Who Left The Door Open? – Your Employees and Data Breach Prevention

Miles & Stockbridge P.C.

Recently, another massive data breach was caused, reportedly at least in part, by employee error.  Georgia Secretary of State Brian Kemp disclosed that an employee committed “a clerical error” and compromised the personal information of over 6 million voters.  To date, this is one of the largest, if not the largest, data breaches suffered by a state.  

In case you missed the details of this latest breach, the Georgia Secretary of State distributes voter registration rolls and monthly updates to news media outlets and political parties, who are able to purchase this information under present Georgia law.  The rolls, which are distributed via mail on unencrypted computer CDs, are only supposed to contain limited personally identifiable information (“PII”) – specifically, a voter’s name, residence, mailing address, race, gender, registration date, and last voting date.  According to Secretary of State Kemp’s November 19, 2015 press release, an employee in the IT department also included additional and more sensitive PII, including dates of birth, social security numbers, driver’s license numbers, voter registration numbers, phone numbers, and voter precinct information.  The employee who committed the error has since been terminated.  

Kemp’s office is now faced with a public relations black eye, a class action lawsuit, and, perhaps, millions of dollars in credit monitoring services for Georgia voters.  For example, in 2012, South Carolina spent $50 million on credit monitoring for the data breach of 5.7 million individuals after hackers accessed unencrypted tax returns stored by the Department of Revenue.  

The silver lining?  The Georgia voter data breach provides a great teachable moment from which private employers can learn several important lessons about data security:

  • See something, say something.  Stress the importance of prompt notification when an employee suspects a data security incident.  According to a subsequent press release from Georgia Secretary of State Kemp, the employee in the Georgia voter data breach knew of his “clerical error,” but did not report it.  In the world of cyber incidents, early detection is key to mitigating exposure and winning the war of public opinion.  As such, it is worthwhile to consider incentivizing early reporting.  This is particularly important because many employees will be hesitant to come forward if their own error or negligence is to blame.  Especially in the age of BYOD and other sources of portable media, it is essential that companies receive prompt notification when an employee has lost any device that contains or can access company systems, so that the device can be wiped clean remotely and/or any data breach notification requirements can begin in a timely fashion in accordance with applicable data breach notification laws.
  • Don’t be a hoarder.  Only collect PII that you have a reasonable business purpose to use.  The more data you collect, the more data you can lose in the event of a breach.  Similarly, only keep PII for the length of time that there is a business necessity to do so.  In the Georgia voter data breach, for example, the Georgia Voter Registration Form only requests the last four digits of a voter’s Social Security number.  Therefore, arguably, they may not have needed to collect and store full Social Security numbers in the first place.  It is also worth considering whether the Secretary of State needed to even retain Social Security numbers once voter information was successfully verified.
  • Be exclusive.  Promote practices so that employees can only access sensitive data if they have a business need to do so.  Explore ways to segregate sensitive PII from other data so that an employee who only needs access to certain PII does not also have access to more sensitive PII, like Social Security numbers and dates of birth.
  • Promote a “Sucker-Free” Zone.  Conduct data security training so that employees are well versed in the markers of phishing, social engineering, and other data mining efforts.  While not the culprit in this Georgia voter data breach, 60% of cyber incidents experienced by the manufacturing sector in 2014 were associated with cyber-espionage, according to Verizon’s 2015 Data Breach Investigations Report (“DBIR”).  Of this subset, for the second year in a row, more than two-thirds of these incidents involved phishing.  Similarly, the Verizon DBIR noted that large-scale data breaches involving point-of-sale intrusions (e.g., those involving Target and Home Depot) are beginning to show a pattern in which hackers first compromise an authorized user’s credentials and then go on to hack and harvest data.  Point-of-sale intrusions were the top type of data breach for multiple industries in 2014, such as accommodation (91%), entertainment (73%), and retail (70%).  So, it is important that employees are trained about practicing email “street smarts,” such as using complex passwords, not clicking on links from untrustworthy senders, not providing sensitive information without verifying the recipient, and verifying that the sender of an email is who he or she claims to be (instead of relying on the sender’s name in the “from” field, which can easily be fabricated).  
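The “don’t be a hoarder” and “be exclusive” lessons above, and the specific failure in the Georgia case (an outgoing file that carried columns it was never supposed to contain), can be turned into concrete controls: minimize sensitive fields at intake, project records through a per-purpose field allowlist when building an export, and audit the finished file against that allowlist before it leaves the building.  The following is an added example written for this update; it is not code from any state system or from Miles & Stockbridge.  The field names, the two purposes (`media_roll`, `registration_desk`) and the sample records are assumptions constructed to mirror the scenario described in the text.

```python
"""
Field-level allowlisting and data minimization for a sensitive record store.
Added example: field names, purposes and sample records are assumptions
modelled on the voter-roll scenario in the article, not any real system.
"""
import csv
import io
from typing import Dict, Iterable, List, Set

# Columns the article says the distributed roll is supposed to contain,
# keyed by the purpose of the disclosure (purpose names are hypothetical).
PERMITTED_FOR_PURPOSE: Dict[str, Set[str]] = {
    "media_roll": {
        "name", "residence", "mailing_address", "race", "gender",
        "registration_date", "last_voting_date",
    },
    # An internal purpose that legitimately needs a few more identifiers,
    # but still not dates of birth or Social Security numbers.
    "registration_desk": {
        "name", "residence", "voter_registration_number", "precinct",
    },
}

# Constructed sample intake records (not real people).
CONSTRUCTED_INTAKE: List[Dict[str, str]] = [
    {"name": "A. Voter", "residence": "1 Main St", "mailing_address": "1 Main St",
     "race": "W", "gender": "F", "registration_date": "2010-01-05",
     "last_voting_date": "2014-11-04", "ssn": "123-45-6789",
     "date_of_birth": "1970-02-03", "drivers_license": "D0000001",
     "voter_registration_number": "VR-1", "phone": "555-0100", "precinct": "P1"},
    {"name": "B. Voter", "residence": "2 Oak Ave", "mailing_address": "PO Box 2",
     "race": "B", "gender": "M", "registration_date": "2012-06-15",
     "last_voting_date": "2012-11-06", "ssn": "987-65-4321",
     "date_of_birth": "1985-09-09", "drivers_license": "D0000002",
     "voter_registration_number": "VR-2", "phone": "555-0101", "precinct": "P2"},
]

# A constructed example of a file that should never have gone out:
# it carries three columns beyond the media_roll allowlist.
BAD_EXPORT_EXAMPLE = (
    "name,residence,ssn,date_of_birth,drivers_license\r\n"
    "A. Voter,1 Main St,123-45-6789,1970-02-03,D0000001\r\n"
)


def minimize_at_intake(raw: Dict[str, str]) -> Dict[str, str]:
    """Store only what the business needs: keep the last four SSN digits
    (as the registration form itself requests) and drop the full number."""
    record = {k: v for k, v in raw.items() if k != "ssn"}
    digits = "".join(ch for ch in raw.get("ssn", "") if ch.isdigit())
    if digits:
        record["ssn_last4"] = digits[-4:]
    return record


def project(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Return only the columns the named purpose is allowed to see.
    Unknown purposes raise KeyError rather than defaulting to 'everything'."""
    allowed = PERMITTED_FOR_PURPOSE[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def build_export(records: Iterable[Dict[str, str]], purpose: str) -> str:
    """Write a CSV whose header is exactly the permitted column set, so an
    operator cannot add a column by accident when assembling the file."""
    columns = sorted(PERMITTED_FOR_PURPOSE[purpose])
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    for rec in records:
        writer.writerow(project(rec, purpose))
    return buf.getvalue()


def audit_export(csv_text: str, purpose: str) -> List[str]:
    """Pre-release gate for an outgoing file: return the header columns that
    are not permitted for this purpose (empty list means safe to release)."""
    header = next(csv.reader(io.StringIO(csv_text)), [])
    allowed = PERMITTED_FOR_PURPOSE[purpose]
    return sorted(col for col in header if col not in allowed)


if __name__ == "__main__":
    stored = [minimize_at_intake(r) for r in CONSTRUCTED_INTAKE]
    roll = build_export(stored, "media_roll")
    print(roll)
    print("clean export audit:", audit_export(roll, "media_roll"))
    print("bad export audit:  ", audit_export(BAD_EXPORT_EXAMPLE, "media_roll"))
```

The audit step is the one that matters for the “see something, say something” lesson as well: run as a mandatory check on the file actually being copied to media, it catches the extra columns mechanically, so release does not depend on the person who made the mistake choosing to report it.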

While companies often give the most thought to preventing hackers from getting in, companies would be wise to also pay attention to whether their own employees are leaving the door open.  The Ponemon Institute’s most recent report blames 19% of the 2014 U.S. data breaches on employees or other unintentional insiders.  This number, however, is likely much higher when one takes into account the portions of the other breach categories that are also attributable to employees, such as attacks carried out by malicious employees or when outsiders exploit security gaps created by employees.  The precautions described above can make the difference between a secure system and a scenario where one of your employees causes the next data breach headline.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising

