Epsilon Breach: Risks and Lessons
Incident is a Wake-Up Call About Database Security Gaps
The Epsilon breach is an interesting one, since e-mail addresses alone are not considered sensitive, Sotto says. As a result, databases that house consumer e-mail files are typically never encrypted, nor are they protected with additional layers of security, such as dual-layer authentication, for access. For a company like Epsilon, e-mail addresses need to be readily accessible, but this breach could prove that ready accessibility is not the most prudent route. [Also see: Epsilon: The Impacted Companies.]
During this interview, Sotto discusses:
- The differing protection requirements for sensitive consumer data versus consumer data that is not considered sensitive;
- Steps financial institutions, retailers and other affected parties should take;
- What this latest breach should tell us about the future of phishing, as well as the need for greater data security everywhere.
Sotto is the managing partner of Hunton & Williams LLP's New York office, and her practice focuses on privacy, data security and information management issues. She has been rated a No. 1 privacy expert and has earned a No. 1 U.S. national ranking for Privacy & Data Security from Chambers and Partners. In addition, Hunton & Williams LLP's Privacy & Information Practice received a No. 1 U.S. national ranking from Chambers in Privacy and Data Security. Sotto assists clients in identifying, evaluating and managing risks associated with the privacy and information security practices of companies and third parties. She advises clients on GLB, HIPAA, COPPA, CAN-SPAM, FCRA/FACTA, the Privacy Act, security breach notification laws and other U.S. state and federal privacy requirements; Canada's PIPEDA; and global data protection laws (including those in the EU and Latin America).