United States: The Most Overlooked Component of Data Security: Your Employees

Data security practices in the private sector are under growing scrutiny by the Federal Trade Commission, state attorneys general, and other state and federal regulatory agencies, as evidenced by the fines imposed on companies such as Tower Records, Barnesandnoble.com, Microsoft, and Victoria’s Secret. According to a recent survey by PricewaterhouseCoopers, nearly half of the fastest growing companies in the United States have suffered a breach of data security in the past couple of years.¹ California now requires companies to provide written notice to California residents who may be affected by certain data security breaches. Similar legislation has been proposed at the US federal level, and the new Japanese Data Protection law will have a similar obligation. The potential ramifications of a data security breach have never been greater, and will only continue to grow.

While focusing on the technological aspects of data protection, companies often neglect the most critical component of any data security program: their employees. A company’s investment in firewalls, encryption, password protections, and other security measures can be completely undermined, even accidentally, by a single employee. At the same time, employees can be one of the company’s best lines of defense against internal or external data security breaches. This article will analyze the real-world risks to the security of your data, and then describe how to create a data security program that capitalizes on your company’s investment in its employees, as well as in technical data safeguards.

Data security practices tend to focus on the risks posed by a computer hacker, while overlooking the risks posed by a colleague in the next cubicle. The vast majority of employees may be trustworthy, but a moment of haste, anger, or greed may transform an employee into a serious threat to the company’s data. There are countless stories in the media about data security breaches caused by employees, such as the following real-life examples:

• an employee of a financial institution left a laptop computer containing customer data in an unlocked car, and the laptop was stolen;
• a former employee gained access into the company’s personnel database and deleted records of compensation, promotions and awards, and employee transfers;
• a support center employee at an Internet access company secretly downloaded personal information of half a million subscribers and threatened to post it on the Internet unless the company paid millions of dollars in ransom.

These examples demonstrate the broad range of employee actions, from unintentional to unlawful, that can compromise the security of an employer’s data. That being said, the risk of intentional theft or misuse of data by employees should not be underestimated. According to a new study, up to 70% of identity theft in the United States starts with data theft by an employee.² As much as a company trusts its employees, it must protect its data against the type of "worst-case scenario" that can be caused by a disgruntled or careless employee. A fundamental principle of data security is to grant access only to the data that an individual actually needs to perform his or her work for the company. As an illustration, imagine that a manager decides to compile a master spreadsheet of the top 500 customers and all of their key purchasing statistics, in order to distribute it to the executive committee of the company. The manager accidentally mistypes the name of one of the recipients, thus sending the spreadsheet to an employee in a different company, who shares it with others. This situation would be embarrassing enough if the spreadsheet only included the customers’ names. But what if the spreadsheet also included other personal facts about the buyers at each customer (i.e., name of spouse and ages of kids as well as home telephone numbers). In that case, this single misaddressed spreadsheet could expose large numbers of customers to the risk of identity theft or other problems. This extra risk could have been avoided by granting the manager access only to the data that he actually needed to perform his job. (After all, why would the manager have needed access to the personal information about the customers in the first place?) There would have been no downside to limiting the manager’s access, and it would have greatly reduced the damage accidentally caused by this single individual. Moreover, while this illustration involved customer data, the same principle also applies to payroll data or any other type of confidential data: limiting access to confidential data is one of the best ways to reduce the odds of a data-security disaster.

In the scenario we just considered, the manager did have a legitimate need to access certain types of customer data (e.g., who top customers were) but did not really need access to other types of data (e.g., notes about particular contacts). Rather than giving the manager unlimited access to the database, the company should have granted the manager access to only the categories of data that he actually needed. Different categories of data, even within the same database, often require very different levels of confidentiality. As databases grow larger and more detailed, it is no longer sufficient to label an entire database as "confidential" and purport to treat all information in that database in the same manner. For instance, the names and addresses of customers who are common knowledge in the industry are much less confidential than the terms of the company’s transactions with those customers or suppliers. Other types of contact information about a publicly-known customer may be confidential, however, such as the identity of a key decision-maker who works behind the scenes. Treating all customer data as equally confidential is likely to result in unnecessary restrictions on publicly-available data, and inadequate protection of the most valuable and proprietary types of data. Thus, in order to apply the appropriate safeguards, a company must identify the degree of confidentiality that should apply to each category of data.

Aside from minimizing potential data breaches, assigning different levels of confidentiality is essential in preserving trade secret or other applicable legal protections. Trade secret protection requires the company to prove: (1) that certain data is economically valuable because it is not known to others, and (2) that the company has taken reasonable measures to protect its secrecy. The greater the number of employees with access to the alleged trade secret data, the greater the difficulty of proving that the company has taken reasonable measures to maintain its secrecy. In general, there instead should be an inverse relationship between the value of certain data and the number of employees with access to that data. Otherwise, a court may be reluctant to recognize the data as a trade secret, and thus deprive the company of remedies available under the Uniform Trade Secrets Act or similar laws prohibiting the misappropriation of trade secrets.

