Privacy Compliance & Data Security

Vernick on Cyber Security in the Huffington Post

Scott L. Vernick — Tue, 24 Apr 2012 10:11:48 -0500

The FBI reports that cyberattacks could overtake terrorism as the major threat to the country. According to the Department of Homeland Security, between October 2011 and February 2012, there were 86 reported attacks on U.S. computer systems that control critical infrastructure, factories and databases, compared with 11 over the same period a year ago.

Now more than ever, the focus should be on securing and insulating our nation's computer and Internet infrastructure from both internal and external attacks. The first step in anticipating large-scale cyberattacks is to start thinking of them more like the proverbial disaster waiting to happen -- not a question of if, but when. Planning requires going beyond the limitations of current thinking and considering worst case scenarios.

To keep reading my full article visit “The Internet Privacy Debate Misses the Point,” published April 23 by the Huffington Post.

An Example of the Right Way to Handle a Data Breach: Motorola Xoom

Mark McCreary — Tue, 14 Feb 2012 19:24:08 -0500

You may have read that Motorola announced on February 3rd that it inadvertently sold around 100 refurbished Motorola Xoom tablets through Woot.com without putting the tablets through the typical process of doing a factory reset and wiping any personal data that may have been left by the original owner(s). Specifically, there were approximately 6,200 tablets sold between October and December 2011, of which 100 tablets were affected.

The announcement was interesting in and of itself because it highlighted the notification obligation that arose even though Motorola (likely) had no actual knowledge that refurbished tablets went out that actually contained data. Apparently, Motorola only knew that there was a breakdown in its internal processes and some 100 tablets were not wiped, possibly resulting in the resale of some tablets with data not erased by a customer prior to returning the tablet.

Purchasers of the 6,200 tablets through Woot.com were notified by email to go to a Motorola web site and type in the serial number (or some similar identifier), at which point you would be told if your tablet was affected. If your tablet was affected, Motorola asked that you agree to part with your tablet for four to five business days so that it could be factory wiped.

As to turns out, I owned one of the 100 tablets affected. I never win anything, except the Affected Xoom Tablet Lottery. A day or so later a package with easy-to-follow instructions, very protective packaging and a prepaid envelope arrived at my work. In went the tablet, out went the package. On the fourth business day the tablet was returned in working order with a thank you and restore instructions.

And an American Express gift card for $100!!!

Did I have to return the tablet for a factory wipe? No. Was it a burden for me to return the tablet? Hardly. Was I impressed by Motorola giving me a gift card? Damn right I was, and that is my point.

As someone that deals with data breaches, and clients that have to make tough decisions regarding data breaches, on an almost daily basis, this situation struck me. Motorola did the right thing, went above and beyond what was required, and solidified good will with me. I was not even the party with the affected data. I was just the guy that got the great deal on Woot.com for a refurbished tablet.

That Droid Bionic MAXX suddenly is even more appealing to me. Motorola is suddenly more appealing to me (not that I had any particular problem with them before).

It is possible that Woot.com gave me the gift card, and for that reason my patronage to Woot.com also has been strengthened. This is a great example of partners working together to deal with data breach situations. Making the best of a difficult situation, and earning some good will along the way.

Kudos to Motorola and Woot.com for their handling of this situation.

Data Breach Potentially Affects Up to 100,000 Students, 3,000 Employees

Mark McCreary — Sat, 14 Jan 2012 08:27:28 -0500

The San Francisco Chronicle reported yesterday that officials at the City College of San Francisco discovered a few days after Thanksgiving 2010 that certain computers of the college have been infested with active malware for more than a decade. Up to 100,000 students and 3,000 employees could be affected, and that number may rise based on further, ongoing investigation.

The problem was detected when the college's data security monitoring service discovered very high traffic and alerted the college. Initially thought to be limited to one computer lab (Cloud Hall at the Phelan Avenue campus), further investigated revealed that the problem was more widespread. The San Francisco Chronicle's article reported:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Investigation continues to determine which other computer networks at the college may have been infected, such as accounting, admissions and/or payroll systems. Apparently, 17 different computer systems are presently being analyzed. The college's server with medical information appears to be unaffected, although it is unclear whether any other system may also contain medical information (such as the admissions system).

