Protegrity has issued guidelines to help companies protect their Personally Identifiable Information (PII), such as names, email addresses and passwords, in the wake of the Epsilon data breach. On Friday, April 1, Epsilon Interactive announced that unknown intruders had broken into one of its email servers and accessed the names and email accounts of some of its 2,500 corporate customers, including Best Buy, Citibank, Disney, JPMorgan Chase, Hilton and Marriott. Had standard corporate security office (CSO) protocol been followed and modern data security solutions been in use, this breach could have been prevented.
“The Epsilon breach is further evidence that companies and their so-called trusted partners are not following best practices or using the most advanced technologies to secure sensitive customer information,” said Iain Kerr, President and CEO for Protegrity USA. “To avoid breaches like this, companies really need to understand the full scope of their sensitive data flow and concentrate on protecting not just the network but the data itself. The Epsilon case is also a huge wake-up call that companies absolutely need to hold all outside partners that handle their sensitive information to the highest data security auditing standards.”
To maximize protection for PII data and eliminate the risk of brand damage resulting from breaches experienced by Epsilon and its customers, Protegrity offers these guidelines:
1. Treat PII data as if it were financial information - PII data has become a primary target of malicious attacks because it can be exploited in phishing scams that pry out more valuable information such as credit card and bank account numbers. Since there are fewer regulations and available guidelines on protecting PII data, we recommend looking to more established regulations and applying their guidelines. For example, by protecting PII as you would financial information, you will ensure that you have the best security measures in place to mitigate the next breach. Organizations can refer to publicly available guidelines, such as PCI DSS 2.0 and others, to establish an internal PII data security policy that is run by the corporate security office.
2. Know where your data is going and protect the data first and foremost - Most companies have focused their data protection strategies on protecting the network where the data is stored, rather than protecting the actual data. Start with an internal data classification audit that walks through your data flow for your internal business processes as well as all external processes with third-party vendors, to identify all potentially sensitive data. Outsourcing your database hosting duties does not mean that you outsource liability.
3. Audit your data flow, and be sure your vendor is also audited regularly - Once you know your data flow and have classified the data, you should then determine that any vendors with access to the data are complying with your standards for data security. At a minimum, you must know what type of security solution your third-party firm is using for data in transit and at rest, and when and how frequently that firm is audited.
4. Protect your PII data with modern solutions - While Epsilon did not disclose what type of data security solution it was using when its servers were breached, the company reportedly was not using encryption. Organizations need to actively monitor emerging data security solutions because older technologies like access control, masking and hashing are no longer sufficient. At a minimum, PII should be protected by modern encryption; however, tokenization provides the strongest and most cost-effective data security.
5. Ensure separation of duties - Creating a separation of duties between the corporate security office and the database administrator will ensure that no single individual or group controls access to information in the database without oversight by the CSO. This separation of duties should also be established between the CSO and anyone who administers the IT systems through which data flows.
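The following is an added example illustrating guidelines 4 and 5 above; it is not Protegrity's code or product, and it stands in for a real tokenization service with an in-memory vault. It shows why a tokenized copy of a customer record (the copy an email vendor would hold) reveals nothing on its own, why a plain SHA-256 hash of an email address is not an equivalent protection (addresses are guessable, so hashes can be matched from a candidate list), and how the detokenize path enforces a role check and audit trail so that the people administering the database are not the ones who can reverse the tokens. The role names, record fields and sample values are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Roles allowed to turn tokens back into PII. Constructed for this example;
# in a real deployment this check lives in a separate vault service under the
# corporate security office's control, not in the application or the DBA's database.
AUTHORIZED_ROLES = {"cso", "fraud-review"}


class TokenVault:
    """Minimal vault-based tokenization (example code, not Protegrity's product).

    Tokens are random values with no mathematical relation to the PII, so a
    tokenized dataset held by a third party reveals nothing; the original
    value is recoverable only through the vault, which logs every request.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}  # one token per value keeps joins working
        self.audit_log: List[Tuple[str, str]] = []  # (role, token) for every detokenize call

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)
        while token in self._token_to_value:  # collision guard; practically never loops
            token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        self.audit_log.append((caller_role, token))  # record the attempt before deciding
        if caller_role not in AUTHORIZED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]


def protect_record(record: Dict[str, str], vault: TokenVault,
                   pii_fields: Iterable[str]) -> Dict[str, str]:
    """Return a copy of the record with PII fields replaced by tokens.

    This copy is what an email vendor or analytics system would receive;
    the plaintext stays only in the vault."""
    protected = dict(record)
    for field in pii_fields:
        if field in protected:
            protected[field] = vault.tokenize(protected[field])
    return protected


def hash_pii(value: str) -> str:
    """Plain SHA-256 of the value: the 'hashing' approach the guideline calls insufficient."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hash_reveals_value(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Why hashing is weak for PII: email addresses are low-entropy and guessable,
    so a holder of the hashes can match them against a list of plausible addresses.
    A random token has no such relation to the value and cannot be matched this way."""
    for candidate in candidates:
        if hash_pii(candidate) == digest:
            return candidate
    return None


# Constructed sample data for the demonstration.
SAMPLE_RECORD = {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com"}
PII_FIELDS = ("name", "email")


def demo() -> Dict[str, object]:
    vault = TokenVault()
    shared = protect_record(SAMPLE_RECORD, vault, PII_FIELDS)
    # The tokenized copy carries none of the original PII strings.
    leaked = any(SAMPLE_RECORD[f] in str(shared[f]) for f in PII_FIELDS)
    # Only an authorized role, through the vault, maps a token back.
    recovered = vault.detokenize(shared["email"], caller_role="fraud-review")
    # The hashed copy looks protected but is matched from a short guess list.
    guessed = hash_reveals_value(hash_pii(SAMPLE_RECORD["email"]),
                                 ["bob@example.com", "alice@example.com"])
    return {"shared": shared, "pii_leaked": leaked, "recovered": recovered,
            "hash_guessed": guessed, "audit_entries": len(vault.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The design point for guideline 5 is that `TokenVault` is the only component that can reverse a token and that it records who asked, so the vault's operator and the database administrator can be different people with the CSO overseeing both; in production the vault would be a separate, hardened service rather than an in-process dictionary.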