During the past few years, the media has highlighted a variety of examples of the loss of private information by large companies either by theft or misuse.
One reason for the increased media attention is the renewed focus on establishing and enforcing data breach notification laws, which apply to companies that own, lease or store private, personally identifiable information. If that data is exposed to unauthorized use, whether by accident, cyber attack, employee misconduct, or some other cause, most states require the company responsible for protecting the data to announce the breach and individually notify everyone affected. Some states also require that the credit agencies be notified.
For clarification, private data means any information that can be used to identify an individual, including sensitive information such as a credit card number, social security number, or health-related data.
There are a few exceptions to the reporting requirement. If the compromised files were encrypted, for example while in transit across the Internet or while stored on stolen backup tapes, it is unlikely that the files could be decrypted, so the individuals' privacy is much less likely to be compromised.
A company that finds itself dealing with a data breach learns quickly that the process is not just embarrassing and costly (sending notifications, providing free credit reports, etc.); it can also damage the company's hard-earned reputation and result in the loss of customers. The point is that companies are responsible, and legally liable, for the information in their hands.
Securing File Transfers
Most companies use FTP (File Transfer Protocol) to send data files back and forth to their trading partners, vendors, remote employees, etc. Most often, FTP is used to send files that are too large to email.
However, file transfers like these are captured and compromised by data thieves on the Internet every day, unless security procedures have been put into place to safeguard the files' data.
Companies need to implement procedures that secure both the in-motion process (files in transit over the Internet) and the at-rest process (files stored on servers or backup tapes). The SFTP and FTPS protocols both secure the file while in motion by encrypting the communication link between the two systems for the duration of the transfer; they do nothing for the file once it has been written to disk at either end. PGP encrypts the file itself, so it stays protected while at rest on the server or on backup tapes, and it is the layer that makes the breach-notification exception above apply.
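The following is an added example of how the two layers fit together, not code from the original article or any product it describes. It gates an FTPS upload (in-motion protection, using the standard library's `ftplib.FTP_TLS` with a TLS-protected data channel) so that only files already PGP-encrypted by the sender (at-rest protection) are allowed to leave; the `looks_pgp_encrypted` check and the hypothetical `upload_encrypted_only` / `connect_ftps` helpers are names chosen here, and the sample messages are constructed inline.

```python
"""Pre-flight gate: only PGP-encrypted files may be sent over the FTPS channel."""
import io
from ftplib import FTP_TLS

# OpenPGP ASCII-armor header for an encrypted message (RFC 4880, section 6.2).
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def looks_pgp_encrypted(data: bytes) -> bool:
    """Heuristic check that `data` is an OpenPGP *encrypted* message.

    Accepts an ASCII-armored message, or a binary message whose first packet is a
    Public-Key Encrypted Session Key (tag 1) or a Symmetric-Key Encrypted Session
    Key (tag 3). Anything else (plaintext, a bare signature, a key block) is refused.
    """
    if data.startswith(ARMOR_HEADER):
        return True
    if not data:
        return False
    first = data[0]
    if (first & 0x80) == 0:   # bit 7 is set on every OpenPGP packet header
        return False
    if first & 0x40:          # new-format header: tag is in the low 6 bits
        tag = first & 0x3F
    else:                     # old-format header: tag is in bits 2..5
        tag = (first >> 2) & 0x0F
    return tag in (1, 3)


def upload_encrypted_only(ftps, remote_name: str, data: bytes) -> bool:
    """Upload `data` as `remote_name` over FTPS, refusing anything not PGP-encrypted.

    `ftps` is an already logged-in ftplib.FTP_TLS (or a test double with the same
    prot_p/storbinary methods). Returns True if the file was sent, False if refused.
    """
    if not looks_pgp_encrypted(data):
        return False
    ftps.prot_p()  # encrypt the data channel too, not just the control channel
    ftps.storbinary(f"STOR {remote_name}", io.BytesIO(data))
    return True


def connect_ftps(host: str, user: str, password: str) -> FTP_TLS:
    """Open an explicit FTPS session (AUTH TLS on the control channel) and log in."""
    ftps = FTP_TLS(host)
    ftps.login(user, password)
    return ftps


# Constructed sample inputs: an armored PGP message and an unencrypted report.
SAMPLE_ARMORED = ARMOR_HEADER + b"\n\nhQEMA0constructedSampleBody==\n-----END PGP MESSAGE-----\n"
SAMPLE_PLAINTEXT = b"name,ssn\nJane Doe,000-00-0000\n"
```

On a real transfer, pass the object returned by `connect_ftps` to `upload_encrypted_only`; the plaintext sample is refused before any byte reaches the server.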
When addressing the challenge of sending ad-hoc files that are too big to email, choosing a managed file transfer solution that includes a secure mail feature can mean the difference between an accidental data breach and a successfully delivered file.
Implementing these security procedures is a significant step organizations can take to greatly reduce their risk of a data breach, and therefore their exposure to financial liability and to the loss of confidence of their customers and trading partners.