The good news, besides that the college notified those potentially affected in what most would agree was a prompt timeframe, is that there are no known cases of identity theft originating from this extremely lengthy data breach.

Personal Information Data Breaches - Not if, but When?

Amy C. Purcell — Tue, 03 Jan 2012 16:29:57 -0500

By Elizabeth Litten

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings found on Fox Rothschild’s HIPAA, HITECH and HIT Blog. Parts 1, 2,3, 4 and 5 ) can be accessed, can we trust that any electronically transmitted or stored information is really safe?

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases.

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology.

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage.

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

2011 Data Breach Summary

Mark McCreary — Wed, 28 Dec 2011 18:30:33 -0500

Smart Money just ran a story about the top five data breaches of 2011. While I do not necessarily agree that these are the top five (students, students, NYC hospital patients, not to mention the Stratfor breach), the takeaway is interesting: none of them have the same source for the breach:

1. Epsilon. What more needs to be said to keep contract attorneys up at night than "Epsilon"? This data breach involved a third party losing data about its customers' customers. Stated another way, the owner of the information did nothing wrong...other than hiring a contractor that mishandled information. Indemnification mean more to you now? The takeaway from this breach: come clean, come clean, come clean.

2. Sony. Massive breach of the online gaming network. Lots of data lost, lots of downtime for pasty, sun-adverse gamers. Hackers targeting the network to blame. The takeaway from this breach: do not handle it the way Sony handled it.

3. Tricare. A Science Applications International Corp. has data backup tapes stolen from a car. SAIC is a defense contractor for the military. Approximately 4.9 million veterans affected. Hackers targeting lax security to blame. The takeaway from this breach: don't leave the data tapes in the car (come on, people!).

4. Sutter. A simple stolen desktop computer containing information about possibly 3.3 million patients goes missing. The takeaway from this breach: encrypt! Chances are they had zero intention to stealing the actual information, but you can be sure it was still a breach notification scenario.

5. Texas Comptroller. This is number three in my book. Personal information of 3.5 million people left publicly available for over one year. Information about persons required to hand over that information, not information voluntarily handed over. Total disaster. Anyone could have found this information, given its availability. The takeaway from this breach: hire IT staff that is security conscious and, more importantly, give those people the budget to do their jobs.

BONUS: not a data breach, but a significant ruling this year. Corporations have no right to privacy. This Supreme Court ruling impacts corporate decisions on so many levels...or it should.

Happy New Year to our readers.

FTC Settles With Facebook, Agrees to Whopping 20-Year Consent Order

Mark McCreary — Wed, 30 Nov 2011 06:52:38 -0500

According to a press release issued yesterday, November 29, 2011, by the Federal Trade Commission, Facebook settled charges that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”

The complaint (PDF link) lists a litany of bad practices by Facebook. One allegation that stands out, largely because of the media firestorm that it created at the time, was Facebook’s change in privacy settings to users’ accounts in December 2009. The foregoing settings change was, in the FTC’s opinion, particularly egregious because Facebook undertook the changes without any notice or consent from users.

Another allegation that stands out, again both because of the media firestorm and the falsehood, was Facebook’s assertion that information from deactivated user accounts would not be accessible.

And what grueling punishment must Facebook endure for its privacy-related bad acts? According to Jon Leibowitz, Chairman of the FTC, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users." Rough justice.

In all seriousness, there is some substance to the settlement. Facebook must not make any further deceptive privacy claims. Facebook must also get consumers' approval before it changes the way it shares their data. Finally, Facebook must obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Frankly, the foregoing requirements on Facebook are all steps that a company like Facebook, if not substantially all companies handling consumer personal information, should be undertaking.

