Data Breaches: Who’s Ultimately Responsible?
- By Ginger Hill
- Sep 01, 2014
In 0.27 seconds, these were the top headlines that
Google pulled from 67,500 results highlighting
the latest data breaches around the globe. We are
bombarded on a daily, sometimes even an hourly basis
with media reporting on this data breach or that
data breach until we’re almost numb to it. We hear
about it, we see it, we learn all the details, but at the
end of the day, who is held responsible when data gets
breached?
Pondering and seeking the answer to this question,
I stumbled upon Absolute Software Corporation, a
company that specializes in technology and services
for the management and security of mobile computers,
netbooks and smartphones. And, of course, it
didn’t hurt that one of the executives is from my hometown of Plano,
Texas. I arranged a meeting to discuss how they go
about recovering stolen computers, remotely deleting
sensitive files and keeping data safe overall.
The mission: To find the answer to where the responsibility
lies for data security.
The location: Sip and Stir Coffee Shop in downtown
Dallas, Texas.
Who: Tim Williams, director of product management for Absolute Software
and Stephen Treglia, legal counsel, Absolute Software.
When: At 1330 hours.
The Men and the Company
It’s a little discombobulating having never met these men
before to swing open the door to the coffee shop and play
detective, attempting to discern them from the crowd of
afternoon coffee sippers. But, once I discovered Tim and
Steve sitting in a booth chatting and laughing, I was welcomed
with firm handshakes, two huge smiles and an
invitation to sit down.
“A lot has changed since the 90’s when it comes
to technology,” explained Williams. (Think back to
the 90’s to the all-mighty bag phone. Can you imagine
trying to text on that?) “Customers now need data.”
With such a demanding need for data, the risk of
breaches runs rampant, and Absolute Software
has responded with its core technology, Absolute Computrace. A piece of code is embedded at the manufacturer
level, whether Windows, Samsung or Droid. Once this code
is activated, it’s an unbreakable tether to the device
and data, meaning that Absolute Computrace allows the ability
to physically locate who is using the device, determine
if and what data has been accessed, wipe all data and
retrieve certain files.
By way of example, Williams mentioned a Veterans Administration data breach that occurred a few years ago, where an employee lost his laptop that contained sensitive data. Had Absolute persistence technology been embedded in and activated on the laptop, the company would have been able to use the audit trail to retrieve the laptop—and the data.
“Absolute Software has partnered with over
17,000 law enforcement agencies around the world
and we have recovered over 30,000 devices from over
100 countries,” said Williams.
Investigative services, headed by Treglia, are offered
by Absolute Software to retrieve stolen or lost
hardware. After retiring in 2010, this no-nonsense
former NY prosecutor began
working for Absolute Software and has uncovered things
in chatrooms like buying a baby online as well as a
plot to kill a spouse. But, he claims that it’s with his
team of about 40 former law enforcement officers and
ex-Feds that they are so successful in tracking and recovering
stolen devices.
“We do forensics after we get the devices back to
see who had it, where it was touched and so on,” explained
Treglia.
The Big Dogs Step In
There are a lot of internal threats that are not necessarily
malicious, but they are harder to get a hold of
due to bureaucracies.
“HIPAA, for example, has regulatory laws that
protect our data,” said Treglia. “This is just the tip of
the ‘data’ iceberg.”
Speaking of bureaucracies, in 2009, HIPAA corrected
their deficiencies when it came to data security
and expanded who could be sued. As of about 5
years ago, a business association could be sued. This
was and still is huge. The banking industry, however,
seems to be very proactive in data security, but other
industries are falling a bit behind.
“Regulatory agencies are gearing up to come down
on people,” warned Treglia. “Agencies are getting on
board, so it is necessary that all industries be careful.”
Hot Topics in Data Security
When it comes to data breaches, people can never
act fast enough because there are so many tasks to
be done. Identifying victims immediately, knowing
all local and federal laws and how they apply to the
breach and knowing exactly what agencies to notify
are among the first that must take place.
“There’s going to be data breaches at some point,
and afterwards, the company will be standing in front
of a judge to prove that things were in place to prevent
it,” explained Williams. “The proof is an audit
trail, providing that data was accessed and when. The
responsibility is on the company to prove that the
business can self-recover from the breach.”
Even if the company’s data was encrypted, the burden
of proof still remains on the company to know if
it was active at the time of the breach.
“It’s great to have tools,” said Treglia. “Absolute
Software offers a patented protected process, so even
if the hardware is switched, it’s still there because it’s
not a software solution. But, companies also need to
be persistent.”
A semi-new trend that companies are embracing is
BYOD (bring your own device), which enables technology
and management to come together and learn
how to coexist.
“There is a convergence of technology and management,”
said Treglia. “A well-managed device is
more secure. Case-in-point, if you don’t run a Windows
update, then your device is more likely to get
breached.”
Most employees who use their own devices to perform
work-related duties are not trying to be malicious;
they just need access to certain data to do their
job. Companies need to focus on empowering their
employees to use company data responsibly and be
productive with their own devices.
“If a company is embracing BYOD, have access
to the company’s data automatically set up so it’s easy
for the user,” said Williams. “That way, the workers
have to just simply log in to work. This also makes IT
become the path of least resistance as they are actively
involved in the process.”
The key is to ensure that company data always comes
from the company to the firmware to the employees.
As we have seen, though, played out time and time
again, even with all the “bells and whistles,” if a company
is not paying attention, they can be totally wiped
out because of a data breach.
“It’s shockingly easy to find cybercriminals,” said Treglia, “because people still go to Facebook and actually use it. We never listen in real time, which is why what we do is perfectly legal and is not eavesdropping.”
Treglia’s staff has over 1000 years of combined law
enforcement experience, and he won’t cross any privacy
boundaries when investigating.
“I want to reiterate the point that it’s coming,” said
Treglia. “The company is being held responsible for
data breaches, so companies need to get prepared…
now!”
This article originally appeared in the September 2014 issue of Security Today.