Data Breaches: Who’s Ultimately Responsible?

In 0.27 seconds, these were the top headlines that Google pulled from 67,500 results highlighting the latest data breaches around the globe. We are bombarded on a daily, sometimes even an hourly basis with media reporting on this data breach or that data breach until we’re almost numb to it. We hear about it, we see it, we learn all the details, but at the end of the day, who is held responsible when data gets breached?

Pondering and seeking the answer to this question, I stumbled upon Absolute Software Corporation, a company that specializes in technology and services for the management and security of mobile computers, netbooks and smartphones. And, of course, it didn’t hurt that one of the executives is from my hometown of Plano, Texas. I arranged a meeting to discuss how they go about recovering stolen computers, remotely deleting sensitive files and keeping data safe overall.

The mission: To find the answer to where the responsibility lies for data security.

The location: Sip and Stir Coffee Shop in downtown Dallas, Texas.

Who: Tim Williams, director of product management for Absolute Software and Stephen Treglia, legal counsel, Absolute Software.

When: At 1330 hours.

The Men and the Company

It’s a little discombobulating having never met these men before to swing open the door to the coffee shop and play detective, attempting to discern them from the crowd of afternoon coffee sippers. But, once I discovered Tim and Steve sitting in a booth chatting and laughing, I was welcomed with firm handshakes, two huge smiles and an invitation to sit down.

“A lot has changed since the 90’s when it comes to technology,” explained Williams. (Think back to the 90’s to the all-mighty bag phone. Can you imagine trying to text on that?) “Customers now need data.”

With such a demanding need for data, the risk of breaches runs rampant, and Absolute Software has responded with its core technology, Absolute Computrace. A piece of code is embedded at the manufacturer level, whether Windows, Samsung or Droid. Once this code is activated, it’s an unbreakable tether to the device and data, meaning that Absolute Computrace makes it possible to physically locate who is using the device, determine if and what data has been accessed, wipe all data and retrieve certain files.

By way of example, Williams mentioned a Veterans Administration data breach that occurred a few years ago, where an employee lost his laptop that contained sensitive data. Had Absolute persistence technology been embedded in and activated on the laptop, the company would have been able to use the audit trail to retrieve the laptop—and the data.

“Absolute Software has partnered with over 17,000 law enforcement agencies around the world and we have recovered over 30,000 devices from over 100 countries,” said Williams.

Investigative services, headed by Treglia, are offered by Absolute Software to retrieve stolen or lost hardware. After retiring in 2010, this no-nonsense former NY prosecutor began working for Absolute Software, and has uncovered things in chatrooms like buying a baby online as well as a plot to kill a spouse. But he claims that it’s with his team of about 40 former law enforcement officers and ex-Feds that they are so successful in tracking and recovering stolen devices.

“We do forensics after we get the devices back to see who had it, where it was touched and so on,” explained Treglia.

The Big Dogs Step In

There are a lot of internal threats that are not necessarily malicious, but they are harder to get a hold of due to bureaucracies.

“HIPAA, for example, has regulatory laws that protect our data,” said Treglia. “This is just the tip of the ‘data’ iceberg.”

Speaking of bureaucracies, in 2009, HIPAA corrected their deficiencies when it came to data security and expanded who could be sued. As of about 5 years ago, a business association could be sued. This was and still is huge. The banking industry, however, seems to be very proactive in data security, but other industries are falling a bit behind.

“Regulatory agencies are gearing up to come down on people,” warned Treglia. “Agencies are getting on board, so it is necessary that all industries be careful.”

Hot Topics in Data Security

When it comes to data breaches, people can never act fast enough because there are so many tasks to be done. Identifying victims immediately, knowing all local and federal laws and how they apply to the breach and knowing exactly what agencies to notify are among the first that must take place.

“There’s going to be data breaches at some point, and afterwards, the company will be standing in front of a judge to prove that things were in place to prevent it,” explained Williams. “The proof is an audit trail, providing that data was accessed and when. The responsibility is on the company to prove that the business can self-recover from the breach.”

Even if the company’s data was encrypted, the burden of proof still remains on the company to know if it was active at the time of the breach.

“It’s great to have tools,” said Treglia. “Absolute Software offers a patented protected process, so even if the hardware is switched, it’s still there because it’s not a software solution. But, companies also need to be persistent.”

A semi-new trend that companies are embracing is BYOD (bring your own device), which enables technology and management to come together and learn how to coexist.

“There is a convergence of technology and management,” said Treglia. “A well-managed device is more secure. Case-in-point, if you don’t run a Windows update, then your device is more likely to get breached.”

Most employees who use their own devices to perform work-related duties are not trying to be malicious; they just need access to certain data to do their job. Companies need to focus on empowering their employees to use company data responsibly and be productive with their own devices.

“If a company is embracing BYOD, have access to the company’s data automatically set up so it’s easy for the user,” said Williams. “That way, the workers have to just simply log in to work. This also makes IT become the path of least resistance as they are actively involved in the process.”

The key is to ensure that company data always comes from the company to the firmware to the employees. As we have seen, though, played out time and time again, even with all the “bells and whistles,” if a company is not paying attention, they can be totally wiped out because of a data breach.

“It’s shockingly easy to find cybercriminals,” said Treglia, “because people still go to Facebook and actually use it. We never listen in real time, which is why what we do is perfectly legal and is not eavesdropping.”

Treglia’s staff has over 1000 years of combined law enforcement experience, and he won’t cross any privacy boundaries when investigating.

“I want to reiterate the point that it’s coming,” said Treglia. “The company is being held responsible for data breaches, so companies need to get prepared… now!”

This article originally appeared in the September 2014 issue of Security Today.