Specifically, under the proposed settlement, Facebook is:

barred from making misrepresentations about the privacy or security of consumers' personal information;
required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

The proposed settlement is not yet final. The proposed settlement will be open to public comment for thirty days, ending on December 30, 2011. The terms of the proposed settlement is published in the Federal Register shortly. After the close of the comment period, the FTC will decide whether to make the proposed consent order final.

Interested in submitting your comments to the FTC? According to the press release: Interested parties can submit comments online or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Comparison of Major Carriers' Retention of Mobile Device Usage

Mark McCreary — Fri, 30 Sep 2011 04:59:31 -0500

The Computer Crime and Intellectual Property Section of the U.S. Department of Justice compiled a summary in August 2010 of the retention periods of major cellular service providers of data transmitted to and from users' mobile devices. The report is here. (PDF link) The American Civil Liberties Union (ACLU) obtained a copy of the foregoing report through a Freedom of Information Act (FOIA) request. The contents of the report are interesting, to say the least.

As reported by Cory Doctorow on the terrific Boing Boing in this article, and by David Kravets of Wired.com in this article titled "Which Telecoms Store Your Data the Longest? Secret Memo Tells All," it is unclear which major cellular carrier treats our usage data with the most respect. On the one hand, Verizon stores text message details (just the transmission receipt details, such as recipient and time) only one year, compared to as long as 5-7 years for post-paid subscribers of AT&T. On the other hand, AT&T, Sprint and T-Mobile store none of the contents of text messages, whereas Verizon stores that information for 3-5 days. The IP Session information may be the most interesting, because of the additional information that can be gleaned from the raw data, the question of why it is stored (billing disputes?) and the disparity in length of storage. One of the excellent infographics posted on Wired's web site is posted here, but a full Wired article is a must read.

Besides this information being eye opening on a personal level, it can be crucial evidence in the case of a corporate data breach. While we all hope that law enforcement will use all tools available to it when investigating a corporate crime, knowing the tight time constraints under which businesses investigating a potential crime is crucial. To be clear, I am referring to use of these tools as an option for ethical investigations into criminal activity through law enforcement. These are not tools to assist a company in sacking an employee that is surfing the web on her mobile phone while on the clock. In any event, these time frames should be considered when investigating a suspected data breach.

If you are getting that "eye in the sky is watching me" feeling, I will be sure not to mention the warrantless GPS and triangulation tracking capabilities of the major mobile carriers available to law enforcement.

Source: BoingBoing.net; Wired.com

Purdue Notifies 7,000 Students of SSN Theft 16 Months After Discovering the Breach

Mark McCreary — Thu, 18 Aug 2011 05:43:59 -0500

Purdue University informed 7,093 former students on Monday that their Social Security numbers may have been stolen from servers at the University on April 5, 2010. The notification comes 16 months after the discovery of the breach.

According to the (Indiana) Journal & Courier, the server contained 6.6 million nine-digit numbers in the accessed files. After spending six months analyzing those numbers, Purdue determined that approximately 65,000 of those number combinations could be Social Security numbers. An additional four months was spent reanalyzing the numbers and performing forensic analysis. Based on those efforts, the University had matched 7,093 of those number combinations to Social Security numbers of former students.

The breach was discovered only three days after it occurred, approximately April 8, 2010. Fourteen months after discovery of the breach, Purdue notified the Office of the Indiana Attorney General. Now, approximately two months later, the affected former students were notified.

Purdue did not offer any sort of credit monitoring and, instead, recommended to those affected to be vigilant and keep and eye on their credit activity.

The announcement by Purdue comes on the heals of an announcement by The University of Wisconsin-Milwaukee on August 10th that 75,000 of its students had been exposed to a hacking incident in May 2011, as reported earlier here.

While the delay of three months may have seemed excessive last week, at least UWM beat Purdue's delay by almost 14 months.

PSA: LinkedIn Assumes You "Opt-In" to Social Media Advertising

Mark McCreary — Fri, 12 Aug 2011 06:25:16 -0500

Boing Boing has an excellent how-to located here on how to opt out of being included in LinkedIn's social media advertising. Briefly, LinkedIn assumes that you consent to LinkedIn's use of your image in the adverstising of its sponsor's products. If you recommend your CPA firm, and your CPA firm purchases advertising on LinkedIn, your photo may appear in that advertising.

