Root out data breach dangers by first implementing common sense

As security breaches of personally identifiable information (PII) make the news, ( an analysis of the breaches may lead you to the conclusion that it is not hackers or malicious employees that are to be feared but just plain stupidity. While you will find data breaches that can be blamed on those things, the vast majority can be lumped under the category of carelessness. Whether it is information inadvertently e-mailed to someone, theft of hardware, loss of a laptop, or paper in the dumpster, the real culprit is a lack of neurons firing and not following procedures.

The usual reaction to these breaches often centers on tighter security, encryption, policies and procedures, encryption, rules and regulations, encryption....I think you get the picture -- encryption is often looked at as a panacea for preventing data loss. However, this belief will end up giving you a false sense of security and stick you with a next-to-impossible task. If you look at the data breaches that I lump under carelessness, you will find that in most cases, the sensitive information, like SSNs, should not have been there in the first place!

Data encryption as a silver bullet to this problem misses the mark by a long shot. While it should be part of a security plan that mitigates losing laptops, there are too many places that PII is being stored for you to encrypt every instance of it. The sad fact of the matter is that many organizations cannot give you an accurate accounting of every place that it collects and stores PII. Those who can either have undergone an intensive self assessment of PII collection and storage, or they are ignorant and are knowingly or unknowingly lying to you.

So the real answer to reducing data breaches is in asking why PII is collected and stored in the first place and then eliminating it, if possible. You might be astounded to find that PII, SSN in particular, is collected and stored primarily to insure that a person can be uniquely identified in a database. Since, SSN is the closest thing we have to a national ID, people's knee-jerk reaction is to collect it because it's the only thing we have to uniquely identify a person. However, unless it is absolutely imperative that an individual can be matched across organizational domains, there is no need to capture it when a unique number can be assigned to a person instead. Again, if you surveyed your organization, I am willing to bet that you can find numerous instances where PII is collected unnecessarily.

Then there are instances when there is a legitimate need to collect PII, but it is inappropriately distributed within the organization. This is especially the case when I see that information has been lost on a laptop. For what purpose does someone need to carry around a database that has thousands of SSNs in it? If that info has to travel, the SSN could easily be translated into another number that is unique and can later be re-translated back into an SSN if necessary.

If you do a risk assessment of your organization, you will find that the needless collection and unnecessary dissemination of PII accounts for probably 70 to 80 percent of your risk. So, if you eliminate these two problem areas, you'll have it licked, right? Well not completely, but you will have gone light years towards fixing the problem.

I know that you are thinking that this is easier said than done -- but it is possible -- I have seen it happen. And it all starts with an intensive risk assessment. In fact, if you were deciding whether to spend money on an assessment or new technology, such as encryption of mobile devices, you'd get better ROI spending the dollars on an assessment. Without it, encryption is just a finger in the dike that will inevitably spring another leak.

Now, does this mean that technology is not part of the solution? Of course not, and encryption and other security measures will play a large part in it. However, it's the surgical employment of technology tools to a limited universe of potential problems that wins the day, not the blanket adoption of technology in the hopes that you can eliminate your risk. Be mindful that both methods can be expensive -- because finding and eliminating the two worst abuses of PII is not going to be cheap. But if given the choice, I prefer to get to the root of the problem, not just cover it with a Band-Aid.