Data Privacy Micc Presentation (Presentation Transcript)
DATA PRIVACY Ashish S. Joshi, Esq. Lorandos & Associates Trial Lawyers Michigan – New York – Washington, D.C. – India
Businesses collect and store sensitive information: social security numbers, credit card and bank account information, medical and personal data.
Businesses have a legal obligation to protect this information.
Failure to exercise due diligence in protecting sensitive data could lead to fraud and identity theft – and expose a business to serious legal liability.
Exposure to Legal Liability
Federal Law : The Federal Trade Commission (FTC) enforces several laws that have information security requirements: The Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act.
State Law : Michigan law requires immediate notification of a security breach, along with ancillary measures. Failure to provide a required notice may subject a person to a civil fine of up to $750,000 and/or prosecution by the State Attorney General. A majority of states have similar laws.
Private Lawsuits : Lawsuits filed by victims of identity theft and/or fraud can involve a business in a long and expensive litigation.
Peer-To-Peer File Sharing
P2P technology is a way to share music, video and documents, play games, and facilitate online telephone conversations.
Popular P2P programs: BearShare, LimeWire, KaZaa, eMule, Vuze, uTorrent and BitTorrent.
P2P Security Risk
If P2P software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.
Employees using P2P programs may inadvertently share files.
Instead of just sharing music on a lunch break, an employee may end up “sharing” his or her company’s highly sensitive information.
Once a user on a P2P network downloads someone else’s files, the files cannot be retrieved or deleted.
Create a Policy and Enforce It.
The decision to ban or allow P2P file sharing programs on your company’s network involves a number of factors.
Whether you decide to ban P2P file sharing programs or allow them, it’s important to (a) create a policy, (b) implement it, and (c) enforce it.
Prepare a plan that you can implement – effectively and efficiently – in case of a security breach.
If You Decide to Ban P2P Programs…
Block access from your network to sites used to download P2P programs – especially, the sites that offer free software.
Use scanning tools to find P2P file sharing programs and remove them.
Install tools that create records of file transfers to detect P2P traffic.
Review activity logs on your network to identify traffic volume spikes that may indicate big files (or a large number of small files) are being shared.
Install data loss prevention tools that inspect outgoing files for sensitive information.
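The last step above, a data loss prevention check on outgoing files, can be illustrated with the kinds of data named at the start of the presentation (social security numbers and card numbers). The following is an added example, not code from the presentation or from any DLP product; the file contents are constructed, and the SSN and card patterns plus the Luhn checksum are a minimal filter, not a complete DLP rule set.

```python
import re

# Constructed sample of an outgoing file, the kind a DLP filter inspects
# before letting it leave the network (hypothetical content, not real data).
OUTGOING_FILE = """\
Customer export, Q3
name: Jane Doe, ssn: 123-45-6789
card: 4111 1111 1111 1111
phone: 555-0100
order id: 1234-56-7890 (order id, not an SSN)
"""

# SSN shape with the invalid area/group/serial ranges excluded to cut false hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; validated by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates plausible card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return the SSNs and Luhn-valid card numbers found in a text blob."""
    ssns = SSN_RE.findall(text)
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


def should_block(text: str) -> bool:
    """Policy decision: block the transfer if any sensitive item is present."""
    hits = find_sensitive(text)
    return bool(hits["ssn"] or hits["card"])


if __name__ == "__main__":
    print(find_sensitive(OUTGOING_FILE), "block:", should_block(OUTGOING_FILE))
```

In a real deployment the same check would run on the egress path (mail gateway, proxy, or file-transfer monitor) and log the hit rather than only returning a boolean.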
If You Decide to Allow P2P Programs…
Review various P2P programs, and select one that is appropriate for your company.
Permit only the approved program.
Provide the approved program directly to authorized users from an internal server, not from a public download site.
Update the approved P2P program from an authorized source to incorporate the latest security patches.
If You Allow Remote Access…
Provide dedicated company computers to employees who work remotely.
These computers should have the same security measures that you use at work.
Remote access should be allowed only through secure connections like VPN or SSL.
Exercise due diligence in deciding who you allow to access your network remotely.
Train Your Employees
Keeping sensitive information secure is the responsibility of every employee.
Every employee who has access to sensitive information should be trained about the security risks.
If you allow P2P programs, train your employees on how to limit what other P2P users can view on your network.
Consider what disciplinary measures are appropriate for violation of your company’s policies about data security.
And, most important: make sure that policies have teeth – discipline the rogue employees.
In Case of a Security Breach
Immediately consult an attorney who is an expert in the area of data privacy laws.
Get together a team: attorneys, computer forensic experts, in-house I.T. staff, and Chief of Human Resources.
Take swift action to comply with the state notification laws.