Serving Colorado's Counties

Technical Update vol. 26 no. 36 - How Secure is Your Data?

September 6, 2022

Personal data has increasingly become a target of hackers. Twitter, Target, and Yahoo are a few of the companies that have experienced data breaches that left their customers vulnerable to identity theft, brought on FCC investigations, and exposed the companies to litigation. Taking the necessary steps to protect personal data protects you from a data breach's public relations and legal consequences.

Limit the Data Collected

Do not collect unnecessary information. If you do not have the information in the first place, it cannot be stolen. In a complaint against RockYou, a mobile gaming site, the FCC alleged that the company unnecessarily collected children's e-mail addresses and passwords. They then stored the addresses in an unencrypted format. Consider how much sensitive information you really need to collect and have a system in place to delete out-of-date, unneeded information regularly.

Limit Access to Data

Limit the number of people who can access personal data. Only allow employees with legitimate need-to-know access to sensitive data. The FCC action against Twitter noted that most employees had wide-reaching and unnecessary access to customer data. Twitter failed to enforce password changes or automatic account lockouts after several failed login attempts for administrative passwords. According to the FCC, these failures made Twitter vulnerable to multiple hacks. Avoid Twitter's missteps by limiting access to sensitive data, requiring periodic password resets, and locking accounts after multiple failed login attempts.

Encrypt Data

Use industry-accepted encryption methods when storing and transmitting data. Data needs to be protected at all points of the transmission route. It is not enough to encrypt your server. If you need to transfer sensitive data, make sure that data is encrypted during transmission. This includes data stored on mobile devices (i.e., laptops, hard drives, etc.). A data breach involving the social security numbers, disability ratings, and other personal information of 26.5 million veterans occurred because a Department of Veterans Affairs analyst had his laptop stolen. Incidents like this can be avoided by encrypting the data during storage and requiring user authentication at all points of access.

Create a Data-breach Response Plan

Developing a data-breach incident plan can protect county employees and data. Part of your incident plan should involve regularly backing up critical data. In a recent case involving ransomware, a CTSI member lost crucial data because they did not regularly back up their files to a separate secure location.

What This Means for Counties

In case of a data breach, contact the CTSI property and liability claims department immediately for help with an assessment of your exposure and the critical next steps. As a CAPP member, your county has coverage in place to help manage the loss and navigate the legal and digital steps to take after a breach occurs. For more information, contact CTSI at 303-861-0507.

A PDF of this Technical Update is available here.

News & Updates

Technical Update vol. 27 no. 4 - Out-of-State Remote Work

With the increase in telecommuting and remote work since the pandemic, employers are receiving more employee requests to work remotely outside of Colorado. While out-of-state work arrangements can help with […]

Read More
2023 CTSI Human Resources Consultant Survey

We have had numerous requests from membership to put back in place an HR function as we have had in the past, as part of our loss prevention to assist […]

Read More
Read More
Technical Update vol. 27 no. 3 - Hand Injuries are Common and Preventable

According to the US Department of Labor, injuries to hands account for nearly 25% of all lost-time in the workplace. That’s a total of 110,000 injuries per year. Yet, cuts, […]

Read More
Technical Update vol. 27 no. 2 - Automatic 30-Day Extension for ACA Forms

Changes made by IRS and Treasury The Treasury Department and IRS have extended the deadline from Jan. 31 to March 2 for employers to provide ACA forms to employees. Originally […]

Read More