New Indiana Security Law
Is Your Customer Data Safe From the Bad Guys?
By Mark Clausman
Technology. It’s a blessing and a curse.
Yes, it makes the workday more efficient – high speed copiers, mass e-mail systems, PDAs, laptops and the list goes on. But those same systems mean sensitive customer data can be copied or shared without anyone's knowledge or intent.
If your company hasn't thought about how to protect sensitive data, and what a failure to do so means for your business, now is the time. Indiana Public Law 125 (codified at IC 24-4.9; www.in.gov/legislative/ic/code/title24/ar4.9), effective July 1, 2006, requires it of certain businesses.
Under the law, if computer systems are not appropriately secured and an Indiana resident's personal information is compromised, the business can face significant liabilities, including fines of up to $150,000. That is in addition to the cost of notifying customers, not to mention the harm done to the business' reputation.
What is PL 125 all about?
While I'm writing this from the perspective of an information technology professional, not an attorney, here are the basics. This is a state law affecting businesses that maintain customers' personal information in computerized databases. It requires appropriate measures to protect that information and, in the event of a security breach, official notification of the affected customers. If more than 1,000 Indiana residents are affected, the business must also notify each of the three credit-reporting bureaus, with a separate letter for each affected customer. Keep in mind that you should consult your attorney for the legal details if this law affects your business.
Indiana is now one of about 40 states with such a law. Organizations in one of the remaining states are not necessarily immune: if they do business with residents of a state that has a breach law (such as Indiana), they are held to that state's standard and liability.
What makes this Indiana law notable is that it covers every industry and business that handles Indiana residents' personal information, and it requires disclosure to each of those residents if there is a breach. Previous regulations had no such disclosure requirement; it was up to the business to decide whether it was in its interest to give customers the bad news.
The cost of an unintentional security breach can be staggering. Let's add it up. Say 25,000 customers have personal information that was inadvertently put at risk. The postage alone to mail them letters would be close to $10,000. Since more than 1,000 customers were affected, each of the three credit bureaus must receive a letter about each customer. That is another 75,000 letters, or roughly $30,000 in postage. Those figures don't include printing, paper and the manpower needed to get notices into the mailbox. There is the intangible cost to the organization's reputation, plus legal fees and the fines of up to $150,000 mentioned above. Finally, identity theft affects each of us, whether directly or through increased consumer costs, so there is a cost to the business community at large.
Protecting information
With the explosion of new technology, we face the reality of identity thieves – the bad guys – who are poised, ready and able to take advantage of vulnerabilities in your systems. Sensitive information turns up in places many organizations never think about. For example, many business owners are surprised when our firm finds sensitive data stored on "non-computing devices" such as copiers and fax machines. These devices keep copies of what they scan, your customers' private information included, typically on an internal hard drive or memory that is not wiped when the job finishes. They then go out for servicing, or are simply replaced, with that customer data still on them.
So what’s a business owner to do?
The first step in combating the bad guys is to implement a security program. If you already have one in place, how often is it reviewed? Implementing and reviewing a program not only helps your organization meet government regulations; it is simply good business.
The end goal of the process we use with clients is to implement and document best security practices. The process is as follows:
Determine risk potential. We accomplish this by performing a risk assessment that provides a snapshot of the organization's current risk status: identifying sensitive data, which systems contain it, where it resides, where it is transferred and what controls are currently in place.
Create a gap analysis. This shows the disparity between the current status and where the organization needs to be to meet security standards. It includes specific recommendations and an action plan to move the organization to the appropriate level of security.
Implement data protection standard practices. These could include:
Enforce corporate security policy and procedures
Require passwords on all computers, especially laptops that are frequently used at home or in outside business meetings
Encrypt sensitive data, especially on portable devices such as laptops and PDAs
Erase or destroy data storage devices, including the drives inside copiers and fax machines, before transferring them or throwing them away
Create an incident response procedure within your crisis plan that includes a disclosure policy
Document all of the above and have it available in the event of a breach or an audit
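As an added example (not code from the original article or from The Sterlyn Group), the following Python script performs the data-discovery half of the risk assessment described above: it walks a directory tree and reports which files, at which line numbers, contain likely payment card numbers (validated with the Luhn check digit) or U.S. Social Security numbers. The sample files, regular expressions and size limit are constructed assumptions for illustration; a real assessment would also cover databases, mail stores and the copier and fax machine storage mentioned earlier.

```python
"""Sensitive-data discovery: locate likely card numbers and SSNs in files.

Added example, not part of the original article. The patterns and the
sample files below are constructed for illustration; tune them for your data.
"""
import os
import re
import tempfile

# Candidate card number: 13-19 digits with optional single space/dash
# separators, not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in AAA-GG-SSSS form, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[dict]:
    """Return findings in text; values are masked so the report is safe to share."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Luhn filters most random digit runs (order numbers, timestamps);
            # it is a plausibility check, not proof the number is a live card.
            if luhn_valid(digits):
                findings.append({"kind": "card", "line": lineno,
                                 "masked": "*" * (len(digits) - 4) + digits[-4:]})
        for m in SSN_RE.finditer(line):
            findings.append({"kind": "ssn", "line": lineno,
                             "masked": "***-**-" + m.group()[-4:]})
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> list[dict]:
    """Walk a directory and report where sensitive data resides (path + line)."""
    report = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue        # this simple scanner skips very large files
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for finding in find_sensitive(text):
                report.append({"path": path, **finding})
    return report


if __name__ == "__main__":
    # Constructed sample files: an export with card data, an HR file with SSNs,
    # and a file of phone and order numbers that should produce no findings.
    samples = {
        "exports/orders.csv": "id,card\n1001,4111 1111 1111 1111\n1002,4111-1111-1111-1112\n",
        "hr/payroll.txt": "Jane Doe 123-45-6789\nJohn Roe 000-12-3456\n",
        "notes/phones.txt": "Sales: 317-439-0849\nOrder 20060701123456\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in samples.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        for f in scan_tree(tmp):
            print(f"{f['kind']:4} {os.path.relpath(f['path'], tmp)}:{f['line']} {f['masked']}")
```

Run against a file share or a copied disk image to produce the "where does it reside" inventory the risk assessment calls for. The second card in the sample export fails the Luhn check and the second SSN uses a never-issued area number, so neither is reported; the phone and order numbers are rejected by the digit-count and Luhn filters. Expect some false positives on long Luhn-valid numbers and review findings by hand before acting on them.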
If this process sounds daunting, revisit the cost example above, in which a company hit by the bad guys faces potential costs of more than $200,000. Then consider this: the cost of protecting yourself by setting up systems and processes now is less than 10% of that figure. Technology is a blessing or a curse. The choice is yours.
Author: Mark Clausman is president of The Sterlyn Group, specializing in information security solutions. He can be contacted at (317) 439-0849 or www.sterlyn-group.com