Epsilon Breach: Risks and Lessons

Incident Is a Wake-Up Call About Database Security Gaps
Privacy attorney Lisa Sotto says the Epsilon e-mail breach is a warning about the state of data security at some third-party service providers. Strong contractual obligations covering security practices must be the norm, not the exception.

"These types of events provide warning signals to companies that use service providers such as Epsilon," says Sotto, a managing partner of Hunton & Williams' New York office, where her practice focuses on privacy, data security and information management issues. "Companies should be sure that they have data-security measures in place," and that the third parties with which they work rely on the same high-level security measures as well. "Make sure you have strong contractual obligations in place, to ensure that the third parties are securing data in the same way you require," she says.

The Epsilon breach is an interesting one, since e-mail addresses alone are not considered sensitive, Sotto says. As a result, databases that house consumer e-mail files are typically not encrypted, nor are they protected with additional layers of security, such as two-factor authentication for access. For a company like Epsilon, e-mail addresses need to be readily accessible, but this breach suggests that ready accessibility may not be the most prudent route. [Also see: Epsilon: The Impacted Companies.]

During this interview, Sotto discusses:

  • The differing protection requirements for sensitive consumer data versus consumer data that is not considered sensitive;
  • Steps financial institutions, retailers and other affected parties should take;
  • What this latest breach should tell us about the future of phishing, as well as the need for greater data security, everywhere.

Sotto is the managing partner of the New York office, and her practice focuses on privacy, data security and information management issues. She has been rated a No. 1 privacy expert and has earned a No. 1 U.S. national ranking for Privacy & Data Security from Chambers and Partners. In addition, Hunton & Williams LLP's Privacy & Information Practice received a No. 1 U.S. national ranking from Chambers in Privacy and Data Security. Sotto assists clients in identifying, evaluating and managing risks associated with privacy and information security practices of companies and third parties. She advises clients on GLB, HIPAA, COPPA, CAN-SPAM, FCRA/FACTA, the Privacy Act, security breach notification laws, and other U.S. state and federal privacy requirements; Canada's PIPEDA; and global data protection laws [including those in the EU and Latin America].