This approach may be fine in certain cases. However, besides just the general creepiness of it, employers should be aware that it creates a potential association between your company (not just the individual) and that third party. I can imagine a scenario where a company is suing its former CPA firm and an advertisement appears with the Controller's image in a LinkedIn advertisement for the same CPA firm.

If your company's social media policy allows employees to participate in LinkedIn and other social media sites, consider whether the policy needs an update to require opting-out of this social media advertising.

HACKED: 75,000 Social Security Numbers at Risk at University of Wisconsin

Mark McCreary — Fri, 12 Aug 2011 05:39:46 -0500

The University of Wisconsin-Milwaukee (“UWM”) announced on Wednesday that a malware-infected, university server was discovered on May 25th that allowed hackers, apparently seeking research data, to access several types of scanned documents. Included in the potentially accessed documents were student applications from past and present students, which applications contained Social Security numbers.

At this time, UWM has not been able to confirm that any of the documents were actually taken by the hackers. UWM reports that “[t]he university learned of the installation of malware on May 25, and immediately shut down the system and began to investigate. During the course of the investigation, on June 30, 2011, we discovered that the database containing social security numbers was included in the compromised system.”

UWM wants to assure students that although names and Social Security numbers were possibly taken, the potentially accessed documents did not contain any financial data or academic information such as student grades. At least students don’t have to worry about having embarrassing grades posted.

The announcement asks “[s]houldn’t the university be offering free credit monitoring?” After all, free credit monitoring is expected these days, although certainly no required. The response? “We have no evidence that anyone’s personal information was retrieved or that any information was misused. However, it is recommended that everyone should monitor their financial information by:

Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
Request a free credit report and carefully inspect your own credit scores.

That is one approach, I suppose. It is certainly different.

While the details of the investigation by this public institution remains under wraps, it does raise interesting questions. To be clear, there may be excellent bases for not making the disclosure earlier. However, we have seen more and more experts commenting on how huge delays in public announcements are justified. Sure, delays in notification can sometimes be justified where only an intrusion is known and it is unclear whether personal information is accessible through that intrusion.

We have come to the point where using the “ongoing internal investigation” excuse is habitually abused. In this case, based on facts known, it took 35 days for a “national computer security consultant” to determine the source and extent of the breach. In other words, it took experts 35 day to conclude that if a certain port on a server was exposed, then access to a certain, non-encrypted database was possible. I asked our network guys about this, and they said it should take about 30 minutes to determine what was exposed if a port was left open.

After confirmation of the possibility that the sensitive documents could have been accessed, it too another 41 days to make a public announcement.

Okay, so maybe law enforcement delayed the notification. Certainly possible. These comments are not meant to be an indictment of UWM specifically, but of the new approach to data breach notification that is occurring more often than not.

In the cases where delay notification is grossly delayed, it is more often that company executives and their counsel decide that if the breach was announced, and it was later determined that access to the potentially accessed documents did not occur, then the “bad press” would be worse than delaying notification for 77 days. Stated another way, they don't want to unnecessarily worry potentially affected persons.

Again, we do not know all the facts. In all likelihood the sensitive documents were not accessed. However, more and more we all are seeing HUGE delays in notifying those affected. If I received a breach notification 77 days after discovery I would be mad as hell. That is 77 days when identity theft could have occurred and I was not being vigilant because I was unaware of a breach. This is the exploding Pinto approach to data breaches.

