Data Breaches: Who’s Ultimately Responsible?

In 0.27 seconds, these were the top headlines that Google pulled from 67,500 results highlighting the latest data breaches around the globe. We are bombarded on a daily, sometimes even an hourly basis with media reporting on this data breach or that data breach until we’re almost numb to it. We hear about it, we see it, we learn all the details, but at the end of the day, who is held responsible when data gets breached?

Pondering and seeking the answer to this question, I stumbled upon Absolute Software Corporation, a company that specializes in technology and services for the management and security of mobile computers, netbooks and smartphones. And, of course, it didn’t hurt that one of the executives is from my hometown of Plano, Texas. I arranged a meeting to discuss how they go about recovering stolen computers, remotely deleting sensitive files and keeping data safe overall.

The mission: To find the answer to where the responsibility lies for data security.

The location: Sip and Stir Coffee Shop in downtown Dallas, Texas.

Who: Tim Williams, director of product management for Absolute Software and Stephen Treglia, legal counsel, Absolute Software.

When: At 1330 hours.

The Men and the Company

It’s a little discombobulating, having never met these men before, to swing open the door to the coffee shop and play detective, attempting to discern them from the crowd of afternoon coffee sippers. But once I discovered Tim and Steve sitting in a booth chatting and laughing, I was welcomed with firm handshakes, two huge smiles and an invitation to sit down.

“A lot has changed since the 90’s when it comes to technology,” explained Williams. (Think back to the 90’s to the all-mighty bag phone. Can you imagine trying to text on that?) “Customers now need data.”

With such demand for data, the risk of breaches runs rampant, and Absolute Software has responded with its core technology, Absolute Computrace. A piece of code is embedded at the manufacturer level, whether Windows, Samsung or Droid. Once this code is activated, it’s an unbreakable tether to the device and data, meaning that Absolute Computrace makes it possible to physically locate who is using the device, determine whether data has been accessed and which data, wipe all data and retrieve certain files.

By way of example, Williams mentioned a Veterans Administration data breach that occurred a few years ago, where an employee lost his laptop that contained sensitive data. Had Absolute persistence technology been embedded in and activated on the laptop, the company would have been able to use the audit trail to retrieve the laptop—and the data.

“Absolute Software has partnered with over 17,000 law enforcement agencies around the world and we have recovered over 30,000 devices from over 100 countries,” said Williams.

Absolute Software offers investigative services, headed by Treglia, to retrieve stolen or lost hardware. After retiring in 2010, this no-nonsense former NY prosecutor began working for Absolute Software, and has uncovered things in chatrooms like buying a baby online as well as a plot to kill a spouse. But he claims that it’s thanks to his team of about 40 former law enforcement officers and ex-Feds that they are so successful in tracking and recovering stolen devices.

“We do forensics after we get the devices back to see who had it, where it was touched and so on,” explained Treglia.

The Big Dogs Step In

There are a lot of internal threats that are not necessarily malicious, but they are harder to get a hold of due to bureaucracies.

“HIPAA, for example, has regulatory laws that protect our data,” said Treglia. “This is just the tip of the ‘data’ iceberg.”

Speaking of bureaucracies, in 2009, HIPAA corrected their deficiencies when it came to data security and expanded who could be sued. As of about 5 years ago, a business association could be sued. This was and still is huge. The banking industry, however, seems to be very proactive in data security, but other industries are falling a bit behind.

“Regulatory agencies are gearing up to come down on people,” warned Treglia. “Agencies are getting on board, so it is necessary that all industries be careful.”

Hot Topics in Data Security

When it comes to data breaches, people can never act fast enough because there are so many tasks to be done. Identifying victims immediately, knowing all local and federal laws and how they apply to the breach, and knowing exactly what agencies to notify are among the first tasks that must take place.

“There’s going to be data breaches at some point, and afterwards, the company will be standing in front of a judge to prove that things were in place to prevent it,” explained Williams. “The proof is an audit trail, providing that data was accessed and when. The responsibility is on the company to prove that the business can self-recover from the breach.”

Even if the company’s data was encrypted, the burden of proof still remains on the company to know whether that encryption was active at the time of the breach.

“It’s great to have tools,” said Treglia. “Absolute Software offers a patented protected process, so even if the hardware is switched, it’s still there because it’s not a software solution. But, companies also need to be persistent.”

A semi-new trend that companies are embracing is BYOD (bring your own device), which enables technology and management to come together and learn how to coexist.

“There is a convergence of technology and management,” said Treglia. “A well-managed device is more secure. Case in point, if you don’t run a Windows update, then your device is more likely to get breached.”

Most employees who use their own devices to perform work-related duties are not trying to be malicious; they just need access to certain data to do their job. Companies need to focus on empowering their employees to use company data responsibly and be productive with their own devices.

“If a company is embracing BYOD, have access to the company’s data automatically set up so it’s easy for the user,” said Williams. “That way, the workers have to just simply log in to work. This also makes IT become the path of least resistance as they are actively involved in the process.”

The key is to ensure that company data always comes from the company to the firmware to the employees. As we have seen, though, played out time and time again, even with all the “bells and whistles,” if a company is not paying attention, they can be totally wiped out because of a data breach.

“It’s shockingly easy to find cybercriminals,” said Treglia, “because people still go to Facebook and actually use it. We never listen in real time, which is why what we do is perfectly legal and is not eavesdropping.”

Treglia’s staff has over 1000 years of combined law enforcement experience, and he won’t cross any privacy boundaries when investigating.

“I want to reiterate the point that it’s coming,” said Treglia. “The company is being held responsible for data breaches, so companies need to get prepared… now!”

This article originally appeared in the September 2014 issue of Security Today.
