
When it comes to data loss, "Protecting data from accidental leakage is my foremost concern," said Clark Dilley, manager, information systems and technology at $215-million AFTRA-SAG FCU here, echoing what other CIOs have told Credit Union Journal over the years.
And with e-mail in the mix, accidents will happen. "E-mail is by far the most accessible and easiest technology to exploit," explained Glen Chrzas, VP-technology at $890-million Altura CU in
"It's easy for an employee to copy NPI onto an e-mail, and if you don't have a filtering system, a lot of information could go out," agreed Miriam Neal, VP-information systems at $160-million South Western FCU in
That's why safeguards are important, Neal stressed. To scan e-mails for NPI before they are sent, South Western FCU uses Compliance Commander Sentry e-mail and Internet intrusion provided by Intrusion, Inc., of
Altura CU engages similar protection as part of the Data Security Suite offered by San Diego-based Websense, said Chrzas. "Every night, we fingerprint our sensitive member data off our core system." The data is stored in a system that scans outgoing e-mails and attachments for sensitive data. If NPI is found, Websense stops the e-mail from being sent, and the e-mail is reviewed.
Furthermore, Websense web-filtering blocks employee access to all web-based e-mail sites, Chrzas added.
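The nightly fingerprinting and outbound scan described above can be illustrated with an added example that is not from the article or from Websense. It assumes fingerprints are keyed hashes of digit-only values and that attachment text has already been extracted; all names, the key and the sample values are constructed.

```python
import hashlib
import hmac
import re

# Constructed values for illustration; not real member data.
SAMPLE_MEMBER_VALUES = ["900-12-3456", "4000 1234 1234 1234"]
FINGERPRINT_KEY = b"constructed-demo-key"  # assumption: secret held only by the scanner

# Digit runs with optional single space/hyphen separators between digits.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")


def digits_only(value):
    return re.sub(r"\D", "", value)


def fingerprint(digits):
    # Keyed hash, so the stored index cannot be brute-forced without the key.
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()


def build_index(values):
    """Nightly job: keep keyed hashes and value lengths, never the raw values."""
    normalized = [digits_only(v) for v in values]
    return {fingerprint(d) for d in normalized}, {len(d) for d in normalized}


def count_matches(text, index):
    """Count fingerprinted values in text, even when embedded in a longer digit run."""
    hashes, lengths = index
    found = 0
    for run in DIGIT_RUN.finditer(text):
        digits = digits_only(run.group())
        for size in lengths:
            for start in range(len(digits) - size + 1):
                if fingerprint(digits[start:start + size]) in hashes:
                    found += 1
    return found


def decide(body, attachment_texts, index):
    """Return 'hold' (stop and queue for review) if any part matches, else 'send'."""
    parts = [body, *attachment_texts]
    return "hold" if any(count_matches(p, index) for p in parts) else "send"


INDEX = build_index(SAMPLE_MEMBER_VALUES)
```

Matching on normalized digits means reformatting a value with spaces or hyphens does not evade the scan, and the function returns a count rather than the matched text so the sensitive value is not copied into review logs.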
Technology can only go so far in preventing data loss, whether it's accidental or intentional, and whether via e-mail, the Web or through removable media such as thumb drives, Dilley continued. "Certainly, there are steps to take, such as turning off USB ports, using web filtering systems and file access monitoring, but where there's a will, there's a way. It's important for IT staff to exercise creativity when exploring their infrastructures for weaknesses and identifying ways to safeguard information."
AFTRA-SAG FCU protects laptops and removable media in part by using Beachhead Solutions' Lost Data Destruction, said Dilley.
"Credit unions need to have a persistent agent like LDD on each device that can take swift action to eliminate the access to data, even after the laptop has left the credit union," added Jeff Rubin, VP-marketing and strategy for the Santa Clara, Calif.-based Beachhead. LDD encrypts the device data and allows managers to remove access to that data remotely. "(Laptop and removable media) allow for physical movement of data, so companies often have trouble tracking leakages. Because e-mail relies on electronic mobility, any data leakage can be tracked or prevented."
Websense believes the web poses the greatest danger. "Webmail and personal storage websites have the convenience of e-mail but are able to handle the amount of data required to gain a return," said David Thompson, director, product management, Websense. "E-mail is likely too cumbersome because the amount of data necessary for a profit exceeds easy transmission, and laptops are a corporate asset that is tracked."