If you are really into keeping up with the Kardashians, then you might know that not long ago each of them released their own app and a matching website. Shortly after the release, though, some drama occurred that might not make their show but is just as juicy: a developer exploring Kylie Jenner’s site found a flaw in its code that let him pull other users’ data. In fact, it gave him access to the data of about 600,000 other users of Kylie’s site, and the other sisters’ sites had the same issue.
Luckily for the Kardashians, the flaw was found by an honest developer who reported it rather than by a criminal. Things could have turned out very differently if a less scrupulous person had found it first.
Doing the Math on Data Breaches
According to the Identity Theft Resource Center, as of November 3, 2015, there had already been 641 breaches in 2015, affecting more than 175,000,000 individuals.
Think about the ones you might be able to name just off the top of your head:
- Ashley Madison
- BlueCross BlueShield
- Office of Personnel Management
And going further back, who can forget the Sony Pictures hack last holiday season, in the middle of the whole The Interview debacle.
According to a study IBM and the Ponemon Institute published earlier this year, the average breach costs a company $3.79 million. On top of that cost, a breach opens you up to lawsuits (just ask Sony, which a year later is still working through its own) and serious reputational damage. And when the personal information lost belongs to your employees, workplace morale can be hard to recover.
Beyond the embarrassment of being caught unprepared, leaving yourself open to a data breach exposes you to a range of legal issues:
- Privacy issues
- Security issues
- Data breach notification laws
So unless dealing with all of the above sounds like fun, and you have a few million to spare to clean up the mess, it is wise to take steps to reduce the risk of a breach and to handle one properly if it does occur.
The steps below can save you time, money, and legal trouble, just for starters.
4 Steps to Reducing the Risk of Data Breaches
- Test Your Site.
When you launch a new site, and periodically afterward, you should be testing how data is captured, used, and accessed. There are many services that let you act as an attacker against your own site (penetration testing) to see how easy it is to reach data that should stay behind the scenes, such as other users’ records.
Do the same for any apps you publish, since they hold personal information too. Here, application threat modeling helps you work out where your security risks actually are before you start testing.
The more you test, the more likely you are to catch vulnerabilities (and fix them) before an attacker does. In other words, keep up with the testing.
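The kind of check these self-tests are meant to perform, as an added example that is not code from the Kylie Jenner site or any real application: the page only says a code flaw exposed other users’ data, so the missing-ownership-check pattern, the sample profiles, the session/user ids and the `probe_for_idor` helper are all assumptions for illustration.

```python
"""Added example (not the Kylie Jenner site's code): a record lookup with and
without an ownership check, plus the self-test that tells them apart.

The sample profiles, the session/user ids and the missing-ownership-check
pattern are all assumptions for illustration; the page only says a code
flaw exposed other users' data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    email: str


# Constructed records standing in for a site's subscriber table.
PROFILES = {
    1: Profile(1, "alice", "alice@example.com"),
    2: Profile(2, "bob", "bob@example.com"),
    3: Profile(3, "carol", "carol@example.com"),
}


class NotFound(Exception):
    """Returned to the client as a plain 404, whether the record is missing
    or belongs to someone else, so the endpoint does not confirm which ids
    exist."""


def get_profile_vulnerable(session_user_id, requested_id):
    """Looks the record up by the id the client supplied and never asks
    whether the logged-in user owns it. Any authenticated user can walk the
    id space and read every other user's data."""
    record = PROFILES.get(requested_id)
    if record is None:
        raise NotFound(requested_id)
    return record


def get_profile_hardened(session_user_id, requested_id):
    """Same lookup, but authorization happens before any data is returned:
    the record must exist AND belong to the session user."""
    record = PROFILES.get(requested_id)
    if record is None or record.user_id != session_user_id:
        raise NotFound(requested_id)
    return record


def probe_for_idor(handler, session_user_id, id_range):
    """Self-test in the spirit of 'act as a hacker on yourself': log in as one
    user, request every id in id_range, and report which OTHER users' records
    came back. An empty list is the result you want."""
    leaked = []
    for candidate in id_range:
        if candidate == session_user_id:
            continue  # reading your own record is allowed
        try:
            record = handler(session_user_id, candidate)
        except NotFound:
            continue
        leaked.append(record.user_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", probe_for_idor(get_profile_vulnerable, 1, range(1, 10)))
    print("hardened leaks:  ", probe_for_idor(get_profile_hardened, 1, range(1, 10)))
```

Run against the vulnerable handler the probe comes back with every other user’s id; against the hardened one it comes back empty. In a real application the safest form of the hardened version scopes the database query itself to the session user (for example `WHERE id = ? AND owner_id = ?`) rather than fetching first and checking second, so no code path can forget the check.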
- Keep Personal Information Personal.
This seems like a no-brainer: if no personal information is stored, no personal information can be breached. But how do you do that?
Depending on the nature of your business and site, it is probably not realistic to simply refrain from collecting personal information (meaning things like Social Security numbers, health records, and other data that, if an attacker accessed it, you would most likely have to report under a state notification law).
So when you do collect that information, what you do with it matters. Many notification laws apply only to information that was unencrypted, unredacted, or not otherwise rendered unusable. The more you do to render the stored information unusable on its own, the less damage a breach can do and the less likely it is to trigger a notification.
To be clear about what these terms mean:
- Encrypted information has been stored in a form that can be read only with a key or password. If encrypted information is taken, you often do not need to give notice unless the key or password was taken too, which is why the key must be kept separate from the data it protects: a key sitting in the same database or the same backup as the ciphertext gives you no such protection.
- Redacted information has been stored with the sensitive part removed, such as keeping only the last four digits of a Social Security number.
- Take Proper Security Measures.
If you really want to protect yourself, make sure you are using sound security measures. There is a lot you can do.
They say hindsight is 20/20, but the hindsight does not have to be yours. When you are breached, use it as a lesson: look back and see what you could have done better. But you do not have to wait for your own problem. When you read about other breaches, see what the victim did wrong; this is especially useful when they are in your industry. Are you doing the same things? If so, stop.
Of course, that’s only one step you should be taking. Consider all of the following as well:
- Only collect personal information you actually need, and only when you need it.
- Invest in proper security systems or professionals. Remember, the money you spend on protection now can save you millions later on.
- Train and monitor your employees. You would be surprised how often an attack comes from within, whether intentional or not.
- Catch Problems Early.
In case I have not given you enough examples yet, consider the Target breach of 2013. Here is a scary fact: in August of this year, the company settled with Visa for $67 million over that breach and is working on a similar deal with MasterCard. Yikes!
Want to know the worst part? Target admits it saw early warning signs of the intrusion but did not do enough about them because it did not take them seriously.
This is not uncommon. A recent Ponemon survey found that it takes retailers an average of 198 days (more than half a year) to spot a breach.
That is a lot of damage that could be avoided if people learned to spot the signs early and then act on them.
So here are some ways you can do that:
- Always keep track of your own analytics. It is like getting to know your website: if you know what is normal for you (and normal changes all the time, which is why this is a continuous exercise, not a one-off), then you will recognize what is not normal, and you will be able to see irregular activity as it happens.
- Pay attention to both inbound and outbound traffic. Inbound traffic shows you probing, such as one client requesting record after record; outbound traffic shows you data leaving, and an unexpected volume of outbound data is often the first sign of exfiltration.
- If something does not seem right, never ignore it. It does not hurt to investigate, but it can hurt a great deal not to.
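What “knowing your normal” looks like in practice for the inbound and outbound signals above, as an added example that is not part of the original article: the access-log line format, the `/api/users/<id>` record URL, the thresholds and the traffic itself are all constructed for illustration, and the baseline is simply the median client, recomputed every time the check runs.

```python
"""Added example (not from the original article): spotting one client that is
reading record after record, and pulling far more data out, than the rest of
your traffic. The log line format, the thresholds and the traffic itself are
constructed for illustration.
"""
import re
import statistics
from collections import defaultdict

# Assumed line format: "<timestamp> <client-ip> <method> <path> <status> <bytes-out>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
# Assumed shape of a per-user record URL on the site being monitored.
RECORD_RE = re.compile(r"^/api/users/(?P<id>\d+)$")


def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": int(m.group("bytes")),
    }


def summarize_by_client(lines):
    """Per client IP: how many distinct records it read (inbound signal) and
    how many bytes the site sent back to it (outbound signal)."""
    records = defaultdict(set)
    bytes_out = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 200:
            continue  # unparseable or unsuccessful: no data left the site
        bytes_out[ev["ip"]] += ev["bytes"]
        m = RECORD_RE.match(ev["path"])
        if m is not None:
            records[ev["ip"]].add(int(m.group("id")))
    return {ip: {"records": len(records[ip]), "bytes": bytes_out[ip]}
            for ip in bytes_out}


def find_outliers(summary, factor=5, min_records=10):
    """The baseline is the median client, recomputed on every run so that
    'normal' tracks the site as it changes. A client is flagged when its
    distinct-record count or its outbound bytes exceed `factor` times that
    median; the absolute floor keeps a user with a few records from tripping
    the enumeration rule on a quiet day."""
    if len(summary) < 2:
        return {}
    median_records = statistics.median([s["records"] for s in summary.values()])
    median_bytes = statistics.median([s["bytes"] for s in summary.values()])
    flagged = {}
    for ip, s in summary.items():
        reasons = []
        if s["records"] >= min_records and s["records"] > factor * median_records:
            reasons.append("enumeration")
        if s["bytes"] > factor * max(median_bytes, 1):
            reasons.append("outbound volume")
        if reasons:
            flagged[ip] = reasons
    return flagged


def constructed_log():
    """Constructed traffic, not real data: four users reading their own record,
    one client walking the id space, plus a 404 and a garbled line to skip."""
    lines = []
    for n in range(1, 5):
        for k in range(3):
            lines.append(f"2015-11-03T10:0{k}:00Z 10.0.0.{n} GET /api/users/{n} 200 800")
        lines.append(f"2015-11-03T10:05:00Z 10.0.0.{n} GET /static/app.js 200 1500")
    for uid in range(1, 41):
        lines.append(f"2015-11-03T11:00:{uid:02d}Z 10.0.0.99 GET /api/users/{uid} 200 800")
    lines.append("2015-11-03T11:01:00Z 10.0.0.99 GET /api/users/41 404 120")
    lines.append("garbled fragment from a truncated log upload")
    return lines


def detect(lines=None):
    """Run the whole pipeline over a list of log lines (default: the sample)."""
    if lines is None:
        lines = constructed_log()
    return find_outliers(summarize_by_client(lines))


if __name__ == "__main__":
    for ip, why in detect().items():
        print(ip, "->", ", ".join(why))
```

On the constructed sample the four ordinary users each read one record and receive a few kilobytes, while the fifth client reads forty records and receives roughly ten times the data, so it is flagged on both the inbound (enumeration) and outbound (volume) signals. The 404 and the garbled line are skipped rather than crashing the run, which matters when a detector is fed real logs. The median-times-a-factor rule is deliberately simple; the point is that the baseline comes from your own current traffic, not from a fixed number chosen once.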
How to Handle a Breach When One Does Occur
Even when you do everything right, something can slip through the cracks, or an attacker can simply be that good. When that happens, there are things you will need to do.
Almost every state has its own data breach notification law that you must follow if you want to avoid potentially severe consequences. In fact, only Alabama, New Mexico, and South Dakota do not. So you will need to follow the specific laws that affect you. Many of them are fairly similar, though, so to give you an idea of what may be required, let’s look at California’s.
California’s Data Breach Protection Law
In California, if you collect unencrypted personal information and your system is breached, you must notify affected residents in writing or electronically.
The notification must be written clearly in plain English and must include at least the following:
- Name and contact information for the reporting business or agency;
- Types of information that might have been taken;
- When known, the date, estimated date, or date range of the breach;
- Whether a police investigation caused a delay in giving notice;
- A general description of the breach; and
- The toll-free numbers and addresses of major credit reporting agencies when the breach included Social Security Numbers, driver’s license numbers, or state identification numbers.
You can also add what you are doing to protect people and advice on steps they can take to secure their information.
If notifying people individually would cost more than $250,000, or more than 500,000 people were affected, substitute notice may be given instead. Rather than telling each person individually, you notify major statewide media, email the affected people whose addresses you have, and, if you have a website, post the notice conspicuously on it.
If more than 500 California residents are affected, you must also notify the office of the Attorney General. And if the breach was your fault, you must cover the costs of mitigating the damage.
The After Effects of a Breach
When you do catch a breach, stopping the damage, getting law enforcement involved, and sending notifications should be your first concerns. When all of that is done, treat the experience as a teaching moment.
What should you have done differently?
The Kardashians were lucky. Their “hacker” came out and told them exactly how he had accessed the site. If you get breached, you probably will not have that experience. So make sure you close out this trying time with honest reflection.
Figure out where, if anywhere, you went wrong. Then fix it.
Getting breached once is bad enough; do not let your business get hacked again.