UCLA Health System Hospitals To Pay $865,000 For Privacy Breaches

Amy C. Purcell — Fri, 08 Jul 2011 09:41:57 -0500

From 2005 through 2009, UCLA Health System Hospitals ("UCLA") received complaints that its employees had viewed celebrities' medical records without authorization. After an investigation, federal health regulators determined that UCLA employees reviewed patients' electronic medical records "repeatedly and without a permissible reason." Federal health regulators found that UCLA failed to remedy the problem and discipline or retrain its staff. Ultimately, UCLA entered into a settlement agreement with federal health regulators. Under the settlement agreement, UCLA must pay a fine of $865,000. The settlement agreement further requires UCLA to: (1) submit a plan to federal regulators outlining how it plans to prevent future privacy breaches; (2) retrain its staff about privacy protections; (3) institute privacy policies; (4) appoint a representative to oversee its privacy improvements; and (5) report to federal regulators for the next three years.

Citibank Data Breach: Even the Banks Can't Get It Right

Mark McCreary — Fri, 10 Jun 2011 05:56:46 -0500

The breaches about which we normally hear have to do with retailers and service providers. Those businesses are the ones that do not appreciate the importance of protecting data, feel they could use the money necessary to create good security in better ways and are the easy targets for hackers. Thankfully, what we generally do not hear about are data breaches at large financial institutions.

Citigroup announced yesterday that its servers were hacked into in early May and the names, addresses account numbers and other account information of 200,000 credit card customers were stolen. Citigroup further reported that social security numbers, CVV security codes and dates of birth were NOT stolen. This data breach affects approximately 1% of all of Citigroup's customers.

There is no information about how the hackers were able to access Citigroup's servers. It is unclear whether information on this security breakdown will ever be released, but the occurrence is a stark contrast to the normal data loss involving systems that are not as well-protected as financial company systems. Generally speaking, retailers are easy targets, financial institutions are not.

The current delay in notifying affected individuals may be the result of Citigroup's cooperation with law enforcement, considering that Citigroup is otherwise required to notify those affected individuals almost immediately. Some are speculating that the delay may (finally) result in federal legislation detailing data breach response guidelines. You know, because the massive prior data breaches were not enough to make federal legislation a priority.

In any event, if you are a Citigroup customer you should keep your eyes out of an email notifying you of the breach. That being said, it would not be surprising to see a phishing effort undertaken to have unsuspecting Citigroup customers that may or may not actually be affected by the breach click on links in email in order to steal usernames and passwords. In other words, if you do receive a notice from Citigroup about the breach, make sure that the email really is from Citigroup by confirming the links take you to a genuine Citigroup web site or navigating to the Citigroup web site manually and looking for information on the data breach.

Sony Hit By Data Breach Affecting 77 Million Gamers

Mark McCreary — Wed, 27 Apr 2011 05:01:41 -0500

Sony announced yesterday that its PlayStation Network and Qriocity services were compromised by an "unauthorized" person. What was the haul? According to Sony, the "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID" and the "profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers" of 77 million individuals.

That's right, 77 million people. This is one of the largest Internet data losses in history. We can assume that the data was not encrypted, otherwise we would hear little or nothing about the data loss (most states exempt encrypted data from disclosure requirements), or else Sony would be screaming "Don't fret too much, the data was encrypted and we did not lose the decryption key." Sony is not making either claim at this time.

Well, data breaches happen, you may be thinking. We have seen companies with best practices still suffer at the hands of hackers or rogue employees. Sony is taking the most heat not from the data loss, but from the timing of the disclosure to those affected. The disclosure of the data breach to customers directly was on April 26th. The data breach apparently occurred between April 17 and April 19. It has been reported that Sony discovered the breach on April 20th. There was a gap of six days between discovery and disclosure. Six days may be an eternity when you are a gamer and your network is down (there are likely millions of teenagers with fresh sunburns), but how long is six days in the data breach world?

Six days between discovery and disclosure may be acceptable, especially to the extent that Sony was working with law enforcement and was requested/told not to make a public announcement. To clarify the preceding sentence, six days may not be too long when working with law enforcement as long as Sony was truly working with law enforcement and the delay had a genuine purpose. However, Sony did not explain that law enforcement cooperation was the reason for the delay. It is not likely that Sony ran afoul of any state statute timing requirements, which have quite a bit of leeway built in.

