Sam Dekay

An Analysis of the Privacy Rights Clearinghouse “Chronology of Data Breaches” and Implications for Information Security Professionals (pt. 2)

However, breaches caused by inappropriate access to data via the Internet and by hackers may be significantly reduced by implementing controls traditionally associated with information security. A secure network architecture, with firewalls installed at appropriate points and procedures that ensure firewall access rules are written with security in mind, will greatly contribute to the prevention of inappropriate access via the Internet and by hackers. The deployment of intrusion protection devices will also deter hackers. However, weak network architecture and hacker activity account for only 32% of all reported breaches. It seems that information security is only one of many participants, and not necessarily the most critical one, in the breach prevention effort.

2.  An organizational culture that promotes the privacy of personally identifiable information, encouraged by federal regulation, is more likely to prevent data breaches than the passage of state breach notification laws.

Health-related organizations have, for many years, been aware that the Health Insurance Portability and Accountability Act mandates the establishment of controls (including electronic controls) for patients' personally identifiable health information. Similarly, the Gramm-Leach-Bliley Act and its subsequent regulatory guidance require that financial services institutions regulated by the Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and other controlling agencies develop programs to protect the privacy of nonpublic personal information. Interestingly, financial services and health-related organizations report the lowest numbers of data breach incidents.

Although the Privacy Act of 1974 mandates that agencies of the federal government develop controls to protect the privacy of individuals, local and state governments are not subject to a similar requirement. Analysis of the Clearinghouse database indicates that 85% of governmental offices reporting breaches in 2007 were state and local.

Federal regulations do not mandate that educational institutions adopt the types of privacy controls that have been imposed on financial services and health-related organizations. Private businesses, such as retail establishments, are similarly unregulated by federal authority. However, educational institutions and private businesses account for the highest frequencies of data breach incidents.
