Those who listened to the November 19^th, 2022 podcast I did with breach attorney Spencer Pollock know that he stated that 90% of the breaches he was involved in over the prior 12-month period would have been non-reportable had the data been properly encrypted.

https://qpcsecurity.podbean.com/e/what-you-must-do-in-order-to-prepare-for-a-breach/

(Review link above for attestation and regulatory enforcement proof.)

I have three major points for you in this show.

• You need an IRP
• You need a CvCISO
• And you need to understand how data is being handled in your organization

Let’s first talk about CvCISO

Help you understand why you need a CvCISO working with you on a regular basis because even if you are a really large organization, the probability that all of your processes are clean, secured, compliant, and all your end user training is effective, well that probability is not high.

https://qpcsecurity.podbean.com/e/understanding-vciso-services-and-why-you-need-them/

Incident response plan

Virtually every organization is now required to have a written incident response plan. These are some examples of people that must be specifically listed in the IRP. What does your organization do when they don’t have these people as full-time internal staff? You need a CvCISO.

People you are required to name explicitly as part of your incident response plan:

• IT technical staff
• Incident response manager (this better be a CvCISO or a certified incident response company)
• IT director
• CIO
• Stakeholders such as board of directors and heads of business units
• Finance director
• Communications manager – this is either your internal PR person, your internal corporate counsel, or your breach attorney
• Legal representative – either your internal corporate counsel or breach attorney
• Human resource manager

Types of data

Let’s talk about some real-world examples of data insecurity. Let’s start by establishing what some categories of data are. PII, PHI, PCI data.

PHI is personal health information so think of that as drug screening results as well as medical records. So it’s not just healthcare organizations that have it. Anyone who does drug screening will have PHI.

PII is personally identifiable information such as your name, contact information, social security number, I-9 information, a copy of your passport or driver’s license, and non-public photos of you. This is also your direct deposit bank information. I would also include your salary at your job is PII. It is certainly non‑public. So who has that kind of information on you? Well anyone who does HR recruiting or has employees is typically going to have this kind of data.

I encourage small businesses to use a PEO and not store any of this data themselves. They should outsource that entirely. Some HR management firms have areas in their SaaS platform that their customers (your employer) can upload documents to and store them securely and NOT on the employer’s environment anywhere.

PCI is payment card information. If an organization processes credit cards in any way outside of a contained e-commerce and merchant processing platform, then they probably have PCI data that is on a system they control. Many retailers just use SaaS apps that directly integrate with merchant processing to avoid any storage or holding of PCI data. You should expect that larger organizations are retaining your credit card information.

Applicant tracking and employee onboarding systems

The security of these systems is only as good as the security of the company that is using them, their processes, how they handle the data throughout the flow, and how documents you complete for them are disposed of if they were submitted in paper format.

Good process

As you interact with the recruiter or prospective employer, all of the data goes directly into an applicant tracking system that is SaaS by the applicant themselves. The only thing that may be emailed would be a resume. Any assessment results or applicant data is all direct input into the ATS. The ATS is SaaS cloud hosted with a very secure company and all accounts which access the data are on a need to know, RBAC approach with MFA enforcement.

• WOTC information is all submitted by you directly into the WOTC company website
• All of your PII would be submitted by you directly into the HR enrollment/payroll system without intervention from anyone else. No one else needs to handle your data.
• The data you submit is only being submitted to a high security SaaS HR management/payroll platform.
• Your employer never needs to download and retain any of that information because it is stored in the HR management system. Nor did your employer ever need to have a copy of the information you submitted because you submitted it yourself. So you know it is not in their email or on their servers anywhere. They also did not print it and then not shred it.

Bad process

You are an applicant and the company you are applying to has you fill out paper forms. You do and then they scan those forms with a scanner and send those files somewhere. Let’s say they are scanned to an insecure location on the internal network. Then someone retrieves the scanned images of the paper you filled out and emails them to a distribution list.

So let’s go over what is in the scanned PDF file that got emailed to an internal company distribution list.

• Direct deposit information – full banking account and routing number
• Full name and address
• I-9 verification which includes social security number, driver’s license number, and birth certificate
• W-4 which contains PII and SSN again
• Copies of your signature
• Date of birth
• Your offer letter including salary and benefits

Concerns

What happened to the physical paper copies of the forms you completed? Were these shredded same day?

Was the information in the email distribution list forwarded to anyone who did not have a complete need to know?

Was the information forwarded to a party external to the company?

Document management platforms

Premise databases often have a lack of encryption

Lack of data encrypted at rest and quite possibly the data is not encrypted in transit. If the system that the data is stored inside of is a premise-based thick client application such as an application that has SQL server as the back end, it is not likely that those communications between the thick client and the database server are encrypted in transit. The SQL server most assuredly is not encrypted because very few applications support SQL database encryption and even fewer IT people know how to set it up.

I have seen document management platforms with 500,000 records in them containing some of the most sensitive PII and this data was not only housed on servers that were unpatchable and fully deprecated, but the data being transmitted to/from the server was not encrypted, nor was the data in the database encrypted at rest.

If you put a dollar figure to the cost of a breach and it is associated with the number of unique records that contain reportable information, the cost of that old, insecure server just went through the roof.

Even if you say $1/record, that is $500k. Wowzers! And it’s not likely that was the only server compromised in the breach.

What data is stored in people’s emails when a company does not have solid policies, end user training, and technical enforcements to prevent the data from being improperly stored?