Wednesday, August 26, 2009
Employees, Especially Temps, Cause Breaches
Read the full story here.
This survey, one of dozens within the past two years, illustrates my point about employee training as perhaps the most critical aspect of any good breach plan. Those 52% of accidental breaches can be greatly diminished by showing employees what is expected of them and seeking their help in improving data security throughout the enterprise. A clear written policy that not only delineates the information that is to be protected, but also provides guidelines for staff and names those who are administering the program, is essential in our modern business world. As long as personally identifiable information has value, it will be used and sold by illegal profiteers around the world.
Friday, August 21, 2009
HHS Issues a Breach Notification Rule
The Department of Health and Human Services (HHS) published its rule on mandatory breach notification requirements, reports Government Health IT. The rule applies to all entities covered by the Health Insurance Portability and Accountability Act (HIPAA). The notification requirement stems from a Congressional mandate in the American Recovery and Reinvestment Act (ARRA). "These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information," said Robinsue Frohboese of the HHS Office for Civil Rights. Earlier this week, the FTC issued its rule on mandatory breach notification requirements for personal health records vendors.
For more on that rule, see here.
Thursday, August 20, 2009
Attention All Keepers of Personal Data!
- Do you own a business with employees?
- Do you use personal information in sales transactions?
- Do you keep personally identifiable information (PII) on your clients, including students?
- Do you share PII with any other business?
- Does any other business have access to your PII database?
If you can answer yes to any of these questions, ask yourself this: what are you doing to actively safeguard that information from loss or theft? Remember, it is your responsibility to protect that information from misuse or theft. No business listed above is exempt.
The federal government has issued guidelines for you to follow in order to be compliant with the standards set forth in several privacy laws. The Federal Trade Commission (FTC) has oversight of all businesses apart from the banking and savings industries, which have separate oversight. It has the authority to investigate breaches and even to prosecute those businesses whose security practices are lacking.
The answer to anyone who questions the need for securing this kind of information is very simple. There are roughly 9 to 10 million identity theft victims in the U.S. each year. The majority of those victims had their information compromised from a database and not from direct theft. All of us leave a trail of data behind in the course of our lives. Every school we have ever attended, every home we have purchased, every loan made, insurance claim, and period of military service, in short everything we have ever done, has left a record that needs to be protected from theft or misuse. Each one of us is a link in the chain of protection. When you and your business safeguard the information you keep on others, you are protecting them. When someone else does the same, they are protecting you.
Tuesday, August 18, 2009
Data Security Measures Deadline Extended
The government has long been under pressure to create a federal standard for data security. Existing laws such as the FCRA and GLB Safety Act have set out guidelines for businesses that include risk analysis, written policy definitions, and employee training. However, apart from the Red Flags Rules [sec. 114 FACTA], to date nothing definitive has been issued that delineates specifically what each business must do and what criteria it must follow to safeguard PII. This new Mass. law promises to provide much of that language to guide businesses in that state. It is my belief that, when enacted, this new legislation will become a model for similar federal legislation.
Thursday, August 6, 2009
Companies Take Heed
While it is true that businesses are not required to disclose security procedures and methods, the public still has the last say in this. When you go to work for a company, enter into an agreement or contract with another business, invest in it, or simply do business with it, you have the right to expect that it is handling your personal information in a responsible manner. And you have the right to NOT get involved with a business that does not take this seriously. If the business is covered by the Red Flags Rule, you can ask to see its identity theft prevention and response policy. I have been to bank branches for speaking engagements since Nov 1st of '08 where the branch manager had no idea of the bank's policy nor what the policy document looked like. Banks were to be in compliance prior to November 1st of '08. The bottom line is this: if you are one of the people who are waiting for the government to fix the problem, you are not going to get any satisfaction. We are empowered to make businesses take the responsible route when it comes to data security. We live in a society where lawyers throw cases of client files in dumpsters, personnel departments e-mail sensitive personal info to one another without any sort of encryption or protection, and employees lose laptops and thumb drives containing unencrypted NPI on a regular basis. These are just a few of the "mistakes" companies make daily, and they do not include the intentional theft of paper files, flash drives, and CD-ROMs by underpaid, laid-off or disgruntled employees needing extra cash.
If a business does not address this issue head on by training and honestly assessing internal risk, it is playing with fire. There is no limit on company size either: EVERY business, regardless of size, must take heed. This is a real issue with real consequences, and businesses are the prime source of data.
Tuesday, August 4, 2009
Government Employees' Names, SSNs Exposed
U.S. Commerce Department employees have been notified that their sensitive personal information was exposed last month, reports the Washington Post. The names and Social Security numbers of 27,000 employees were on an Excel spreadsheet that a National Finance Center employee sent to a co-worker via unencrypted e-mail, the report states. The department is making arrangements to track identity theft resulting from the breach and is urging employees to monitor their credit reports.
I repeat: your information is out there and used, or misused, each and every day of the week.
No one can prevent accidents or mistakes from happening, just as you cannot prevent intentional acts of data theft. If you have a comprehensive ID theft early warning and restoration service working for you, you can be assured that no matter how your personal information gets into the hands of the wrong people, they cannot ruin your life. The damage is very limited and correctable.
Thursday, July 30, 2009
Network Solutions Begins a Damage Control Effort
Following disclosure of a data breach that may have compromised the credit card data of more than 573,000 patrons of small commercial Web sites, Internet domain administrator and host Network Solutions has initiated a crisis response effort. Reaching out to its clients affected by the breach, Network Solutions has offered assistance in helping sites notify those customers whose credit card data may have been compromised, including offering credit monitoring services. Network Solutions spokesperson Susan Wade told DMNews, "Unfortunately, something like this could happen to any online business, so we're just letting our customers know that we're there for them, we will help them as much as we can, and we take this issue very seriously."
It is important to recognize that identity theft can and often does raise its ugly head in many different ways. Our information is out in the world and used by thousands of businesses and government agencies constantly. It doesn't take a statistician to see that the odds are that your information will be compromised, and likely many times. Why then would anyone want to gamble that they won't become the victim of the most difficult crime in history? Difficult, you say? When identity theft strikes, records are corrupted with false information. There is no one source to use to correct them, and once they are corrupted the onus is on the victim to prove that they have been victimized. When the data says one thing, how are you going to prove otherwise? Most victims spend years trying to correct their health or SSN files, DMV or insurance records, or any number of files that are used to shape who we are perceived to be in the official and public eye.
Have a service that will not only short-circuit the crime but, most importantly, go to work for you to correct those records no matter how or when they have been corrupted by misuse of your personal data. It is also in the best interest of each and every employer to make such a service available to all of their employees. An employee distracted by this kind of problem cannot concentrate on work or maintain a healthy attitude for as long as they are dealing with an identity theft episode.