Why do you need to protect customer sensitive data from unauthorized users?
In a world where some businesses are regulated and enforced by law, it is our job to make sure we are always in compliance. As data breaches continue to emerge and attacks happen daily, we must secure our network with multiple layers of security to prevent unauthorized access from the outside. Unfortunately, attacks usually come from within and are usually carried out by an employee.
In the financial services industry
Large organizations often spend a great deal of money on network and data security, and some even perform penetration tests with the intention of finding holes so that access can be hardened. Financial institutions are regulated by the FTC's Division of Financial Practices and monitored by internal auditors to achieve effective and efficient governance of legal and regulatory compliance.
Access control to systems and customer data is audited by this department to ensure that only authorized users can get access to the data. You might still be asking yourself, "ok Richard, but why do you need to protect customer sensitive data from unauthorized users?" Well, if you don’t, your business is at risk and the fines could even be in the millions of dollars. Once this data leaves your company network through these unauthorized employees, you have no control over it and don’t know where it is going to end up. The information could be sold on the black market and your institution could be found liable. After all, there is a reason why access was not granted to begin with.
In the healthcare industry
HIPAA (Health Insurance Portability and Accountability Act) regulates the protection of patients’ personal information. Although some employees at a practice might need access to patients’ personal information, it doesn’t mean all employees require the same amount of access. It is the administrator’s responsibility to ensure that access to the system is properly privileged. Compromises of the system and vulnerabilities in medical records can happen in many different ways, like the incident, based on a 2010 report, involving The New York and Presbyterian Hospital (NYP) and Columbia University (CU). You can read more about it here, and this is just one of many.
In the law practice industry
Competent representation and confidentiality are at the foundation of the attorney-client relationship. “ABA Model Rule 1.6 generally defines the duty of confidentiality and, significantly, it broadly extends that duty to ‘information relating to the representation of a client.’” It is now commonly accepted that this duty applies to client information in computer and information systems as well.
It is also important that lawyers recognize the limits of their own competence regarding computer security measures and take the necessary time and energy to become competent or, alternatively, consult available experts in the field.
The opinion discusses specific safeguards for lawyers to consider, such as the Secure Sockets Layer (SSL) protocol, firewalls, password protection, encryption and antivirus measures, but it also cautions that:
As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.
As the business owner or the person in charge of the computer network, you should take the right approach when it comes to security. Delegating the right resources and responsibility to monitor security, find holes, and provision the correct access to the system will ensure that your customer data is safe.