
Posts Tagged ‘personal information’

$6.5 Million is a Lot to Gamble

Wednesday, May 12th, 2010

Section 13402(e)(4) of the HITECH Act requires the Secretary of Health and Human Services to post a list of breaches of unsecured protected health information affecting 500 or more individuals. Under the HHS guidance issued for that section, protected health information that is encrypted to the specified standard is not “unsecured” at all, so the loss of properly encrypted data does not even trigger the notification that puts an organization on that list.

Since HHS began tracking and posting these breaches in late September of 2009, there have been 77 such incidents, impacting a total of 2.4 million individuals. That is an average of more than 30,000 breached records containing personal information per incident. A 2009 study by the Ponemon Institute put the average cost of a data breach in the United States at $208 per compromised record, which makes the average cost of each of these 77 breaches roughly $6.5 million.

Some of the data breaches were the result of physical data–forms and paperwork–being thrown into a dumpster. But, nearly 75 percent of the incidents involved unencrypted data stored on servers, backup tapes, or portable storage media.

Applying those averages, here is the bottom line: 56 of the 77 incidents could have been prevented had those organizations encrypted the data at rest with a product such as Zecurion Zserver Suite and kept the keys off the tapes and drives that walked out the door. Nearly 1.8 million of the 2.4 million affected individuals would not have had their personal data compromised, and those organizations could have avoided a combined $364 million in costs to clean up after the breach.

The investment in proactively protecting data is significantly less than the cost of reacting to a data breach, and it avoids the long-term damage to the organization’s credibility and reputation.

A Server Breach Does Not Have to be a Data Breach

Monday, January 11th, 2010

Stop and think about your bank for a minute. Does it pile the money up in the middle of the lobby? Why not? After all, there are locks on the doors.

The bank does have locks on the doors…and an alarm system…and armed security guards…and video surveillance…and yet it still keeps the money locked in a vault, just in case. Even if intruders manage to break through or bypass all of the other security measures, the money is still not compromised because it is in a locked vault.

Organizations need to treat sensitive data the same way banks treat money. The security controls in place–firewalls, intrusion detection, antimalware, etc.–are great, and necessary, but sensitive information like Social Security numbers, account numbers, etc. needs to be encrypted as that extra measure of protection, so that it cannot be breached even if malicious intruders manage to circumvent the other controls. The vault only holds if the key is not left in the lock: an intruder who takes over a server that holds both the encrypted data and a live decryption key reads the data just as if it were in clear, so the key has to live somewhere the intruder has not yet reached.

The school district in Eugene, OR had security in place on its server, but attackers were able to bypass it. That server contained information on 13,000 current and former employees including names, addresses, dates of birth, Social Security numbers, tax identification numbers and direct-deposit bank account information. If the school district had encrypted the data on the server using a tool like Zecurion ZServer Storage, with the key held apart from the server itself, the sensitive information would have stayed protected even though attackers breached the server.
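The point of the last two paragraphs, that sealed columns turn a server compromise into something less than a data compromise, as an added example; this is not code from the original post or from Zecurion. It is field-level AES-256-GCM encryption in Go using only the standard library: the record layout, the column names and the sample employee row are constructed for illustration, and the key is generated in-process here as a stand-in for one fetched from a separate key store. That separation is the part the argument depends on; an intruder who can also read the key off the same server gets the plaintext regardless.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedField is what the server (or a backup tape pulled from it) actually
// stores for one sensitive column: random nonce || AES-256-GCM ciphertext || tag.
type EncryptedField []byte

// NewKey returns a fresh 32-byte AES-256 key. In a real deployment this comes
// from a KMS or HSM, never from the database or the same disk as the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext under key. The record ID and column name are
// bound in as associated data, so a ciphertext moved from one row or column
// to another fails to authenticate instead of decrypting to someone else's SSN.
func EncryptField(key []byte, recordID, column string, plaintext []byte) (EncryptedField, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad := []byte(recordID + "/" + column)
	// Seal appends ciphertext||tag to dst; passing nonce as dst gives nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField opens a field. It returns an error, never a partial plaintext,
// on a wrong key, a modified ciphertext, or a mismatched record/column.
func DecryptField(key []byte, recordID, column string, field EncryptedField) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(field) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := field[:gcm.NonceSize()], field[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID+"/"+column))
}

// StoredRecord is the row as it sits on the server: the name stays in clear so
// the application can still search on it; the sensitive columns are sealed.
type StoredRecord struct {
	ID, Name         string
	SSN, BankAccount EncryptedField
}

func SealRecord(key []byte, id, name, ssn, bank string) (StoredRecord, error) {
	encSSN, err := EncryptField(key, id, "ssn", []byte(ssn))
	if err != nil {
		return StoredRecord{}, err
	}
	encBank, err := EncryptField(key, id, "bank_account", []byte(bank))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: id, Name: name, SSN: encSSN, BankAccount: encBank}, nil
}

// Leaks reports whether a raw dump of the row, which is all an intruder with
// server access or a stolen backup tape yields, contains the secret in clear.
func Leaks(rec StoredRecord, secret string) bool {
	dump := append([]byte(rec.ID+rec.Name), rec.SSN...)
	dump = append(dump, rec.BankAccount...)
	return bytes.Contains(dump, []byte(secret))
}

func main() {
	key, err := NewKey() // stands in for a key fetched from a separate key store
	if err != nil {
		panic(err)
	}
	// Constructed sample row; not real data.
	rec, err := SealRecord(key, "emp-1001", "Jane Doe", "123-45-6789", "021000021:0012345678")
	if err != nil {
		panic(err)
	}
	fmt.Printf("SSN visible in a server dump: %v\n", Leaks(rec, "123-45-6789"))
	ssn, err := DecryptField(key, rec.ID, "ssn", rec.SSN)
	fmt.Printf("with the key: %q err=%v\n", ssn, err)
	wrongKey, _ := NewKey()
	_, err = DecryptField(wrongKey, rec.ID, "ssn", rec.SSN)
	fmt.Printf("with a guessed key: err=%v\n", err)
	_, err = DecryptField(key, "emp-1002", "ssn", rec.SSN)
	fmt.Printf("ciphertext moved to another row: err=%v\n", err)
}
```

The associated data is what makes this more than "encrypt the column": without it, an attacker who can write to the table could copy the sealed SSN of one employee into another row and have the application decrypt it for them under the wrong identity. The nonce is random per field, which is fine for AES-GCM at the volume of a single HR database; a system sealing billions of fields under one key would need a key-rotation or nonce-derivation scheme, which is outside the page's scope.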

Laptop Stolen, But Security Measures Make Data Compromise Unlikely

Thursday, December 17th, 2009

A story from CNN today reports that a laptop containing personal information on approximately 42,000 Fort Belvoir Morale, Welfare and Recreation (MWR) patrons was stolen over the Thanksgiving holiday weekend. The focus of the CNN story is that it took two weeks for the military to respond and alert those whose information may have been compromised by the theft. It goes on to note that this is not the first time the military has had a laptop stolen, and adds that a bill currently in the Senate would require greater protection for mobile data.

What seems to be somewhat glossed over in the CNN story is the fact that this data was protected. CNN does mention it when it says “information security experts for the Army say it’s unlikely that the information will be compromised because the data are guarded by three layers of security and encryption passwords.” But, somehow that part seems buried under the rest of the story as if we’re not supposed to care about it.

I am not sure we can ask much more. Sales of portable computers like laptops and netbooks are trending up, and portable storage like USB flash drives and external hard drives is cheap. The same size that makes these devices convenient to carry makes them easy to steal. The bottom line is that a lot of sensitive information is being carried around on these devices.

Companies and individuals need to operate under the assumption that a laptop will be stolen. I am not suggesting that laptop theft is so rampant that there is no way to avoid it, I am just suggesting that the data on the laptop be treated as if its theft were a sure thing. If you knew, for a fact, that your laptop would be stolen tomorrow, what kind of security would you have on it to protect the information it contains? Which data is so sensitive that you would add extra layers of security and encryption to virtually guarantee that it can’t be compromised?

In this case, perhaps the military should have notified individuals sooner. It can also be argued that, because of the security controls and encryption in place, the military did not need to notify anyone at all; most breach-notification laws exempt data that was encrypted when the key was not also compromised. By putting adequate protection on the laptop, the military essentially ensured that the thief might be able to use or sell the machine but will not be accessing any of the data it contains, as long as the passphrase was not stored with it and the machine was not taken while unlocked.

Minnesota Employee Data Exposed by Lookout Services

Tuesday, December 15th, 2009

Personal information on hundreds of Minnesota state employees was publicly available on the Web for months–unencrypted and without any sort of password protection. Minnesota had entered into a two-year deal with Texas-based Lookout Services to use its “seamless Fail Safe I-9 E-verify process”, but all state agencies have been ordered to stop using the service following discovery of the exposure.

Exposed data included employee names, birth dates, Social Security numbers and hire dates for every Minnesota state agency using the service, as well as personal data from a variety of other Lookout Services clients.

Lookout Services is one of about 13,000 firms registered with the Department of Homeland Security (DHS) to process E-verify checks that determine citizenship and employment eligibility for prospective employees. However, Bill Wright, deputy press secretary for U.S. Citizenship and Immigration Services–the agency within DHS responsible for E-verify checks–responded: “Is there a requirement to notify if there has been a security breach? The answer is no.”

The state of Minnesota, however, disagrees with that philosophy. Minnesota is one of 46 states that require victims to be notified in the event of a data security breach. The Minnesota legislation requires that individuals whose data has been exposed to unauthorized access be notified as soon as possible about the breach.

The responsibility for protecting the data ultimately lies with the companies or agencies to which it was originally entrusted. Part of the process of engaging a third party to handle such sensitive information is to verify that it has strong policies and procedures, and adequate security controls in place, to safeguard the information. Apparently, Minnesota did not do its due diligence prior to partnering with Lookout Services.