Businesses and consumers around the globe will observe Data Privacy Day on Saturday, Jan. 28, and at least one security expert is urging businesses to assess their data-security risk management practices and identify where they can make improvements.
Kevin Kalinich, global practice leader for cyber liability at Aon Risk Solutions, points out that new risks are being discovered constantly. He points to the recent security breaches at Zappos and Sony, and to the Carrier IQ mobile-device privacy controversy.
“What’s the balance you want for your insurance company between offering access to social media and interactive telecommunications vs. protection,” says Kalinich. “You can lock down devices so no one can get into the network, but are you losing sales or some potential new business? How do you balance these against the technology revolution with social media, mobile communications, cloud computing, and converged technology? If you don’t enable [mobile devices] you are going to fall behind the competition.”
Aon Risk Solutions lists five important steps that companies should consider to safeguard data:
- Understand your obligations under law and applicable standards—Stay informed about local, state, federal, and foreign regulations, as they are constantly evolving.
- Assemble a data security team and assess your data—In addition to determining the type and amount of personal data maintained, it is important to identify how data is collected, stored, used, and transmitted as well as understand potential threats to the company’s security (e.g. third-party vendors, such as cloud computing service providers).
- Develop data protection and privacy policies and procedures—The data security team should review existing policies and bring them in line with industry best practices. Social networking sites and related blogs pose new threats that must be considered.
- Control hardware and software—Laptops, PDAs, and other mobile devices present additional challenges. A data breach prevention program must assess and control exposures related to hardware and software used by company personnel.
- Review contracts—Update and negotiate services agreements to ensure privacy and security protections are embedded within the company’s relationships.
Kalinich believes insurers who have chief privacy officers, privacy offices, and IT security offices completely understand these issues and are well on their way to putting these or similar recommendations into their plans.
The issue, as he sees it, is implementation.
“You just can’t say here are our five steps and everybody needs to follow them,” says Kalinich. “How do you roll them out? How do you train and educate your people? Once you train them, how do you monitor them?”
Insurance carriers and brokers—particularly the bigger ones—have grown through M&A activity and with such growth inevitably comes the issue of legacy systems.
“There are legacy protocols and guidelines that are different [within a company],” says Kalinich. “[Aon Risk representatives] go in to do the due diligence for network risk insurance and most of the companies we visit can’t answer whether 100 percent of their laptops are encrypted.”
There are no magic software solutions to make the issue of data security go away, explains Kalinich.
“Most of these steps are in the way of policies and procedures,” he says. “Education and communication are important steps. You need to facilitate the discussion.”
Data Privacy Day began in January 2008 as an extension of Data Protection Day, observed in Europe. Among its many goals, Data Privacy Day promotes privacy awareness and education among businesses and consumers, focusing on privacy issues raised by the use of social networking sites, cloud computing, smartphones and other mobile devices as well as encouraging users to comply with existing privacy laws and regulations. It is sponsored by the National Cyber Security Alliance.