Even with respect to data that do not qualify as a trade secret, a company must take measures to create and preserve legal protections for its confidential data. Companies should consider creating a contractual obligation for its employees to maintain the confidentiality of its data. This contractual protection can be created by requiring each employee to sign a confidentiality (also known as a nondisclosure) agreement. The confidentiality agreement can include a broad definition of information that is considered confidential, and also should provide specific examples of confidential data (such as formulas, inventions, and customer lists). Additionally, the company can bolster the confidentiality agreement by requiring new employees to sign new-hire certificates and requiring departing employees to sign termination certificates confirming their obligations to maintain the company’s data in confidence. The confidentiality obligations contained under these agreements create legal protections for the company’s data, even if it does not qualify for trade secret protection. Regardless of the data’s legal status, maintaining appropriate levels of confidentiality is integral for preserving any type of legal protection against disclosure of the data.

As we have seen, any company with confidential data needs an integrated data security policy that covers risks arising from both technical failures and human foibles. This policy should include a data classification system for identifying confidential data, access controls to limit internal and external access to data, and employee training.

Creating a Data Classification System

To lay the foundation for any data security program, it is necessary to assess the various forms in which data are maintained. It is not uncommon for data security policies to contain state-of-the-art protections for computerized data, while failing to impose any restrictions on the creation or handling of printed copies of the same data. Employees also may transport data in other forms, such as files saved on the hard drives of their laptop computers or spreadsheets stored in their personal data assistants (PDAs). A company may find that its employees are storing and transporting data in new ways that have not been considered or approved by management. Unless these practices are identified and evaluated, however, there inevitably will be gaps in the coverage of the data security program.

After assessing the forms in which its data are maintained, the company should begin evaluating the level of confidentiality protection that should apply to each type of data. This classification process requires balancing of the company’s aim of keeping all of its data confidential against its real-world operational needs. It does little good to classify all customer data as uniformly confidential, if the same confidentiality safeguards will not be followed in practice. In fact, this type of automatic classification of all data as confidential may be counterproductive, as it may give the impression that the company is failing to comply with its own data security policy. It also may increase the difficulty of enforcing trade secret or confidentiality protections, because the employee could argue that the company’s noncompliance with its data security policy is evidence that the company does not actually treat the data as secret or confidential. Consequently, a company needs to approach its confidentiality classifications in a realistic manner and avoid setting standards that it cannot meet.

In classifying the level of confidentiality that should apply to each category of data, companies will generally find that different data fields or data sets within a single database require different levels of confidentiality. For instance, employee compensation is generally treated as confidential, but employee Social Security numbers should be subject to an even greater degree of confidentiality due to the risk of identity theft. Thus, again, managers may be granted access to compensation data from the company’s payroll database, while not being allowed access to the Social Security numbers contained in the same database. Just because the various types of data are contained in the same database does not mean such data should be accorded identical treatment.

After structuring this type of data classification system, the company can coordinate appropriate access controls for each classification. Access controls take a variety of forms, but serve the general purpose of controlling internal and external access to data. Beyond imposing standard controls based on the level of confidential information, access controls also should be used to limit an employee’s access to the subsets of confidential information that he or she actually needs. Technical access controls can include — but certainly are not limited to — firewalls, encryption, masking, suppression, and a password.

Access Controls Aren’t Just for Computers Anymore

Aside from placing controls on systems to limit access, companies should place controls on other devices used to store confidential information. PDAs are increasingly used to store customer contact information, data files, and other confidential information. PDAs are also easy to misplace or lose, due to their small size. At a minimum, companies should place password protections on laptops, PDAs, and other devices containing confidential information. Companies that allow employees to store confidential data on their personal laptops, home computers, or PDAs should reconsider this practice. Not only is it difficult to ensure that personally-owned devices are equipped with appropriate access controls, but also it is nearly impossible to ensure that all company data is permanently deleted from the device when the employment relationship ends. Ideally, the company should have ready access to all laptops, PDAs, and other devices used to store confidential company data.

Passwords also should be used to protect individual files or documents containing highly confidential information. Considering that a single mistyped letter in an email address can send it to an entirely different recipient, password protection is more than worth the extra bit of effort. Thus, an organization should consider adopting a policy that any documents that contain highly sensitive information should be password-protected.