If you or your children are on one of these services, you need to pay particular attention to this story as it develops. You (the keyword being "you") need to monitor your bank accounts and credit cards - frankly, any account into which a third party can back into knowing your security question or your password on this service (remember, if you use the same password for your email account AND this service, somebody may have both of those right now). For now, Sony has not offered any type of monitoring service, so your financial/credit monitoring is currently your responsibility.

Hopefully Sony will continue to come out with more information, or we will learn that the data is in "safe" hands (think Matthew Broderick in War Games - almost nothing went wrong in that movie). In any event, your children that go to business school will enjoy reading the future case study on this one.

Doing the Math: Average Data Breach Cost Now Up to $214 Per Record

Mark McCreary — Wed, 09 Mar 2011 06:42:39 -0500

The cost per customer record in a data breach increased $10 over the 2009 average to $214 per customer record compromised in a data breach, which is $12 more than the 2008 average of $202 per customer record. The Poneman Institute, which conducts independent research on privacy, data protection and information security policy, released its sixth Annual Study: U.S. Cost of Data Breach (Available Here - PDF link), declaring that the average cost per compromised customer record rose to $214. The report is sponsored by Symantec Corporation. Excellent materials such as an infographic, summaries, blog entries, a podcast and slide presentation can be found on Symantec's web site here.

Before getting into the numbers, you should note that Symantec is offering a Data Breach Risk Calculator. The foregoing calculator is NOT for the feint of heart, so consider yourself warned. That being said, the calculator is a powerful tool that considers several factors when estimating data breach costs to businesses.

The report is based on 51 reported data breaches in the United States (other country reports are also published) in 2010, ranging from 4,200 to approximately 105,000 records in 15 different industries. Of the breaches studied, organizations paid a low of $780,000 ($750,000 in 2009), and a high of $35.3 Million ($31 Million in 2009) in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 Million in 2008, and $6.75 Million in 2009, to $7.2 Million in 2010 (Summary).

The cost breakdown for breach response among lost business, ex-post response, notification and detection & escalation is eye-opening and, if nothing else, should be motivational to businesses to address problems before they arise.

Source: Poneman Institute/Symantec Corporation

According to the report and infographic that was published, the source of the data breach was related to negligence in 41% of the cases. 31% of the data breaches were the cause of intentional and malicious attacks, up seven percent from 2009. Breaches due to third party mistakes dropped three percent to 39%. Encryption as a post-breach remedy remained the most popular, up three percent to 61%

As in prior years, those organizations that move quickly tend to experience a higher cost per record for the data response. Organizations that move quickly tend to do so in a disorganized manner with little efficiency (e.g., they do not have a breach response plan in place), and spend on average $268 per record, up significantly from the 2009 average of $219 per record. Those organizations that took longer to respond paid $174 per record on average.

The news regarding data breach costs and impacts continues to worsen and shows no sign of improving or slowing.

Online Privacy in the Open - Who Cares About the Faux Fight?

Scott L. Vernick — Mon, 07 Mar 2011 09:56:40 -0500

Much ado has been made in recent weeks about the FTC’s Do Not Track proposal, the push from Congress to protect consumers, and the response from Google, Microsoft and Mozilla, as well as the online ad industry, about the risks and rewards of self-regulation. But what has seemed to be missing from the debate is the public’s own outcry. Amidst the churning discussions there has not been a sense that the general online population is overly concerned about whether an advertiser can track their preferences... at least until the information they share leads to a distinct invasion of privacy with repercussions.

All in all, this debate remains self-contained, and raises more questions than it answers.

From the political front, the Congressional proposals present an issue that is easy to support. Who is “against” privacy? Perhaps the same people who want to bring down apple pie and stop Veterans Day parade...

Technology executives and startups being buffeted about by the concern of over impending government regulation, agreeing on a self-implemented system, and monetizing so -called "privacy assets" for those opting to share more. But how much of the genie is already out of the bottle? Is it possible to truly claw back or sanitize people’s data that is already out there?

