NEW YORK-Kroll's Fraud Solutions division is offering a list of the Top 10 Data Security Trends for 2011. All of the analysis below is from the Kroll report.
1. More small-scale breaches will make headlines. Now that healthcare entities are required to report breaches affecting 500 or more individuals, expect to see an increase in the number of smaller-scale breaches reported. Further, as all companies increase data security measures, system audits will bring to light breaches that may have been overlooked in the past. This is not to say that the era of the massive, Heartland or TJX-style breach is over, but they may be matched by small-breach frequency.
2. "Low-tech" theft, where data is stolen through non-electronic means, will increase. Data thieves look for the path of least resistance, focusing on areas of least attention to the organization. Because most organizations are focused on improving technology and moving from paper to electronic records, expect to see more low-tech data theft on the horizon-such as the bank teller convicted of identity theft for writing down customer information on sticky notes and using it to open credit accounts.
3. The continuing crisis of lost devices will dominate the data-theft landscape. Organizations rely on portable devices-smart phones, netbooks and laptops-for anytime, anywhere connectivity. Yet, stolen or missing devices continue to be a major source of data breaches. In fact, the U.S. Department of Health and Human Services breach list indicates that 24% of reported breaches were due to laptop theft-more than any other specific cause. Expect to see an increased number of instances and warnings of mobile vulnerabilities and scams-similar to the recent increase in smishing (SMS or text phishing).
4. Data minimization will increasingly be seen as an essential component to data security plans. Companies that have spent years amassing as much consumer information as possible are starting to view this model as more of a boondoggle than a bounty. If the information is of no use, it represents a liability. In 2011, organizations will increasingly turn to data minimization-limiting the data collected and stored, and purging old data on a regular schedule-as a means to reducing their risks.
5. Increased collaboration and openness will increase organizational vulnerability to data breach. Interoperability is a requirement for healthcare entities switching to electronic health records, but other sectors (e.g., education and government) are also increasing initiatives to share and utilize data on a massive scale. By nature, data in transit is data at risk. In other words, the exchange of data opens organizations up to new vulnerabilities-from lackluster data security measures at a partner institution to increased propagation of data.
6. Organizations will increase implementation of social networking policies. For many consumers, social applications have come to define their lifestyles, and they are increasingly bringing their private lives into the workplace. In fact, mobile devices have created a world of "24/7" employees, erasing the already fine line between work and home. Employers will need to focus and develop an organization-wide strategy for social networking policies as they relate to data security to ensure that employees do not open the company up to undue risks.
7. Data encryption will be seen as a "golden ticket" to compliance. Encryption is often incorrectly positioned as a complete solution to data security. After all, it is one of the best defenses against malicious attempts to hack electronic data. And, given the new data protection laws in Massachusetts and Nevada, encryption is fast becoming an essential part of organizations' compliance checklists. But, to truly ensure all of the bases are covered, companies will have to remember two caveats: compliance doesn't equal data security and encryption doesn't equal a total solution-it is only one tool in the data security arsenal.
8. Third parties will face more stringent breach notification requirements. HITECH is placing business associates under increasing scrutiny, as businesses rely more and more on third-party data collection. Expect to see more organizations, even those outside the healthcare industry, placing stringent contractual obligations on their third parties to protect company data.
9. Privacy awareness training will gain prominence as an essential component of breach preparedness. Technology fixes like encryption are effective, but expensive, and electronic monitoring alone won't catch all instances of PII misuse. With comprehensive privacy awareness training, employees can act as privacy advocates who know how to recognize security hotspots, understand legal obligation, and use vigilance whenever they deal with PII. This is the kind of security equity that no technology can buy.
10. The possibility of a federal breach notification law is high for 2011. While it's difficult to confirm without a doubt, there are some compelling reasons why an overarching federal law is likely on the horizon in 2011:
States are moving forward, creating a confusing tapestry of conflicting law. A federal law would cut through the noise.
Congress has enacted considerable legislation recently-namely HITECH-that opens the door to further legislation.
Through grants and other funding sources, the federal government is continuing an aggressive path to encourage the growth of technological initiatives (such as the ONC Beacon grants and the USDOE's Race to the Top). These new initiatives require new ways of thinking about data security and privacy.
