When we talk about responsibility for a company's data security, naturally, management comes to mind first, typically a CISO, CSO or CIO. Security professionals and IT managers themselves concede that they bear the lion's share of this responsibility.
A recent study showed that 65% of IT decision makers believe they would likely lose their job due to a security breach. But the real foundation of a well-managed company's data security comes down to each and every employee within that company. A perfect example occurred nearly five years ago at a Midwest-based hospital revenue cycle management company and demonstrated how devastating a poorly managed security framework can be at multiple levels of an organization.
In July of 2011, a company employee left an unencrypted laptop containing protected health information of tens of thousands of patients from Minnesota hospitals in the trunk of a rental car parked at an airport. Obviously it was stolen or this would not be much of a story. But think for a moment about all the security best practices that were either absent or ignored.
Why wasn't this critical data encrypted? Why was there no technology in place to remotely wipe the information on the device? Was the employee trained to not let a device containing such sensitive data out of his or her direct control? Were there written policies in place covering these issues? If so, were they routinely enforced and were offending employees routinely disciplined? Did anyone audit or monitor the daily operational security practices at this company?
The company certainly paid the consequences for this massive oversight. The Minnesota Attorney General instituted a HIPAA action which resulted in a $2.5 million settlement to the government, with an agreement that the company suspend practice in the state of Minnesota for between two and six years, the exact period being solely within the discretion of the Attorney General. In its next public filing, the company acknowledged it would lose between $23 million and $25 million in revenue for each year it was absent from operating in Minnesota.
The company's shareholders then filed a class action lawsuit alleging that had they known about the HIPAA investigation when it was first instituted, some of them may have sold their shares before their value plummeted by more than half. This suit settled for $14 million.
Then, at the end of 2013, the Federal Trade Commission reached a settlement with the company requiring it to be independently audited immediately and every other year thereafter, for a period of 20 years, to ensure proper security measures are deployed. In the meantime, the CEO and CFO departed, and the company was delisted from the New York Stock Exchange. All told, a single stolen device cost the company over $100 million in fines, settlements and lost revenue.