
Kroll names top 10 data security issues for 2011

From the mHealthNews archive
By Molly Merrill

Kroll's Fraud Solutions division has released its data security forecast for 2011, highlighting the top 10 areas where organizations, particularly those in the healthcare industry, will see the most changes in new data security regulations, breach vulnerabilities and protective measures.

"There is no question that the events of 2010 will impact how organizations approach data security in 2011," said Brian Lapidus, chief operating officer for Kroll's Fraud Solutions division. "Expected changes run the gamut from how organizations prepare for and respond to a breach to the types of breaches they will confront. Organizations can stay ahead of the curve by making sure that they are up to speed on the changing risks – from the top of the organization down."

Kroll's top 10 data security trends for 2011:

  1. More small scale data breaches will make headlines. Now that HITECH requires HIPAA-covered entities to report breaches affecting 500 or more individuals to HHS (and to log and report smaller ones annually), expect to see an increase in the number of smaller scale breaches reported. As all companies increase data security measures, system audits will bring to light breaches that may have been overlooked in the past.
  2. "Low-tech" theft, where data is stolen through non-electronic means, will increase. Data thieves look for the path of least resistance, focusing on the areas that get the least attention from the organization. Because most organizations are focused on improving technology and moving from paper to electronic records, we can expect to see more low-tech data theft on the horizon.
  3. The continuing crisis of lost devices will dominate the data theft landscape. Organizations rely on devices such as smartphones, netbooks and laptops for anytime, anywhere connectivity. But it is these types of devices that, if stolen or missing, continue to be a major source of data breaches. In fact, the U.S. Department of Health and Human Services breach list indicates that 24 percent of reported breaches were due to laptop theft – more than any other specific cause. (Under HHS's breach guidance, PHI encrypted in line with NIST recommendations is treated as secured, so a lost device whose storage is properly encrypted generally does not trigger a reportable breach; that is the strongest practical argument for encrypting every portable device.) Expect to see an increasing number of instances and warnings of mobile vulnerabilities and scams. There's already been an increase in smishing (SMS or text phishing).
  4. Data minimization will increasingly be seen as an essential component of data security plans. Companies that have spent years amassing as much consumer information as possible should consider whether the information is still useful. If not, it represents a liability. In 2011, we will see organizations increasingly turn to data minimization – limiting the data collected and stored, and purging old data on a regular schedule – as a means of reducing their risk.
  5. Increased collaboration and openness will increase organizational vulnerability to data breach. Interoperability is a requirement for healthcare entities switching to electronic health records, but by its nature, data in transit is data at risk. In other words, the exchange of data opens organizations up to new vulnerabilities – from lackluster data security measures at a partner institution to wider propagation of data, with every additional copy becoming another place it can be lost.


  6. Organizations will increase implementation of social networking policies. For many consumers, social applications have come to define their lifestyles, and they are increasingly bringing their private lives into the workplace. In fact, mobile devices have created a world of "24/7" employees, erasing the already fine line between work and home. Employers will need to develop an organization-wide strategy for social networking policies as they relate to data security, to ensure that employees do not open the company up to undue risks.
  7. Data encryption will be seen as a "golden ticket" to compliance. Encryption is often incorrectly positioned as a complete solution to data security. It is one of the best defenses against malicious attempts to access stored or transmitted data, and given the new data protection laws in Massachusetts and Nevada, encryption is fast becoming an essential part of organizations' compliance checklists. But to truly ensure that all bases are covered, companies will have to remember two caveats: first, compliance doesn't equal data security; second, encryption doesn't equal a total solution – it's only one tool in the data security arsenal. Encryption protects data that an attacker reaches without the key, such as a stolen laptop's disk; it does nothing against a compromised user account, a running system that decrypts on demand, or keys that are stored alongside the data they protect.
  8. Third parties will face more stringent breach notification requirements. HITECH is placing business associates under increasing scrutiny, as businesses rely more and more on third parties to collect and process data. Expect to see more organizations placing stringent contractual obligations on their third parties to protect company data.
  9. Privacy awareness training will gain prominence as an essential component of breach preparedness. Technology fixes like encryption are effective but expensive, and electronic monitoring alone won't catch all instances of PII misuse. With comprehensive privacy awareness training, employees can act as privacy advocates who know how to recognize security hotspots, understand their legal obligations and use vigilance whenever they deal with PII. This is the kind of security equity that no technology can buy.
  10. The possibility of a federal breach notification law is high for 2011. While it's difficult to predict with certainty, there are some compelling reasons why an overarching federal law is on the horizon:
  • States are moving forward, creating a confusing tapestry of conflicting laws. A federal law would cut through the noise.
  • Congress has enacted considerable legislation recently – namely HITECH – that opens the door to further legislation.
  • Through grants and other funding sources, the federal government is continuing an aggressive path to encourage the growth of technological initiatives (such as the ONC Beacon grants). These new initiatives require new ways of thinking about data security and privacy.

Kroll is a risk consulting company with headquarters in New York.