Data Breaches: Who’s Ultimately Responsible?

In 0.27 seconds, these were the top headlines that Google pulled from 67,500 results highlighting the latest data breaches around the globe. We are bombarded on a daily, sometimes even an hourly basis with media reporting on this data breach or that data breach until we’re almost numb to it. We hear about it, we see it, we learn all the details, but at the end of the day, who is held responsible when data gets breached?

Pondering and seeking the answer to this question, I stumbled upon Absolute Software Corporation, a company that specializes in technology and services for the management and security of mobile computers, netbooks and smartphones. And, of course, it didn’t hurt that one of the executives is from my hometown of Plano, Texas. I arranged a meeting to discuss how they go about recovering stolen computers, remotely deleting sensitive files and keeping data safe overall.

The mission: To find the answer to where the responsibility lies for data security.

The location: Sip and Stir Coffee Shop in downtown Dallas, Texas.

Who: Tim Williams, director of product management for Absolute Software and Stephen Treglia, legal counsel, Absolute Software.

When: At 1330 hours.

The Men and the Company

It’s a little discombobulating having never met these men before to swing open the door to the coffee shop and play detective, attempting to discern them from the crowd of afternoon coffee sippers. But, once I discovered Tim and Steve sitting in a booth chatting and laughing, I was welcomed with firm hand shakes, two huge smiles and an invitation to sit down.

“A lot has changed since the 90’s when it comes to technology,” explained Williams. (Think back to the 90’s to the all-mighty bag phone. Can you imagine trying to text on that?) “Customers now need data.”

With such a demanding need for data, the risk of breaches runs rampant to which Absolute Software has responded with their core technology, Absolute Computrace. A piece of code is embedded at the manufacturer level, whether Windows, Samsung or Droid. Once this code is activated, it’s an unbreakable tether to the device and data, meaning that Absolute Computrace allows the ability to physically locate who is using the device, determine if and what data has been accessed, wipe all data and retrieve certain files.

By way of example, Williams mentioned a Veterans Administration data breach that occurred a few years ago, where an employee lost his laptop that contained sensitive data. Had Absolute perisistence technology been embedded in and activated on the laptop, the company would have been able to use the audit trail to retrieve the laptop—and the data.

“Absolute Software has partnered with over 17,000 law enforcement agencies around the world and we have recovered over 30,000 devices from over 100 countries,” said Williams.

Investigative services, headed by Treglia, are offered by Absolute Software to retrieve stolen or lost hardware. After retiring in 2010, this no-nonsense, former NY prosecutor, began working for Absolute Software , and has uncovered things in chatrooms like buying a baby online as well as a plot to kill a spouse. But, he claims that it’s with his team of about 40 former law enforcement officers and ex-Feds that they are so successful in tracking and recovering stolen devices.

“We do forensics after we get the devices back to see who had it, where it was touched and so on,” explained Treglia.

The Big Dogs Step In

There are a lot of internal threats that are not necessarily malicious, but they are harder to get a hold of due to bureaucracies.

“HIPAA, for example, has regulatory laws that protect our data,” said Treglia. “This is just the tip of the ‘data’ iceburg.”

Speaking of bureaucracies, in 2009, HIPAA corrected their deficiencies when it came to data security and expanded who could be sued. As of about 5 years ago, a business association could be sued. This was and still is huge. The banking industry, however, seems to be very proactive in data security, but other industries are falling a bit behind.

“Regulatory agencies are gearing up to come down on people,” warned Treglia. “Agencies are getting on board, so it is necessary that all industries be careful.”

Hot Topics in Data Security

When it comes to data breaches, people can never act fast enough because there are so many tasks to be done. Identifying victims immediately, knowing all local and federal laws and how they apply to the breach and knowing exactly what agencies to notify are among the first that must take place.

“There’s going to be data breaches at some point, and afterwards, the company will be standing in front of a judge to prove that things were in place to prevent it,” explained Williams. “The proof is an audit trail, providing that data was accessed and when. The responsibility is on the company to prove that the business can self-recover from the breach.”

Even if the company’s data was encrypted, the burden of proof still remains on the company to know if it was active at the time of the breach.

“It’s great to have tools,” said Treglia. “Absolute Software offers a patented protected process, so even if the hardware is switched, it’s still there because it’s not a software solution. But, companies also need to be persistent.”

A semi-new trend that companies are embracing is BYOD (bring your own device), which enables technology and management to come together and learn how to coexist.

“There is a convergence of technology and management,” said Treglia. “A well-managed device is more secure. Case-in-point, if you don’t run a Windows update, then your device is more likely to get breached.”

Most employees who use their own devices to perform work-related duties are not trying to be malicious; they just need access to certain data to do their job. Companies need to focus on empowering their employees to use company data responsibly and be productive with their own devices.

“If a company is embracing BYOD, have access to the company’s data automatically set up so it’s easy for the user,” said Williams. “That way, the workers have to just simply log in to work. This also makes IT become the path of least resistance as they are actively involved in the process.”

The key is to ensure that company data always comes from the company to the firmware to the employees. As we have seen, though, played out time and time again, even with all the “bells and whistles,” if a company is not paying attention, they can be totally wiped out because of a data breach.

“It’s shockingly easy to find cybercriminals,” said Treglia, “because people still to go Facebook and actually use it. We never listen in real time, which is why what we do is perfectly legal and is not eavesdropping."

Treglia’s staff has over 1000 years of combined law enforcement experience, and he won’t cross any privacy boundaries when investigating.

“I want to reiterate the point that it’s coming,” said Treglia. “The company is being held responsible for data breaches, so companies need to get prepared… now!”

This article originally appeared in the September 2014 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3