The New "Added Value" of Encryption

Encryption deserves special discussion, due to the new California security breach notification statute. This statute, codified as Section 1798.82 of the California Civil Code, requires any person or business conducting business in California to provide notice in the event of a security breach of computerized data containing unencrypted "personal information." "Personal information" means an individual’s first name or initial and last name in combination with one or more of the following, if any of these data elements are unencrypted: (a) Social Security number, (b) driver’s license number or California identification card number, or (c) account number or credit or debit card number, along with any required security code, access code, or password that provides access to that account. If the security of this data is breached, the company is required to provide written notice to every California resident whose personal information may have been accessed. Similar legislation has also been proposed at the federal level and will soon be the law in Japan. The costs of notifying your customers of a security breach are not solely monetary, but can include reputation and relationship damage as well. As a consequence, companies should reevaluate whether it is truly necessary to maintain Social Security numbers or other types of personal information that may trigger a notice obligation. This California notice statute also provides a significant new incentive for companies to encrypt the personal information that they do maintain, thus limiting or avoiding this notice obligation entirely. In Japan, several companies have recently given notice to customers as a result of significant security breaches. The new data protection law, which goes into effect in April 2005, contains an obligation to notify individuals and the appropriate government ministries in the event of a security breach.

Taking Special Precautions in Providing Data to Vendors

Companies that provide their confidential information to vendors or other third parties should implement a uniform policy of requiring the vendor to sign a nondisclosure agreement. At a minimum, the nondisclosure agreement should prohibit the vendor from disclosing your data without written permission, or from using your data for any purpose other than performing the terms of the contract. It is also common to require the vendor to represent that it will implement appropriate technological and procedural safeguards to protect your data, and that these safeguards will be at least equal to the safeguards that the vendor uses to protect its own data. Some companies also require vendors to represent that each of their employees has signed a confidentiality agreement that would cover the company’s data.

Additionally, companies may negotiate an indemnification provision that requires the vendor to reimburse the company for any losses or expenditures that result from a breach of the data maintained by the vendor. This type of indemnification provision is likely to become more common due to the potential expense of providing notice of a security breach under the new laws. The California data security breach notification statute also may lead more companies to require vendors to encrypt the transferred personal information, in order to avoid triggering this notice obligation.

Identifying a Process Owner

Establishing a data security policy is not a one-time project, but requires continual administration and periodic evaluation and updating. Companies generally should identify a particular individual or group as the owner of this process. The process owner should be responsible for ensuring that each category of data is appropriately classified and protected. Additionally, the process owner would take more long-term responsibility for proposing modifications to the data security policy based on the company’s evolving needs and practices.

Adopting a Written Data Security Policy

The steps described above will culminate in a written data security policy, which needs to strike a workable balance between the company’s security needs and its operational requirements. A data security policy is of little use if it would prevent employees from having access to information needed to perform their jobs, or if it is too general to impose any specific limitations on an employee’s access to data. As a result, the policy must be tailored to the company’s individual needs and practices.

The written data security policy should describe the company’s data classification system, mandatory and recommended uses of access controls, and restrictions on transfer or use of confidential information. It also may address related issues, such as the requirement for each employee to sign a confidentiality agreement and required elements of nondisclosure agreements with vendors. Finally, the policy should identify the process owner and encourage employees to direct questions or concerns to the process owner or delegate. Companies also may want to consider providing a means for employees to report concerns anonymously, or assure employees that the company will not permit any reprisal against an employee for raising a good-faith concern about data security practices.

The ultimate purpose of the data security policy is to improve and standardize security practices throughout the company. This will only happen if employees know about and understand the policy. Generally, it is insufficient merely to email a copy of the policy to all employees, assuming that they will have time to read and absorb the policy. The best way to reinforce the policy is to provide employees with training that covers both the basic and more advanced aspects of data security practices. Employees should be reminded of the importance of everyday precautions, such as deleting or shredding confidential information once it is no longer needed, password-protecting confidential files, and exercising caution in using the public Internet outside the company’s firewall. Beyond the basics, employees should be trained about how to handle a worst-case scenario, in which there has been a data security breach. All employees should know whom to call if a security breach is suspected, and employees with IT responsibilities also should be trained in taking actions to stop or minimize unauthorized access upon learning of a breach. In jurisdictions requiring notice of a data security breach, including California and Japan, management should be prepared to contact knowledgeable attorneys to discuss the company’s legal obligations and whether to involve law enforcement. A data security breach requires a rapid response and, by the time such a breach occurs, it is too late for this type of planning.

The importance of informing and training employees about data security practices cannot be underestimated. Without active employee involvement and follow-through, a data security policy is little more than a piece of paper or a page on an intranet site.

Concluding Thoughts

Not long ago, Human Resources departments handled employee issues, and IT departments handled technology issues, with little overlap or interaction. Today, the growing risk of data security breaches, combined with our new understanding that most of these breaches begin internally, compels an entirely different approach. Companies must take precautions against both inadvertent and intentional breaches or disclosures of data by employees. At the same time, companies must train and empower their employees to protect the confidential data that provides their livelihood. Only by capitalizing on their investment in their employees, as well as their investment in technological solutions, can companies successfully protect their data against the growing number of internal and external threats to their security.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved