Posts Tagged ‘identity theft’

State Laws Encourage Backup Encryption

Sunday, January 24th, 2010

I heard a rumor recently that Iron Mountain, a leading provider of offsite storage for backup data, was implementing a new policy that all customer data must be encrypted.

It makes sense. Unencrypted backup media seems to be an increasingly common source of data breaches. Chase Bank lost data on an unencrypted backup tape. Information Vaulting Services lost a backup tape from the state of Arkansas containing unencrypted personal information on over 800,000 individuals. A third-party storage vendor lost an unencrypted backup tape from Bank of New York Mellon with sensitive information from 4.5 million customers. The list goes on, and on, and on… and on.

While the organization entrusted with the data (Chase Bank, the state of Arkansas, or Bank of New York Mellon in the cases cited above) ultimately pays the price for the breach, in broken customer trust and damaged reputation as well as fines, penalties, and the cost of notifying and protecting customers, these losses also reflect poorly on the third-party organizations responsible for securely storing the backup media.

Organizations like Iron Mountain that provide offsite storage have no way of knowing what data is contained on the media they store for their customers, nor whether that data is encrypted or protected in any way. A tape is a tape is a tape, and they are all handled and treated the same. Granted, a company that exists to provide secure offsite storage for backup data should not lose its customers’ backup media, but it shouldn’t bear any additional responsibility for personal or sensitive information being compromised as a result.

It turns out that the rumor I heard was incorrect. I spoke with Iron Mountain and was told that it does not require customers to encrypt backup data, although it does believe it’s a good idea and highly recommends that customers consider doing so.

Apparently, the rumor stems, at least in part, from laws enacted in Nevada and Massachusetts. Those state laws require that personal information that could lead to identity theft be protected, even on backup media. Iron Mountain may not require encryption, but Nevada and Massachusetts do: organizations located in those states, or that conduct business there in a way that results in personal information of those states’ citizens being retained, must encrypt that information on backup media.

Suffice it to say, it’s just a good idea. Data at rest should be encrypted whether it is stored on servers on your internal network or on backup media held offsite by a third party.

Minnesota Employee Data Exposed by Lookout Services

Tuesday, December 15th, 2009

Personal information related to hundreds of Minnesota state employees has been publicly available on the Web for months–unencrypted and without any sort of password protection. Minnesota entered into a two-year deal with Texas-based Lookout Services to use its “seamless Fail Safe I-9 E-verify process”, but all state agencies have been ordered to stop using the service following discovery of the data breach.

Exposed data included employee names, birth dates, Social Security numbers and hire dates for every Minnesota state agency using the service, as well as personal data from a variety of other Lookout Services clients.

Lookout Services is one of about 13,000 firms registered with the Department of Homeland Security (DHS) to process E-verify checks to determine citizenship and employment eligibility for prospective employees. However, Bill Wright, deputy press secretary for U.S. Citizenship and Immigration Services, the agency within DHS responsible for E-verify checks, responded saying “Is there a requirement to notify if there has been a security breach? The answer is no.”

The state of Minnesota, however, disagrees with that philosophy. Minnesota is one of 46 states that do require victims to be notified in the event of a data security breach. Minnesota’s legislation requires that victims whose data has been exposed to unauthorized access be notified as soon as possible about the breach.

The responsibility for protecting the data ultimately lies with the companies or agencies to which it was originally entrusted. Part of the process of engaging a third party to handle such sensitive information is to ensure it has strong policies and procedures, and adequate security controls in place, to safeguard the information. Apparently, Minnesota didn’t do its due diligence prior to partnering with Lookout Services.

Patient Data Leaked to Local Attorneys by Hospital Worker

Sunday, December 13th, 2009

The University Medical Center (UMC) in Las Vegas is in hot water after it was discovered that at least one hospital employee has been leaking personal information of accident victims to local attorneys so that the lawyers could solicit the patients as clients. The breach of patient data violates federal HIPAA (Health Insurance Portability and Accountability Act) guidelines and could result in fines up to $1.5 million.

According to an article from the Las Vegas Review-Journal, the potential HIPAA fines are divided into four categories with a total maximum of $1.5 million:

  • If the hospital shows it didn’t know about security leaks, even though it made a good-faith effort to ferret them out, it faces fines of $100 to $50,000 per violation.
  • If the violation resulted from a reasonable cause with no willful neglect, the hospital could be fined $1,000 to $50,000 for each offense.
  • If federal officials determine the hospital was negligent but fixed the problems within 30 days, the fines would run $10,000 to $50,000 per violation.
  • If it takes longer than 30 days, the fines start at $50,000.

The hospital received fairly high marks from a county auditor for HIPAA compliance, but with a few notable flaws. The auditor identified issues with patient records being left unattended, outgoing email with sensitive information being transmitted without encryption, and, in some cases, no record of what information was disclosed to third parties. Any of these data protection weaknesses could come back to haunt UMC, both in the federal investigation and fines and in any subsequent civil suits arising from the breach of confidentiality.

Health and medical institutions like UMC would benefit from tools that enforce data security policies: software that monitors and restricts the data sent to networked printers or saved to removable media, and software that scans and filters outbound email so that sensitive information is never transmitted unencrypted.
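As an added illustration, not code from the original post or from any product named in it, the following Python sketch shows the kind of outbound-email check just described: mail that is already S/MIME or PGP/MIME encrypted is passed through uninspected, plain-text bodies are scanned for plausibly formatted Social Security numbers, and each message gets a policy decision. The message fields, thresholds and sample messages are constructed for the example.

```python
import re
from typing import Dict, List

# MIME types that mean the body is already encrypted end-to-end (S/MIME, PGP/MIME);
# the gateway cannot read it, so such mail is released without inspection.
ENCRYPTED_TYPES = ("application/pkcs7-mime", "multipart/encrypted")

# nnn-nn-nnnn, the formatting in which SSNs most often leak in free text.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values an SSN can never take (area 000, 666 or 900-999, group 00,
    serial 0000) so invoice and reference numbers do not trip the filter."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def find_ssns(text: str) -> List[str]:
    """Return every plausibly valid SSN-shaped token in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def classify_outbound(message: Dict[str, str], block_threshold: int = 5) -> str:
    """Decide 'allow', 'require-encryption' or 'block' for one outbound message.
    'content_type' and 'body' are hypothetical field names for this example."""
    ctype = message.get("content_type", "").lower()
    if any(ctype.startswith(t) for t in ENCRYPTED_TYPES):
        return "allow"               # already encrypted; nothing to inspect
    hits = find_ssns(message.get("body", ""))
    if not hits:
        return "allow"
    if len(hits) >= block_threshold:
        return "block"               # bulk PII: hold for review
    return "require-encryption"      # a few records: encrypt before release

# Constructed sample messages, not real data.
SAMPLES = {
    "plain_one_patient": {"content_type": "text/plain",
        "body": "Patient Doe, SSN 123-45-6789, admitted after MVA on 12/01."},
    "plain_invoice": {"content_type": "text/plain",
        "body": "Invoice 000-12-3456 and reference 987-00-1111 attached."},
    "bulk_export": {"content_type": "text/plain",
        "body": "\n".join(f"row {i}: 2{i:02d}-4{i}-{1000 + i}" for i in range(6))},
    "smime": {"content_type": "application/pkcs7-mime; smime-type=enveloped-data",
        "body": "<base64 CMS ciphertext, omitted>"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:18s} -> {classify_outbound(msg)}")
```

A production filter would add the other identifiers the audit mentioned (dates of birth, patient names) and inspect attachments, but the allow / encrypt / block decision structure stays the same.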