Friday, October 16, 2009

Which Story to Post? Payroll company loses PII, and Underreporting losses

It isn't often that I am faced with a decision as to which story to post here. I generally shy away from reporting specific breaches unless the particular story reinforces a point I am trying to stress, whether about employee training or about simple gross negligence in the face of what should be common knowledge among the business community.
In this case, however, I found two such stories on the same day and have both of them here for you.

The Washington Post reports that, for the second time in a month, hackers have gained the login credentials of PayChoice clients. The company sent a notice to customers yesterday to let them know that thieves had exploited a weakness in the password-change component of the company's online payroll portal, the report states. PayChoice has since disabled the site and modified logins. In its e-mail alert to clients, PayChoice said "...we determined that valid user credentials...were used in an unauthorized manner to...have payments made to fraudulent bank accounts." Full Story

There is simply no excuse for a payroll company to have such an incident in light of the laws in effect (the FACTA Red Flags Rules specifically) that require it to take specific precautions to prevent just such a breach.

This next item shows clearly that giving breached entities discretion as to whether and when to report breaches serves no one. People whose information has been mishandled or lost while in the trust of an organization have the right to know about their increased risk so that they might take appropriate steps to protect themselves. That is the problem that I and others have with reporting laws that give wide discretion not to report, or to delay reporting, information losses.

The results of an audit involving the loss of Connecticut taxpayers' data show the state took too long to determine whether confidential information was compromised, reports The Day. The names and Social Security numbers of 106,000 Connecticut taxpayers were exposed when a Department of Revenue Services (DRS) employee's laptop was stolen from a parked car. "DRS botched its initial response to the theft," said AG Richard Blumenthal who took part in the audit. "Inexcusably, our tax agency exposed more than 100,000 taxpayers for nearly a week to possible plundering of personal assets." But Blumenthal hailed DRS for tightening access controls, encrypting data and developing data breach procedures since then. Full Story

Anonymous said...

On Nov. 1, virtually every business nationwide will be required to comply with the Red Flags Rule, another piece of legislation designed to control identity theft by changing how businesses handle sensitive information of their customers and their employees. Most states have privacy laws in addition to federal privacy and informational security laws, yet many businesses fail to comply because few are aware the laws exist on privacy compliance, and best practices are required.
It is estimated that more than half of all businesses and most small enterprises are at significant financial risk if they lose consumer or employee information. Compliance with federal and state laws as well as having documented best practices goes a long way to reducing liabilities and risk.
The Identity Theft Education Center has posted a free online class for business owners to understand the law, their new responsibility and liability, and the most cost-effective methods to lower their liability, comply with the law and better protect the information it collects on its clients and customers. The online presentation is conducted by KJ Anderson III, CITRMS ( ) and can be found at .

John Taylor said...

Thank you for your comments. I must add that it is not true that all businesses must comply with the Red Flags Rules. Red Flags should not be characterized as a compliance issue like the ADA. There are many exceptions to Red Flags that have been agreed to by the FTC.