A data storage service has access to the private information of a vast number of consumers. As organizations continue to expand, they must convince their clients that sensitive information will be safeguarded. It is important that intellectual properties, such as trademarks and innovative technology, are not infringed upon. As increasing amounts of data are stored electronically, an understanding of cyber law and other applicable laws is important in today’s computer age to assure clients that their information will be kept confidential. For any company seeking to meet clients’ security needs, there are vital areas of concern:
Cyber Law
The Electronic Communications Privacy Act of 1986, commonly called the Wiretap Act, was designed to protect citizens from unauthorized invasions of their telephone privacy. As the use of computers and private data storage continues to rise, the act has been amended to cover digitally stored personal information and communications such as email.
Most states and some U.S. territories have enacted legislation that outlines requirements for reporting security breaches. Failure to follow these regulations can result in fines and penalties for the guilty company or parties. Data breach notification laws require organizations to notify “without unreasonable delay” any persons whose encrypted personal information has been accessed by unauthorized parties due to a breach in system security.
As the digital world becomes more complex, guidelines must be created for the secure storage and use of electronic data. Senior executives must take responsibility for information security and develop a strategic plan suitable to their company’s needs. Keeping the system updated with the most recent legal requirements for security will require continuous training for employees who are responsible for encrypted information.
“Acceptable Use” Policies
Since the employees of a data storage service have access to the private records of organizations as well as individuals, steps must be taken to prevent data being stolen and protect the organization’s data system from harm. People often use the computer at work for personal activities and may innocently introduce viruses and other harmful “bugs,” making it easier for hackers to access information.
Organizations must develop and implement an acceptable-use policy to protect its digital data system. Managers must set firm guidelines on what employees may and may not do on company computers, and set policies regarding downloads, opening unfamiliar email attachments, and installing unauthorized software. Employees should be asked to sign an employment contract and agree to the policy in writing. Violations of this policy must be taken seriously, to the point of dismissal and/or civil action against the offending employee.
Computer Fraud and Abuse Act
A hacker’s motives vary; they may just enjoy causing mischief by changing your computer settings, but usually they are more malicious, retrieving personal data you may have stored in your hard drive, like bank account and credit card information. Hackers may introduce viruses and other malware that can crash your systems and networks. The Computer Fraud and Abuse Act defines unauthorized use and makes it a punishable federal offense. It prohibits certain behaviors such as accessing private information without permission, trespassing on a computer, attempting to defraud, or damaging a computer or the information it contains. Violation of the act is considered a criminal act, but the perpetrator is also subject to civil action.
Case Study: Bank of America
Workers who have access to private information must be trustworthy, but an employee who has access to individuals’ bank accounts and credit card numbers may be tempted by easy money. Consider the recent Bank of America identity- theft scandal, in which an employee leaked huge amounts of customers’ personal data to a large ring of scam artists. The scammers stole the customers’ identities and drained their bank accounts. Once the bank realized there was a security breach, they reported the matter to law enforcement agencies but were not quick to inform customers that their private information had been compromised. Although the bank made restitution to their customers for their losses and offered them two years of free credit monitoring, it will be hard to rebuild the trust of those customers who chose to remain with the bank.
The employee and scammers in this case were guilty of violating identity theft laws. The Identity Theft and Assumption Act of 1998 is an amendment to existing federal fraud laws and establishes identity theft as a federal crime. It specifies which types of private information are covered under the act, and provides for penalties for people who attempt or conspire to commit identity theft.
As organizations continue to grow globally, it becomes ever more important that data breaches are prevented. Security breaches harm the company’s reputation when its clients can no longer trust the business to protect their private information. Civil actions against the organization or its employees may occur. A secure data storage service must be protected against unauthorized access from within the organization as well as from outsiders.
More About CP Cyber
CP Cyber is a full service cyber security consulting firm helping our clients uncover risks and build top of the line defenses to prevent cyber crimes. To find out more about us visit our homepage here: https://cpcyber.com or follow our Denver Cyber Security Google Page.
Resources:
Lazarus, David. (May 24, 2011). Bank of America data leak destroys trust. Retrieved from: articles.latimes.com/2011/may/24/business/la-fi-lazarus-20110524
The Lanham Act. (n.d.). Retrieved from: http://www.law.cornell.edu/wex/Lanham_Act