In the wake of the data breach at the South Carolina Department of Revenue, I would like to mention some steps that businesses can take to protect themselves, their customers, and their employees from possible intrusions from this breach and other potential breaches or disasters.
1) All individuals should take advantage of the free credit monitoring being offered by South Carolina through Experian. The link to get this protection is: www.experian.com/scdor. The access code is scdor123. Also, place a fraud alert and a credit freeze on your credit report with the Experian, Equifax, and Transunion credit reporting agencies.
2) South Carolina businesses should take advantage of the free credit monitoring offered by Dun & Bradstreet.
3) Monitor banking and credit card accounts on-line daily.
4) If you (or your business) have provided your banking information (account and routing number) to the state, talk to your banker about how your bank is protecting its customer accounts. If you are not comfortable with protection provided by the bank, discuss changing your account number.
5) If your business does not already have a written security policy that sets up the company standards and responsibility for security of on-line data and off-line documents, get one. Be sure to address secure document disposal, data back-ups and the security of the back-ups. The policy should also include consequences for violations and it must be enforced.
6) Know what kind of consumer and employee information you are collecting, where it is, and who has access to it. Access should be limited to as few as possible on a need-to-know basis. Likewise, know who you are giving YOUR information to, why they need it, and how they protect it.
7) If you accept credit cards, make sure customer credit card information that is stored in your system is encrypted by you or your processor. For recurring charges, it is preferable to store those card numbers in a data vault provided by your processor. Customer credit card numbers and other consumer information should never be stored on unsecured documents. And don’t blow off the annual PCI questionnaire (SAQ). Complete it honestly. This questionnaire should show you where you may be exposed. Your merchant account provider should be willing to help you with this.
8) Develop a strict password policy that addresses how passwords are assigned, levels of access, and routine password changes; prohibits password sharing; and sets up procedures for immediate password deactivation when appropriate.
9) Hire an IT security specialist to review your system security if you don’t have a qualified employee to do this. If an employee designed the security, the review should be independent.
10) If you keep hard/paper copies with sensitive employee or customer information, they should be adequately secured while in use and protected during disposal.
11) Restrict access to your facilities. Know who can enter and what they can access. Restrict key distribution and change locks/keys in appropriate situations (lost keys, employee termination, etc.).
12) Have a disaster recovery plan. This plan should specifically address each step to be taken, and by whom, in the event you have a data breach or a physical disaster (e.g., your building burns down). A data breach will require notification and damage control procedures for your employees and customers. A physical disaster plan will address steps and responsibility to work with your insurance company, acquire an alternate facility and equipment, and restore the data from back-ups.
I realize that the above procedures can be costly and sometimes cumbersome. Each business needs to weigh the costs of implementing such procedures against the benefits that will be derived from the protection provided. The State of South Carolina is going to spend at least $12,000,000 repairing the damage from the recent data breach. That doesn’t include what they’ll spend to prevent it from happening again. I’m sure many are wondering if the State would have been better served by spending that money years ago to strengthen system security. But hindsight is 20/20.