ROT being stored by your company is putting you at risk for a data breach

Financial services firms are intertwined with many industries, which puts them among the primary data breach targets because of the perceived value of the data they hold. These CPAs, tax advisers and brokerages may advise clients on how to properly protect vital information, but it is also important that they focus on their own risks (for example, the unnecessary storage of redundant, obsolete or trivial information, known as ROT) to create an internal culture of security and privacy.

“Any risk-based decisions need to be protected,” says Douglas C. Williams, CEO of Williams Data Management. “There are everyday actions and inactions that can put a company at risk for corporate espionage or an unintentional breach of information. The size of the business doesn’t matter. Companies need to focus on what information is carried with or accessed by employees and how it can remain protected at all times.”

Smart Business spoke with Williams about steps financial services firms should take to protect client data from a costly breach of information.

What is the most sensitive information financial firms have?

The most sensitive information is that which has to do with clients. Those personal information sets with traceable numbers (Social Security numbers, financial accounts, dates of birth, graduation dates, any and all information that links to that person) can open up any door. That adds up to a personal dossier of a client, and that’s got to be protected both digitally and on paper.

Do these firms have a blind spot when it comes to security and privacy?

Companies often store ROT too long. On average, 30 percent of data stored are not needed and should be destroyed. Such data may include personal information that can be used to obtain passwords or directly access accounts, which is a costly oversight. For example, Target Corp. reported it had incurred $248 million in expenses in the year that followed its 2013 data breach.

Client information that’s past its useful life — meeting notes, strategies, and customer information — is actionable if discovered by someone else.

Why do organizations still have ROT?

There are lots of ‘what-if’ questions that compel companies to keep ROT around: What if we need it? What if we get sued? What if we can use it for someone else? What if we want to get that customer back, or talk to their heirs and beneficiaries to re-establish a relationship?

There should be a process of identifying what information must be kept, why and for how long. This allows a firm to establish an end point of a document’s lifecycle, which avoids ROT, mitigates risks and reduces storage costs, which have a tendency to multiply exponentially.

How can financial firms create a culture of security and privacy?

It starts with the C-suite setting policies that dictate how data stored on or accessed through mobile devices are protected. Is that information password protected? Encrypted? How is it downloaded or how is it protected from being downloaded?

It’s been found that employees, whether by fraud or fault, account for 85 percent of data breaches. Of that, 75 percent of leaked company information is obtained physically and not through digital hacking — stealing documents from a company’s trash bin or a lost thumb drive, for instance. So any security policy must include methods of protecting all types of sensitive business information.

What can organizations do today to minimize their data and information security risks?

Start by identifying and classifying sensitive information, and put a data disposal policy in place to get rid of ROT.

Scale down accessibility of information through data monitoring, security controls and advanced technologies. Install video surveillance in restricted areas, and use keypad locks and other means of tracking entry to restricted areas.

Insights Compliance & Information Governance is brought to you by Williams Data Management

Health care entities must protect patient data throughout its lifecycle

When people refer to the health care industry, they usually mean hospitals, health care providers and other frontline services.

What may not be commonly known is that, in the eyes of the law, business associates of the covered entities — vendors, outsourced partners — are also part of the industry, and the retention regulations vary state by state.

That makes it important for health care entities to ensure that their business partners are doing all they can to guard protected health information (PHI) that is exchanged during the normal course of business. Otherwise, there can be significant penalties.

Smart Business spoke with Douglas C. Williams, CEO of Williams Data Management, about PHI and guarding it through its lifecycle.

What does the lifecycle look like for the data being managed by these entities?

The lifecycle of PHI is quite long. For instance, pediatric files must be kept until the individual turns 21. Adult medical records must be held for at least 10 years, though, subject to the discretion of the physician, they may be held longer.

If a records storage facility is holding boxes of records that contain sensitive or protected information for a hospital, both the federal laws and the internal governance rules of the hospital are at play.

So, essentially the lifecycle is whatever the hospital wants it to be. In this scenario, the records storage facility is the business associate and is subject to identical regulatory conditions as the covered entity, which makes the storage facility subject to the notification protocols in the event of a breach.
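The retention periods quoted above (pediatric files until age 21, adult records for at least 10 years, longer at the physician's discretion) and the earlier point that a firm should fix an end point for each document's lifecycle so ROT can be disposed of are easy to state and easy to get wrong in practice. The following is an added example, written for this page and not code from the interview or from Williams Data Management, that turns those rules into a disposal-queue check. Everything in it is constructed: the `Record` type, the rule that the patient must have been under 18 at the last service for the pediatric rule to apply, the assumption that the longer of the two periods governs when both could apply, and the sample records. Real schedules vary by state and by the covered entity's own governance rules, as the article notes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Retention periods as stated in the interview. Illustrative only: the article
# itself notes that retention regulations vary state by state.
PEDIATRIC_RETAIN_UNTIL_AGE = 21   # pediatric files kept until the patient turns 21
ADULT_RETAIN_YEARS = 10           # adult records held for at least 10 years
AGE_OF_MAJORITY = 18              # assumption: "pediatric" means under 18 at last service
AS_OF = date(2024, 6, 1)          # constructed review date for the sample run


@dataclass
class Record:
    record_id: str
    patient_dob: date
    last_service: date                            # date of the final entry in the record
    physician_hold_until: Optional[date] = None   # discretionary extension, if the physician set one


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; a Feb 29 origin lands on Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record) -> date:
    """Return the date on which the record's lifecycle ends and it becomes ROT."""
    adult_end = add_years(rec.last_service, ADULT_RETAIN_YEARS)
    if rec.last_service < add_years(rec.patient_dob, AGE_OF_MAJORITY):
        # Pediatric rule: keep until the patient turns 21. Assumption: when the
        # 10-year rule would run later than that, the longer period governs.
        end = max(add_years(rec.patient_dob, PEDIATRIC_RETAIN_UNTIL_AGE), adult_end)
    else:
        end = adult_end
    if rec.physician_hold_until is not None and rec.physician_hold_until > end:
        end = rec.physician_hold_until          # physician's discretion only ever extends
    return end


def disposal_decision(rec: Record, as_of: date) -> Tuple[str, date]:
    """Classify a record as 'retain' or 'destroy' as of the given date."""
    end = retention_end(rec)
    return ("destroy" if as_of > end else "retain"), end


def build_disposal_queue(records: List[Record], as_of: date) -> List[str]:
    """IDs of records past their lifecycle end: the ROT a disposal policy should remove."""
    return sorted(r.record_id for r in records if disposal_decision(r, as_of)[0] == "destroy")


# Constructed sample records (not real patient data).
SAMPLE_RECORDS = [
    Record("A", date(2000, 3, 15), date(2012, 5, 1)),                    # pediatric; over 21 and 10 years elapsed
    Record("B", date(2010, 7, 20), date(2015, 1, 10)),                   # pediatric; patient turns 21 in 2031
    Record("C", date(1970, 1, 1), date(2013, 2, 28)),                    # adult; 10 years elapsed
    Record("D", date(1970, 1, 1), date(2013, 2, 28), date(2026, 1, 1)),  # adult; physician hold extends it
    Record("E", date(2004, 2, 29), date(2008, 6, 1)),                    # pediatric; leap-day birthday
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, *disposal_decision(rec, AS_OF))
    print("disposal queue:", build_disposal_queue(SAMPLE_RECORDS, AS_OF))
```

The point of the `physician_hold_until` field is that a discretionary extension must be recorded on the record itself; otherwise an automated disposal run has no way to know the file was deliberately kept, and a record that should still exist is destroyed. The leap-day case is included because date arithmetic on birthdays is where retention scripts most often break.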

What legal consequences are at play when it comes to PHI?

In the event that a company loses PHI through theft, unauthorized disclosure, improper disposal or a hack, the company would need to notify anyone who was affected and disclose what information was lost.

Then the company would need to determine who stole the information and what information was lost, and ascertain how it might be recovered. If that information can’t be recovered, the company must notify those affected that their private information is potentially in the public domain.

In addition to the civil penalties, criminal penalties may be imposed ranging from a fine of $50,000 and a year in prison to fines of $250,000 and up to 10 years in prison. These criminal penalties may be imposed on specific individuals as well as the covered entity.

In addition, the Department of Health and Human Services has the authority to exclude from participation in Medicaid any covered entity that was not compliant with the transaction and code set standards.

What are the challenges related to keeping PHI secure?

Security threats can include hacks, thefts and improper disposal of sensitive information, but also multiple data sources/applications, information silos, inadequate policies and procedures, poor employee training, audits and access controls.

Protections against hacks include breach security and anti-hacking software, firewalls and multi-level passwords. On the physical side, key card readers, biometric scans and security clearance measures are used to limit access to sensitive information.

To protect against human oversight, make sure anyone handling sensitive information understands proper protection protocols. Change the passwords that guard protected information every 60 days, and quickly block access for workers who are no longer employed at the company.

What should happen to PHI that reaches the end of its lifecycle?

Destroy all hard copies of the information using a certified shredding service. These providers pulverize documents into unrecognizable pieces. The same thing can be applied to hard drives, CDs and other electronic media storage devices.

Destroying digital information is a little more difficult because of the redundancy that’s often inherent in computer networks. That means it’s up to IT and compliance personnel to locate and permanently delete all sources of the data that are due to be destroyed.

Should that information get shared outside of a company’s protected network, there’s very little anyone can do.
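The redundancy problem described above is concrete: a record due for destruction usually exists as the original, a backup export and a user's "copy of" file, and a deletion that only removes the file you know about leaves the others behind. The following is an added example for this page, not code from the interview or from Williams Data Management, showing the inventory step: it indexes a share by content hash so every copy is found whether or not it kept its name, then removes them. The sample tree, file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file's contents in chunks so large record exports are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_by_content(root):
    """Map content hash -> every file under root with that exact content."""
    index = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            index.setdefault(sha256_of(p), []).append(p)
    return index


def find_all_copies(root, targets):
    """For each record due for destruction, list every copy under root.

    Matching is by content hash, not file name, so renamed backups and
    'copy of' duplicates are found along with the original."""
    root = Path(root)
    index = index_by_content(root)
    return {
        Path(t).name: sorted(str(p.relative_to(root)) for p in index.get(sha256_of(t), []))
        for t in targets
    }


def purge_copies(root, targets, dry_run=True):
    """Delete every located copy; with dry_run the paths are only reported.

    Unlinking does not overwrite the blocks on disk, so this is the inventory
    and logical-deletion step; media that held destroyed records still needs
    the physical destruction the article describes."""
    removed = []
    for rel_paths in find_all_copies(root, targets).values():
        for rel in rel_paths:
            if not dry_run:
                (Path(root) / rel).unlink()
            removed.append(rel)
    return sorted(removed)


def build_demo_tree():
    """Constructed sample share: one record, two stray copies, one unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="phi-demo-"))
    record = b"patient-0001: constructed sample content, not real PHI\n"
    files = {
        "records/patient-0001.txt": record,
        "backups/2019/export.bak": record,              # same bytes, different name
        "shared/copy of patient-0001.txt": record,      # user-made duplicate
        "records/patient-0002.txt": b"unrelated record\n",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    target = root / "records/patient-0001.txt"
    print("copies found:", find_all_copies(root, [target]))
    print("would remove:", purge_copies(root, [target], dry_run=True))
```

Run the dry run first and reconcile its output against the disposal queue before removing anything; the `dry_run` default exists so that a compliance reviewer can sign off on the list of copies before IT executes the deletion.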
