Data Breaches: Who’s Ultimately Responsible?

In 0.27 seconds, these were the top headlines that Google pulled from 67,500 results highlighting the latest data breaches around the globe. We are bombarded on a daily, sometimes even an hourly basis with media reporting on this data breach or that data breach until we’re almost numb to it. We hear about it, we see it, we learn all the details, but at the end of the day, who is held responsible when data gets breached?

Pondering and seeking the answer to this question, I stumbled upon Absolute Software Corporation, a company that specializes in technology and services for the management and security of mobile computers, netbooks and smartphones. And, of course, it didn’t hurt that one of the executives is from my hometown of Plano, Texas. I arranged a meeting to discuss how they go about recovering stolen computers, remotely deleting sensitive files and keeping data safe overall.

The mission: To find the answer to where the responsibility lies for data security.

The location: Sip and Stir Coffee Shop in downtown Dallas, Texas.

Who: Tim Williams, director of product management for Absolute Software and Stephen Treglia, legal counsel, Absolute Software.

When: At 1330 hours.

The Men and the Company

It’s a little discombobulating having never met these men before to swing open the door to the coffee shop and play detective, attempting to discern them from the crowd of afternoon coffee sippers. But, once I discovered Tim and Steve sitting in a booth chatting and laughing, I was welcomed with firm hand shakes, two huge smiles and an invitation to sit down.

“A lot has changed since the 90’s when it comes to technology,” explained Williams. (Think back to the 90’s to the all-mighty bag phone. Can you imagine trying to text on that?) “Customers now need data.”

With such a demanding need for data, the risk of breaches runs rampant to which Absolute Software has responded with their core technology, Absolute Computrace. A piece of code is embedded at the manufacturer level, whether Windows, Samsung or Droid. Once this code is activated, it’s an unbreakable tether to the device and data, meaning that Absolute Computrace allows the ability to physically locate who is using the device, determine if and what data has been accessed, wipe all data and retrieve certain files.

By way of example, Williams mentioned a Veterans Administration data breach that occurred a few years ago, where an employee lost his laptop that contained sensitive data. Had Absolute perisistence technology been embedded in and activated on the laptop, the company would have been able to use the audit trail to retrieve the laptop—and the data.

“Absolute Software has partnered with over 17,000 law enforcement agencies around the world and we have recovered over 30,000 devices from over 100 countries,” said Williams.

Investigative services, headed by Treglia, are offered by Absolute Software to retrieve stolen or lost hardware. After retiring in 2010, this no-nonsense, former NY prosecutor, began working for Absolute Software , and has uncovered things in chatrooms like buying a baby online as well as a plot to kill a spouse. But, he claims that it’s with his team of about 40 former law enforcement officers and ex-Feds that they are so successful in tracking and recovering stolen devices.

“We do forensics after we get the devices back to see who had it, where it was touched and so on,” explained Treglia.

The Big Dogs Step In

There are a lot of internal threats that are not necessarily malicious, but they are harder to get a hold of due to bureaucracies.

“HIPAA, for example, has regulatory laws that protect our data,” said Treglia. “This is just the tip of the ‘data’ iceburg.”

Speaking of bureaucracies, in 2009, HIPAA corrected their deficiencies when it came to data security and expanded who could be sued. As of about 5 years ago, a business association could be sued. This was and still is huge. The banking industry, however, seems to be very proactive in data security, but other industries are falling a bit behind.

“Regulatory agencies are gearing up to come down on people,” warned Treglia. “Agencies are getting on board, so it is necessary that all industries be careful.”

Hot Topics in Data Security

When it comes to data breaches, people can never act fast enough because there are so many tasks to be done. Identifying victims immediately, knowing all local and federal laws and how they apply to the breach and knowing exactly what agencies to notify are among the first that must take place.

“There’s going to be data breaches at some point, and afterwards, the company will be standing in front of a judge to prove that things were in place to prevent it,” explained Williams. “The proof is an audit trail, providing that data was accessed and when. The responsibility is on the company to prove that the business can self-recover from the breach.”

Even if the company’s data was encrypted, the burden of proof still remains on the company to know if it was active at the time of the breach.

“It’s great to have tools,” said Treglia. “Absolute Software offers a patented protected process, so even if the hardware is switched, it’s still there because it’s not a software solution. But, companies also need to be persistent.”

A semi-new trend that companies are embracing is BYOD (bring your own device), which enables technology and management to come together and learn how to coexist.

“There is a convergence of technology and management,” said Treglia. “A well-managed device is more secure. Case-in-point, if you don’t run a Windows update, then your device is more likely to get breached.”

Most employees who use their own devices to perform work-related duties are not trying to be malicious; they just need access to certain data to do their job. Companies need to focus on empowering their employees to use company data responsibly and be productive with their own devices.

“If a company is embracing BYOD, have access to the company’s data automatically set up so it’s easy for the user,” said Williams. “That way, the workers have to just simply log in to work. This also makes IT become the path of least resistance as they are actively involved in the process.”

The key is to ensure that company data always comes from the company to the firmware to the employees. As we have seen, though, played out time and time again, even with all the “bells and whistles,” if a company is not paying attention, they can be totally wiped out because of a data breach.

“It’s shockingly easy to find cybercriminals,” said Treglia, “because people still to go Facebook and actually use it. We never listen in real time, which is why what we do is perfectly legal and is not eavesdropping."

Treglia’s staff has over 1000 years of combined law enforcement experience, and he won’t cross any privacy boundaries when investigating.

“I want to reiterate the point that it’s coming,” said Treglia. “The company is being held responsible for data breaches, so companies need to get prepared… now!”

This article originally appeared in the September 2014 issue of Security Today.

Featured

  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

Webinars

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3