There is certainly cause for public concern, though it seems that is not the case until an actual situation occurs. If a website, social forum or third party advertiser holding your personal information is hacked or breached, the potential invasion of privacy on personal preferences could be huge. Finances, sexual preference, and many items that could lead to identity theft are all put at risk. Yet we continue to "like" and "share" and post pictures because living online has become an extension to daily life.

Is this public acceptance? Maybe we won’t know until there is a problem that draws attention on a national scale. The public has control over their own activity online, and the amount of information they wish to share.

If the public is truly concerned about online privacy, it is a matter of self-regulation on a personal level. In the meantime, the government and the industry will continue to swirl in a cycle that perhaps will only end with a set of regulations and authorizations that create more unenforceable layers than there were before. Data thieves will always find ways to game the system, there will always be a risk when sharing personal information online, and advertising will not stop being the fuel that runs much of the internet.

Health Data for 1.7 Million NYC Hospital Patients, Staff and Others At Risk

Scott L. Vernick — Thu, 03 Mar 2011 08:50:21 -0500

On February 10, 2011, the New York City public hospital system filed a lawsuit against its records management contractor over allegations that the contractor permitted the theft of unencrypted data tapes storing health information and other personal data on some 1.7 million patients and staff. The New York City hospital system disclosed the breach, which occurred on December 23, 2010, for the first time in a February 11, 2011, statement. The complaint alleges that six data tapes, storing HIPAA protected information and other personal data for approximately 1.7 million patients at three facilities, as well as for employees, vendors, contractors and other service providers, were stolen from a van left unlocked in Manhattan by the hospital system's records management contractor. In a statement, the hospital system said that, while the stolen tapes have not been found, no fraud has been reported and the tapes are protected by a proprietary system that makes the data difficult to access.

Supreme Court Tells AT&T It Has No Right to Privacy

Mark McCreary — Wed, 02 Mar 2011 06:47:08 -0500

The Supreme Court of the United States has ruled in Federal Communications Commission, et al. v. AT&T Inc., et al. (slip opinion - PDF link) that business entities have no personal privacy rights under the Freedom of Information Act (FOIA) (PDF link). The ruling was unanimous and arose from a Third Circuit decision.

There are several exemptions built into the FOIA, whereby federal agencies do not have to make certain information available when requested. Exemption 7(C) pertains to law enforcement records that, if disclosed, “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” 5 U. S. C. §552(b)(7)(C). The issue addressed was whether corporations have "personal privacy" for purposes of exemption 7(C).

AT&T was investigated by the Federal Communications Commission in connection with AT&T's participation in the FCC's E-Rate (Education-Rate) program for schools and libraries. As a result, AT&T disclosed to the FCC that it may have overcharged the Government for its services in connection with the E-Rate program. During the resulting investigation, AT&T disclosed various information to the Government, including billing information, name and job descriptions of employees involved and AT&T's conclusion regarding wrongdoing by its own employees. The matter was resolved in December 2004 and AT&T paid $500,000 and instituted a plan to ensure the incorrect billing did not occur again.

CompTel, "a trade association representing some of AT&T's competitors," submitted a FOIA request in connection with the E-Rate program investigation. The FCC's Enforcement Bureau did withhold some competitive information, as well as names and other personal information related to AT&T's employees. However, the Enforcement Bureau did not apply exemption 7(C) to AT&T itself because "businesses do not possess 'personal privacy' interests as required by the exemption."

AT&T took the position the root term “person” in the phrase "personal privacy" refers to "persons" as defined under the Administrative Procedures Act. The definition of "person" under the Administrative Procedures Act includes several types of business entities, specifically, corporations. The FCC concluded that AT&T's position that it is “a ‘private corporate citizen’ with personal privacy rights that should be protected from disclosure that would ‘embarrass’ it . . . within the meaning of Exemption 7(C) . . . at odds with established [FCC] and judicial precedent,” and concluded that “Exemption 7(C) has no applicability to corporations such as [AT&T].”

The Court of Appeals for the Third Circuit agreed with AT&T, and the FCC petitioned the United States Supreme Court for review, and the Third Circuit holding was overturned.

