able to use the audit trail to retrieve the laptop—and the data.

“Absolute Software has partnered with over 17,000 law enforcement agencies around the world and we have recovered over 30,000 devices from over 100 countries,” said Williams.

Investigative services, headed by Treglia, are offered by Absolute Software to retrieve stolen or lost hardware. After retiring in 2010, this no-nonsense, former NY prosecutor, began working for Absolute Software , and has uncovered things in chatrooms like buying a baby online as well as a plot to kill a spouse. But, he claims that it’s with his team of about 40 former law enforcement officers and ex-Feds that they are so successful in tracking and recovering stolen devices.

“We do forensics after we get the devices back to see who had it, where it was touched and so on,” explained Treglia.

The Big Dogs Step In

There are a lot of internal threats that are not necessarily malicious, but they are harder to get a hold of due to bureaucracies.

“HIPAA, for example, has regulatory laws that protect our data,” said Treglia. “This is just the tip of the ‘data’ iceburg.”

Speaking of bureaucracies, in 2009, HIPAA corrected their deficiencies when it came to data security and expanded who could be sued. As of about 5 years ago, a business association could be sued. This was and still is huge. The banking industry, however, seems to be very proactive in data security, but other industries are falling a bit behind.

“Regulatory agencies are gearing up to come down on people,” warned Treglia. “Agencies are getting on board, so it is necessary that all industries be careful.”

Hot Topics in Data Security

When it comes to data breaches, people can never act fast enough because there are so many tasks to be done. Identifying victims immediately, knowing all local and federal laws and how they apply to the breach and knowing exactly what agencies to notify are among the first that must take place.

“There’s going to be data breaches at some point, and afterwards, the company will be standing in front of a judge to prove that things were in place to prevent it,” explained Williams. “The proof is an audit trail, providing that data was accessed and when. The responsibility is on the company to prove that the business can self-recover from the breach.”

Even if the company’s data was encrypted, the burden of proof still remains on the company to know if it was active at the time of the breach.

“It’s great to have tools,” said Treglia. “Absolute Software offers a patented protected process, so even if the hardware is switched, it’s still there because it’s not a software solution. But, companies also need to be persistent.”

A semi-new trend that companies are embracing is BYOD (bring your own device), which enables technology and management to come together and learn how to coexist.

“There is a convergence of technology and management,” said Treglia. “A well-managed device is more secure. Case-in-point, if you don’t run a Windows update, then your device is more likely to get breached.”

Most employees who use their own devices to perform work-related duties are not trying to be malicious; they just need access to certain data to do their job. Companies need to focus on empowering their employees to use company data responsibly and be productive with their own devices.

“If a company is embracing BYOD, have access to the company’s data automatically set up so it’s easy for the user,” said Williams. “That way, the workers have to just simply log in to work. This also makes IT become the path of least resistance as they are actively involved in the process.”

The key is to ensure that company data always comes from the company to the firmware to the employees. As we have seen, though, played out time and time again, even with all the “bells and whistles,” if a company is not paying attention, they can be totally wiped out because of a data breach.

“It’s shockingly easy to find cybercriminals,” said Treglia, “because people still to go Facebook and actually use it. We never listen in real time, which is why what we do is perfectly legal and is not eavesdropping."

Treglia’s staff has over 1000 years of combined law enforcement experience, and he won’t cross any privacy boundaries when investigating.

“I want to reiterate the point that it’s coming,” said Treglia. “The company is being held responsible for data breaches, so companies need to get prepared… now!”

This article originally appeared in the September 2014 issue of Security Today.

Featured

  • From Surveillance to Intelligence

    Years ago, it would have been significantly more expensive to run an analytic like that — requiring a custom-built solution with burdensome infrastructure demands — but modern edge devices have made it accessible to everyone. It also saves time, which is a critical factor if a missing child is involved. Video compression technology has played a critical role as well. Over the years, significant advancements have been made in video coding standards — including H.263, MPEG formats, and H.264—alongside compression optimization technologies developed by IP video manufacturers to improve efficiency without sacrificing quality. The open-source AV1 codec developed by the Alliance for Open Media—a consortium including Google, Netflix, Microsoft, Amazon and others — is already the preferred decoder for cloud-based applications, and is quickly becoming the standard for video compression of all types. Read Now

  • Cost: Reactive vs. Proactive Security

    Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after. Read Now

  • Achieving Clear Audio

    In today’s ever-changing world of security and risk management, effective communication via an intercom and door entry communication system is a critical communication tool to keep a facility’s staff, visitors and vendors safe. Read Now

  • Beyond Apps: Access Control for Today’s Residents

    The modern resident lives in an app-saturated world. From banking to grocery delivery, fitness tracking to ridesharing, nearly every service demands another download. But when it comes to accessing the place you live, most people do not want to clutter their phone with yet another app, especially if its only purpose is to open a door. Read Now

  • Survey: 48 Percent of Worshippers Feel Less Safe Attending In-Person Services

    Almost half (48%) of those who attend religious services say they feel less safe attending in-person due to rising acts of violence at places of worship. In fact, 39% report these safety concerns have led them to change how often they attend in-person services, according to new research from Verkada conducted online by The Harris Poll among 1,123 U.S. adults who attend a religious service or event at least once a month. Read Now

Most   Popular

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.