Personally, I find the daily announcement of a company losing control of its employees’, partners’, or customers’ data depressing. My home state, California, had 259 formally reported breaches in 2018 alone! It doesn’t matter where in the world you are: many companies are not properly protecting your data, and hackers are very good at seeking those companies out. How can this be such a problem in this day and age? Simple: it comes down to a business decision.
Most companies make a risk calculation based on the odds of their data being breached and the impact a breach would have on their business. There are many models out there, but I personally appreciate the work of the FAIR Institute. (You can learn a little more about what FAIR and the Open Group are doing in this regard in one of my previous blogs.) The fact is that many of the companies we work for, and the vendors we share our data with, don’t place a high value on our data. But times are changing: regulations with steep fines are increasingly being enforced, and lawsuits are favoring the injured.
We have heard a lot about recently imposed fines on Uber ($148M), Yahoo! ($85M), Tesco Bank ($16M) and Anthem, which paid $16M in fines on top of a $115M class action settlement (the class action settlement was seven times the fine). That makes for a prominent entry in a risk model. Civil lawsuits cost time and money to fight, can be terrible for brand image and are expensive to settle (not to mention the cost if you lose the case).
This is what happened in Pennsylvania last week. Small news, but certainly a precedent in Pennsylvania and possibly an important one across the United States. The Pennsylvania Supreme Court determined that an employer has a common law duty to use reasonable care to safeguard employees’ personal information stored on an internet-accessible computer system (Dittman v. UPMC, No. 43 WAP 2017, Pa., Nov. 21, 2018). The court held that failure to do so can be negligent, and that employees may recover damages that are solely economic in nature (without physical injury or property damage).
You can read more here.
In short, it means the Pennsylvania courts have determined that our PII has value, and that if a company compels you to share your PII, it has as much responsibility to protect that data as it has to protect your health and safety at work. We all know it’s considered negligence if something dangerous in the workplace causes you to slip, fall and hurt yourself. In other words, the company is likewise negligent if it doesn’t create a safe working environment for your personal data.
The bean counters responsible for calculating an organization’s risk should think about sharpening their pencils and evaluating the cost of reasonable data security care versus the increased cost of losing control of PII. Encryption, tokenization and data masking are data security technologies that have long been recognized as best practices meeting the definition of taking reasonable care to protect data. Interestingly enough, many breach notification and privacy laws, like GDPR, allow organizations to demonstrate that data has been protected through these technologies and, as a result, companies do not have to officially announce that there has been a security breach.
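To make the distinction between tokenization and masking concrete, here is an added illustration in Python. It is not code from this post or from Thales; the `TokenVault` class is a hypothetical in-memory stand-in for a separately secured token service, and the employee records are constructed sample data. It shows why a dump of the application’s stored copy exposes no original SSN: the token is random and carries nothing of the value, while the masked form is irrecoverable by design.

```python
import secrets

# Constructed sample records (not real data): the kind of employee PII
# the post says an employer must take reasonable care to protect.
EMPLOYEES = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "salary": 91000},
    {"id": 2, "name": "Bob Sample",    "ssn": "987-65-4321", "salary": 78000},
    {"id": 3, "name": "Alice Example", "ssn": "123-45-6789", "salary": 91000},  # repeat
]


class TokenVault:
    """Hypothetical in-memory stand-in for a token vault.

    The vault is the only component able to map a token back to the
    original value. In a real deployment it is a separately secured
    service with its own access controls and audit log, so a breach of
    the application database alone yields only opaque tokens.
    """

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}  # same SSN -> same token, so joins still work

    def tokenize(self, value):
        token = self._token_by_value.get(value)
        if token is None:
            # Random, non-derivable token: nothing of the SSN survives in it.
            token = "tok_" + secrets.token_hex(8)
            self._value_by_token[token] = value
            self._token_by_value[value] = token
        return token

    def detokenize(self, token):
        return self._value_by_token[token]


def mask_ssn(ssn):
    """Data masking for screens, reports and test copies: the last four
    digits stay visible, everything else is irreversibly replaced."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def protect_records(records, vault):
    """Build the copy the application actually stores: the SSN is replaced
    by a vault token plus a masked rendering. The raw SSN never appears."""
    protected = []
    for rec in records:
        protected.append({
            "id": rec["id"],
            "name": rec["name"],
            "ssn_token": vault.tokenize(rec["ssn"]),
            "ssn_masked": mask_ssn(rec["ssn"]),
            "salary": rec["salary"],
        })
    return protected


def contains_raw_ssn(records, originals):
    """Breach check: would a dump of `records` expose any original SSN,
    with or without dashes?"""
    raw = {r["ssn"] for r in originals} | {r["ssn"].replace("-", "") for r in originals}
    for rec in records:
        for value in rec.values():
            if isinstance(value, str) and any(s in value for s in raw):
                return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    stored = protect_records(EMPLOYEES, vault)
    for row in stored:
        print(row)
    print("raw SSN present in stored copy:", contains_raw_ssn(stored, EMPLOYEES))
    # Only a caller with vault access can recover the original value.
    print("detokenized:", vault.detokenize(stored[0]["ssn_token"]))
```

The design choice worth noting is that the vault is keyed by value as well as by token, so repeated SSNs map to the same token and the application can still join or deduplicate on it; the masked column serves the people who only need to confirm "which Alice", and neither column needs the vault to be present for day-to-day use.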
At Thales we have experts and architects who can work with your IT staff and application teams to streamline the process of adding data security to your environments. Give us a call.