Thursday, January 23, 2014

Information Security Breaches Can Be Low-Tech Too

With all the media attention focused on high-tech hackers (such as the Russian teen who reportedly perpetrated the Target mega-breach), it might be easy to forget that information security breaches are often distinctly low-tech.  They frequently occur simply because of dishonest or inept employees and contractors.

This week, Duke Energy disclosed an information security breach of the low-tech variety.  A former contract worker was stopped by police outside Atlanta and found to be in possession of credit card and checking account numbers belonging to Duke Energy customers.  The suspect had worked in a call center and had handled the accounts of the customers whose information was found in the car.  Upon learning of the incident, Duke did the right thing by reporting the incident and offering free credit monitoring to affected customers.  Duke also reported that it would be reviewing its internal controls and procedures.

The Duke Energy incident isn't the only local (N.C.) breach arising from employee theft of data already this year.  According to the Identity Theft Resource Center's 2014 breach list, an employee of the Alamance County Department of Social Services, whose job had been to investigate claims of abuse and neglect against minors and disabled adults, stole and then sold the personal information of abuse victims.  The Greensboro News & Record reported that the DSS employee sold the personal information to two tax return preparers in Greensboro, who listed the stolen identities as dependents on their clients' returns in order to claim inflated tax refunds on the clients' behalf.  The preparers paid the DSS employee $200 to $300 per identity.

The lesson here is fairly straightforward: Even the best software will not protect an organization from a breach at the hands of a dishonest (or foolish) employee or contractor who already has legitimate access to the data.  Therefore, it is important to focus not only on preventing hackers from penetrating your organization's computer systems, but also on recognizing the very real possibility of an insider breach and establishing a response plan that complies with the law and mitigates the liability and reputational risk to the organization.

When an employee obtains unauthorized access to customer information about N.C. residents, the employer must quickly determine the following:
  1. Which laws apply?  (North Carolina's general ID theft statute and/or industry-specific statutes, such as federal financial institution law or healthcare law)
  2. Does the information accessed include protected information?
  3. Has a "breach" actually occurred as defined under the applicable law(s)?
  4. Does the law require a notice to customers?
  5. What must, or should, the customer notice include?
  6. Does the law require a report to authorities?  If so, which authorities?
  7. What must, or should, the report to authorities contain?
  8. What steps can be taken to mitigate losses?
  9. What immediate steps can be taken to prevent similar incidents?
  10. What steps does any existing breach response policy require?
  11. What steps do existing contracts require, if any?
  12. Who will be responsible to take these steps?
Addressing these issues in a well-crafted policy and procedures prior to a breach can help limit losses and provide much-needed direction in the event of a breach.