Chief Justice Roberts delivers a thoughtful analysis of why the terms "person" and "personal" should not be read to give business entities "personal privacy rights," which you can read in detail in the opinion (PDF link). In a final wink, nudge and affirmation of his reasoning, Chief Justice Roberts concludes the analysis by stating that "[w]e trust that AT&T will not take it personally."

Recent Enforcement Activity...

Scott L. Vernick — Mon, 28 Feb 2011 14:01:55 -0500

Last week, the federal government fined Cignet Health (Maryland) $43 million for violating the privacy rights of 41 patients by denying them access to their medical records. The fine levied by the Department of Health and Human Services is the first under HIPAA's privacy rule. The Department of Health and Human Services' Office of Civil Rights determined that, between September 2008 and October 2009, Cignet Health violated patients' rights by denying them access to their medical records. Cignet Health also repeatedly failed to cooperate with the investigation conducted by the Office of Civil Rights and did not comply with a subpoena for medical records issued by the Office of Civil Rights until ordered to do so by a federal judge in March 2010.

Separately, the federal government reached a $1M dollar settlement with Massachusetts General Hospital over potential violations of patient privacy laws when an employee lost patients records on local public transportation. The lost information concerned 192 patients in the hospital's Infectious Disease Associates outpatient practice, including information pertaining to patients with HIV/AIDS. For 66 patients, the lost data included billing forms that recorded name, birth date, medical record number, health insurer and policy number and diagnosis.

Moving to the Cloud: Making Sure You Know the Location of the Cloud

Mark McCreary — Fri, 25 Feb 2011 10:18:50 -0500

Over the last two years more and more clients have requested that we assist them with moving some or all of their business services to the "cloud." Some of these clients want to use a service that would result in sensitive information being stored on the servers of a third party service provider, such as web-based email, Salesforce.com, Google Docs. As much as each of these businesses have heavily debated the pros and cons of moving to the cloud, rarely do they consider where the cloud is physically located.

Financial and health industries have always had a focus on thinking through where their protected data was located. There is a sophisticated legal framework dealing with prohibitions on the storage of sensitive data on foreign soil, such as financial, import-export or healthcare rules and regulations. For example, a well thought-out online services agreement for a financial institution should have a strict prohibition on storage of data in certain countries or a country other than where the financial institution is located.

However, businesses do not always consider that the information that is stored in a cloud-based service may be physically located on servers not situated in the United States. Having your business information located in a foreign country can easily (very, very easily) lead to loss, unauthorized private and governmental access and the tripping of the myriad of existing laws, rules and regulations.

The Software Advice Blog has a recent blog post that highlights some of the considerations that a business should undertake when considering the storage of data in a cloud-based service. Because the decision making process for each business is unique, no blog post is going to give you all of the answers. But the examples here and in the entry on Software Advice do give you some idea of what your business should be considering.

A final note is that the physical location of cloud-based servers is relevant at all times, not just when you have offices, employees or services based in other countries. You may know that you are dealing with a company based in your home country, but you should not assume that the servers used by that company are also based in your home country.

California's Simitian Moves to Bolster Data Breach Notices

Scott L. Vernick — Mon, 14 Feb 2011 09:46:53 -0500

California State Senator, Joe Simitian (D-Palo Alto), who authored the state's existing data breach law in 2002, has introduced Senate Bill 24 to strengthen the content of notices provided to individuals when their personal information has been hacked, stolen or lost. If passed, Senate Bill 24 proposes to offer individuals better protection against identity theft by standardizing the content for data breach notification, including (i) a general description of the incident, (ii) the type of information breached, (iii) the date and time of the breach and (iv) a toll-free telephone number of major credit reporting agencies for security breach notices in California. Senate Bill 24 would also require public agencies, businesses and others to send a copy of the breach notification to the California Attorney General if more than 500 Californians are affected by a single breach. Former Governor Arnold Swarzenegger vetoed similar legislation introduced by Senator Simitian.