
Lax policies, not bad auditors responsible for stolen data

Companies take the heat when outside auditors "lose" personal data about customers and employees. Blame it on stupidity, carelessness or just plain bad luck, but don't blame the auditor.

A lost laptop here, a stolen backup tape there. With the daily horror stories about compromised data, customers and employees are demanding that companies get their data security houses in order.

Customers should be burning mad, say experts. Companies that hand personal information over to third parties, such as public accounting firms, are responsible for preventing that data from getting into the wrong hands. Unfortunately, too many of them are lousy at it.

Although experts say it's the exception rather than the rule, the number of recently disclosed incidents makes the problem hard to deny. Wells Fargo & Co., the San Francisco-based bank, became the latest victim of allegedly shoddy data protection by an outside auditor. Last month, a laptop containing employee Social Security and healthcare information was stolen from the locked trunk of a vehicle belonging to an employee of an undisclosed third-party auditor.

Richard Stiennon, chief research analyst at IT-Harvest LLC, a Birmingham, Mich.-based security research firm, said such a breach implies that Wells Fargo has been lax in dictating best practices on data protection to its auditors.

"But it tells me more about the auditor, really. The auditor is following sloppy practices. When I was an auditor and a Gartner analyst, you wouldn't believe what I had on my laptop," said Stiennon, a former manager in PricewaterhouseCoopers LLC's Technical Risk Services group. Stiennon said it was his own personal policy never to let his laptop out of his sight when it had sensitive data on it.

Handing over sensitive data to outside auditors is common practice -- it's required by law -- and nothing new. Neither is data theft. But the rules have definitely changed.

Banks have been the target of data theft for years. "But 20 years ago there wasn't anything you could do with that data other than demonstrate that [the bank] couldn't protect it," Stiennon said. "But things changed. Regulations changed, the environment changed, and business practices that hadn't been looked at in a while had to change."

Stiennon said that years ago, some financial services companies would ship backup tapes containing customer records as checked baggage on passenger planes. Boxes of tapes would show up on an airport baggage carousel, where a company employee would pick them up and take them to the office. Sometimes those boxes would disappear. Thieves would then ransom the data back to the victims, who would pay in order to protect their reputations.

In addition, with the rise of identity theft and the advent of laws requiring disclosure of data breaches and notification of those affected, the necessity of protecting data has become obvious and essential. California's security breach notification law, for instance, took effect in July 2003.

In most organizations, the CIO isn't the one hiring the auditor, but he or she could still be held culpable if data is breached. CIOs are tasked with protecting all data, regardless of whether it stays within the company's confines or not. A company can have the best security practices in place, but it takes only one careless auditor to put it on the front page.

Companies can point the finger at outside auditors. In fact, legal experts say there will be a wave of litigation over who is ultimately responsible in this kind of data breach.

Best to lower your risk from the get-go and spell out liability in a contract, said Edward McNicholas, a partner with Sidley Austin LLP, a Washington, D.C.-based law firm. "You want it to be clear who's going to bear the loss." Work with your firm's legal counsel on the details and wording.

In addition, insist third parties share your security standards and policies before letting go of any data, Stiennon said.

"Doing things on a data protection level is made much more difficult because the standards don't exist yet," he said. "Enterprises have to make sure their own standards are adhered to. Your auditor will say, 'We don't do that.' You say they must. Then they charge you extra."

Get it in writing, said Avivah Litan, vice president and research director at Stamford, Conn.-based research firm Gartner Inc. CIOs should insist on writing strict data security standards into contracts. For instance, auditors should never leave unencrypted data on an unattended laptop.

"Establish all these rules that they have to abide by. Then you audit it and take their business away if they fail," Litan said.

Stiennon said, "My sense is that very few test those rules. But there are a large number that have those rules, which is a first step. Once an auditor is aware that they've signed something, they take those rules very seriously."

Litan said companies should set up compliance offices to hold third parties to their security standards. "Dedicate at least two or three people to establish policy. It's not a full-time thing. But you will need one or two people auditing on a full-time basis, depending on the size of the customer base," she said.

Ultimately, the best method of protecting shared data is to prevent third parties from taking the data outside the company.

"One way [to protect data] is to keep things internal and not allow the data out," Stiennon said. "It's a very simple step. When the auditors come in, allow them to bring software but make them use your computer. That's a direction I highly recommend. It's fairly straightforward."

But this approach is not always possible, especially with auditors from government agencies that have no contractual relationship with the company. In other cases, regulations require outside auditors to retain data on their clients for a certain period of time. Stiennon said companies should address this issue in the contract by requiring the auditor to hold the data in a secure manner.

With business partners, the issue of shared data should be more straightforward, Stiennon said.

"When you're setting up a business relationship, that's when an internal policy has to be compared to the business partner's, and you have to find some common ground that satisfies both organizations," he said.
