The SAIC Breach and a Look Across the Chasm Between Significant Risk and Actual Harm Resulting from a HIPAA Breach

The following was recently posted in substantially the same form on the Fox Rothschild LLP HIPAA, HITECH and Health Information Technology blog.

Elizabeth Litten and Michael Kline write:


We have posted several blogs, including those here and here, tracking the reported 2011 theft of computer tapes from the car of an employee of Science Applications International Corporation (“SAIC”) that contained the protected health information (“PHI”) affecting approximately 5 million military clinic and hospital patients (the “SAIC Breach”).  SAIC’s recent Motion to Dismiss (the “Motion”) the Consolidated Amended Complaint filed in federal court in Florida as a putative class action (the “SAIC Class Action”) highlights the gaps between an incident (like a theft) involving PHI, a determination that a breach of PHI has occurred, and the realization of harm resulting from the breach. SAIC’s Motion emphasizes this gap between the incident and the realization of harm, making it appear like a chasm so wide it practically swallows the breach into oblivion. 


SAIC, a giant publicly-held government contractor that provides information technology (“IT”) management and, ironically, cyber security services, was engaged to provide IT management services to TRICARE Management Activity, a component of TRICARE, the military health plan (“TRICARE”) for active duty service members working for the U.S. Department of Defense (“DoD”).  SAIC employees had been contracted to transport backup tapes containing TRICARE members’ PHI from one location to another.


According to the original statement published in late September of 2011 (the “TRICARE/SAIC Statement”), the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.” However, the TRICARE/SAIC Statement said that there was no financial data, such as credit card or bank account information, on the backup tapes. Note 17 to the audited financial statements (“Note 17”) contained in the SAIC Annual Report on Form 10-K for the fiscal year ended January 31, 2012, dated March 27, 2012 (the “2012 Form 10-K”), filed with the Securities and Exchange Commission (the “SEC”), includes the following:


There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person. In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.  The Company [SAIC] has notified potentially impacted persons by letter and is offering one year of credit monitoring services to those who request these services and in certain circumstances, one year of identity restoration services.


While the TRICARE/SAIC Statement contained similar language to that quoted above from Note 17, the earlier TRICARE/SAIC Statement also said, “The risk of harm to patients is judged to be low despite the data elements . . . .” Because Note 17 does not contain such “risk of harm” language, it would appear that (i) there may have been a change in the assessment of risk by SAIC six months after the SAIC Breach or (ii) SAIC did not want to state such a judgment in an SEC filing.


Note 17 also discloses that SAIC has reflected a $10 million loss provision in its financial statements relating to the SAIC Class Action and various other putative class actions respecting the SAIC Breach filed between October 2011 and March 2012 (for a total of seven such actions filed in four different federal District Courts). In Note 17 SAIC states that the $10 million loss provision represents the “low end” of SAIC’s estimated loss and is the amount of SAIC’s deductible under insurance covering judgments or settlements and defense costs of litigation respecting the SAIC Breach. SAIC expresses the belief in Note 17 that any loss experienced in excess of the $10 million loss provision would not exceed the insurance coverage.


Such insurance coverage would, however, likely not be available for any civil monetary penalties or counsel fees that may result from the current investigation of the SAIC Breach being conducted by the Office for Civil Rights of the Department of Health and Human Services (“HHS”) as described in Note 17.


Initially, SAIC did not deem it necessary to offer credit monitoring to the almost 5 million reportedly affected individuals. However, SAIC urged anyone suspecting they had been affected to contact the Federal Trade Commission’s identity theft website. Approximately 6 weeks later, the DoD issued a press release stating that TRICARE had “directed” SAIC to take a “proactive” response by covering a year of free credit monitoring and restoration services for any patients expressing “concern about their credit as a result of the data breach.”   The cost of such a proactive response easily can run into millions of dollars in the SAIC Breach. It is unclear the extent, if any, to which insurance coverage would be available to cover the cost of the proactive response mandated by the DoD, even if the credit monitoring, restoration services and other remedial activities of SAIC were to become part of a judgment or settlement in the putative class actions.


We have blogged about what constitutes an impermissible acquisition, access, use or disclosure of unsecured PHI that poses a “significant risk” of “financial, reputational, or other harm to the individual” amounting to a reportable HIPAA breach, and when that “significant risk” develops into harm that may create claims for damages by affected individuals. Our partner William Maruca, Esq., artfully borrows a phrase from former Defense Secretary Donald Rumsfeld in discussing a recent disappearance of unencrypted backup tapes reported by Women and Infants Hospital in Rhode Island. If one knows PHI has disappeared, but doubts it can be accessed or used (due to the specialized equipment and expertise required to access or use the PHI), there is a “known unknown” that complicates the analysis as to whether a breach has occurred. 


As we await publication of the “mega” HIPAA/HITECH regulations, continued tracking of the SAIC Breach and ensuing class action litigation (as well as SAIC’s SEC filings and other government filings and reports on the HHS list of large PHI security breaches) provides some insights as to how covered entities and business associates respond to incidents involving the loss or theft of, or possible access to, PHI.   If a covered entity or business associate concludes that the incident poses a “significant risk” of harm, but no harm actually materializes, perhaps (as the SAIC Motion repeatedly asserts) claims for damages are inappropriate. When the covered entity or business associate takes a “proactive” approach in responding to what it has determined to be a “significant risk” (such as by offering credit monitoring and restoration services), perhaps the risk becomes less significant. But once the incident (a/k/a, the ubiquitous laptop or computer tape theft from an employee’s car) has been deemed a breach, the chasm between incident and harm seems to open wide enough to encompass a mind-boggling number of privacy and security violation claims and issues.

Vernick on Cyber Security in the Huffington Post

The FBI reports that cyberattacks could overtake terrorism as the major threat to the country. According to the Department of Homeland Security, between October 2011 and February 2012, there were 86 reported attacks on U.S. computer systems that control critical infrastructure, factories and databases, compared with 11 over the same period a year ago.

Now more than ever, the focus should be on securing and insulating our nation's computer and Internet infrastructure from both internal and external attacks. The first step in anticipating large-scale cyberattacks is to start thinking of them more like the proverbial disaster waiting to happen -- not a question of if, but when. Planning requires going beyond the limitations of current thinking and considering worst case scenarios.

To keep reading my full article visit “The Internet Privacy Debate Misses the Point,” published April 23 by the Huffington Post.

An Example of the Right Way to Handle a Data Breach: Motorola Xoom

You may have read that Motorola announced on February 3rd that it inadvertently sold around 100 refurbished Motorola Xoom tablets through Woot.com without putting the tablets through the typical process of doing a factory reset and wiping any personal data that may have been left by the original owner(s).  Specifically, there were approximately 6,200 tablets sold between October and December 2011, of which 100 tablets were affected.

The announcement was interesting in and of itself because it highlighted the notification obligation that arose even though Motorola (likely) had no actual knowledge that refurbished tablets went out that actually contained data.  Apparently, Motorola only knew that there was a breakdown in its internal processes and some 100 tablets were not wiped, possibly resulting in the resale of some tablets with data not erased by a customer prior to returning the tablet.

Purchasers of the 6,200 tablets through Woot.com were notified by email to go to a Motorola web site and type in the serial number (or some similar identifier), at which point you would be told if your tablet was affected.  If your tablet was affected, Motorola asked that you agree to part with your tablet for four to five business days so that it could be factory wiped.

As it turns out, I owned one of the 100 tablets affected.  I never win anything, except the Affected Xoom Tablet Lottery.  A day or so later a package with easy-to-follow instructions, very protective packaging and a prepaid envelope arrived at my work.  In went the tablet, out went the package.  On the fourth business day the tablet was returned in working order with a thank you and restore instructions.

And an American Express gift card for $100!!!

Did I have to return the tablet for a factory wipe?  No.  Was it a burden for me to return the tablet?  Hardly.  Was I impressed by Motorola giving me a gift card?  Damn right I was, and that is my point.  

As someone that deals with data breaches, and clients that have to make tough decisions regarding data breaches, on an almost daily basis, this situation struck me.  Motorola did the right thing, went above and beyond what was required, and solidified good will with me.  I was not even the party with the affected data.  I was just the guy that got the great deal on Woot.com for a refurbished tablet.

That Droid Bionic MAXX suddenly is even more appealing to me.  Motorola is suddenly more appealing to me (not that I had any particular problem with them before).

It is possible that Woot.com gave me the gift card, and for that reason my patronage to Woot.com also has been strengthened.  This is a great example of partners working together to deal with data breach situations.  Making the best of a difficult situation, and earning some good will along the way.

Kudos to Motorola and Woot.com for their handling of this situation. 

Data Breach Potentially Affects Up to 100,000 Students, 3,000 Employees

The San Francisco Chronicle reported yesterday that officials at the City College of San Francisco discovered a few days after Thanksgiving 2010 that certain computers of the college had been infested with active malware for more than a decade.  Up to 100,000 students and 3,000 employees could be affected, and that number may rise based on further, ongoing investigation.

The problem was detected when the college's data security monitoring service discovered very high traffic and alerted the college.  Initially thought to be limited to one computer lab (Cloud Hall at the Phelan Avenue campus), further investigation revealed that the problem was more widespread.  The San Francisco Chronicle's article reported:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Investigation continues to determine which other computer networks at the college may have been infected, such as accounting, admissions and/or payroll systems.  Apparently, 17 different computer systems are presently being analyzed.  The college's server with medical information appears to be unaffected, although it is unclear whether any other system may also contain medical information (such as the admissions system).

The good news, besides that the college notified those potentially affected in what most would agree was a prompt timeframe, is that there are no known cases of identity theft originating from this extremely lengthy data breach.
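The pattern the Chronicle describes, machines that each call out to the same foreign addresses at the same hour every night, is the kind of thing a connection log makes visible even when the malware itself evades antivirus, and it is what "very high traffic" alerts tend to miss if they only look at volume. The script below is an added example, not the college's or its monitoring vendor's code: it reads constructed connection-log lines (timestamp, source host, destination IP, destination country, bytes out; that layout is an assumption) and reports host/destination pairs that recur in the same hour of the day on several distinct days, ranked by bytes sent.

```python
"""Find hosts that phone home at the same hour on many nights.
Added example; the log format and sample lines are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed connection log: timestamp, source host, destination IP,
# destination country, bytes sent. lab-pc-07 calls two foreign hosts at
# 22:00 each night; admin-ws-2 is ordinary daytime traffic.
SAMPLE_LOG = """\
2011-12-01T22:03:11 lab-pc-07 198.51.100.23 RU 48213
2011-12-01T22:04:02 lab-pc-07 203.0.113.9 CN 10211
2011-12-01T14:10:00 lab-pc-07 192.0.2.5 US 812
2011-12-02T22:02:58 lab-pc-07 198.51.100.23 RU 50111
2011-12-02T22:03:40 lab-pc-07 203.0.113.9 CN 9980
2011-12-03T22:05:12 lab-pc-07 198.51.100.23 RU 47700
2011-12-01T09:15:00 admin-ws-2 192.0.2.5 US 3000
2011-12-02T13:20:00 admin-ws-2 192.0.2.8 US 2200
2011-12-03T11:05:00 admin-ws-2 192.0.2.5 US 2900
"""


def parse_log(text):
    """Return (timestamp, host, dst, country, bytes) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, country, size = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, country, int(size)))
    return records


def find_nightly_beacons(records, min_days=3):
    """Report (host, destination) pairs that connect in the same hour of the
    day on at least min_days distinct days. A one-off large upload does not
    qualify; a scheduled call-home does, however small each transfer is."""
    days = defaultdict(set)      # (host, dst, hour) -> set of dates seen
    total = defaultdict(int)     # (host, dst, hour) -> bytes sent
    country = {}
    for ts, host, dst, cc, size in records:
        key = (host, dst, ts.hour)
        days[key].add(ts.date())
        total[key] += size
        country[key] = cc
    hits = []
    for key, seen in days.items():
        if len(seen) >= min_days:
            host, dst, hour = key
            hits.append({"host": host, "dst": dst, "country": country[key],
                         "hour": hour, "days": len(seen), "bytes": total[key]})
    return sorted(hits, key=lambda h: -h["bytes"])


if __name__ == "__main__":
    for h in find_nightly_beacons(parse_log(SAMPLE_LOG)):
        print("%(host)s -> %(dst)s (%(country)s) at %(hour)02d:00 "
              "on %(days)d days, %(bytes)d bytes" % h)
```

With the default threshold of three days only the Russian destination is reported; lowering `min_days` to 2 also surfaces the second callback. In practice the same grouping is run over a netflow export rather than a text file, and the country field comes from a GeoIP lookup of the destination.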

Personal Information Data Breaches - Not if, but When?

By Elizabeth Litten

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) can be accessed (the subject of a five-part series of postings on Fox Rothschild’s HIPAA, HITECH and HIT Blog: Parts 1, 2, 3, 4 and 5), can we trust that any electronically transmitted or stored information is really safe?

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases. 

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.  

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology. 

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage. 

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

2011 Data Breach Summary

Smart Money just ran a story about the top five data breaches of 2011.  While I do not necessarily agree that these are the top five (students, students, NYC hospital patients, not to mention the Stratfor breach), the takeaway is interesting: none of them have the same source for the breach:

1.  Epsilon.  What more needs to be said to keep contract attorneys up at night than "Epsilon"?  This data breach involved a third party losing data about its customers' customers.  Stated another way, the owner of the information did nothing wrong...other than hiring a contractor that mishandled information.  Does indemnification mean more to you now?  The takeaway from this breach: come clean, come clean, come clean.

2.  Sony.  Massive breach of the online gaming network.  Lots of data lost, lots of downtime for pasty, sun-averse gamers.  Hackers targeting the network to blame.  The takeaway from this breach: do not handle it the way Sony handled it.

3.  Tricare.  Science Applications International Corp. (SAIC) had data backup tapes stolen from a car.  SAIC is a defense contractor for the military.  Approximately 4.9 million beneficiaries affected.  Lax security to blame.  The takeaway from this breach: don't leave the data tapes in the car (come on, people!).

4.  Sutter.  A simple stolen desktop computer containing information about possibly 3.3 million patients goes missing.  The takeaway from this breach: encrypt!  Chances are the thieves had zero intention of stealing the actual information, but you can be sure it was still a breach notification scenario.

5.  Texas Comptroller.  This is number three in my book.  Personal information of 3.5 million people left publicly available for over one year.  Information about persons required to hand over that information, not information voluntarily handed over.  Total disaster.  Anyone could have found this information, given its availability.  The takeaway from this breach: hire IT staff that is security conscious and, more importantly, give those people the budget to do their jobs.

BONUS: not a data breach, but a significant ruling this year.  Corporations have no right to privacy.  This Supreme Court ruling impacts corporate decisions on so many levels...or it should.

Happy New Year to our readers.

Citibank Data Breach: Even the Banks Can't Get It Right

The breaches about which we normally hear have to do with retailers and service providers.  Those businesses are the ones that do not appreciate the importance of protecting data, feel they could use the money necessary to create good security in better ways and are the easy targets for hackers.  Thankfully, what we generally do not hear about are data breaches at large financial institutions.  

Citigroup announced yesterday that its servers were hacked into in early May and the names, addresses, account numbers and other account information of 200,000 credit card customers were stolen.  Citigroup further reported that Social Security numbers, CVV security codes and dates of birth were NOT stolen.  This data breach affects approximately 1% of all of Citigroup's customers.

There is no information about how the hackers were able to access Citigroup's servers.  It is unclear whether information on this security breakdown will ever be released, but the occurrence is a stark contrast to the normal data loss involving systems that are not as well-protected as financial company systems.  Generally speaking, retailers are easy targets, financial institutions are not.

The current delay in notifying affected individuals may be the result of Citigroup's cooperation with law enforcement, considering that Citigroup is otherwise required to notify those affected individuals almost immediately.  Some are speculating that the delay may (finally) result in federal legislation detailing data breach response guidelines.  You know, because the massive prior data breaches were not enough to make federal legislation a priority.

In any event, if you are a Citigroup customer you should keep your eyes out for an email notifying you of the breach.  That being said, it would not be surprising to see a phishing effort undertaken to have unsuspecting Citigroup customers that may or may not actually be affected by the breach click on links in email in order to steal usernames and passwords.  In other words, if you do receive a notice from Citigroup about the breach, make sure that the email really is from Citigroup by confirming the links take you to a genuine Citigroup web site or navigating to the Citigroup web site manually and looking for information on the data breach.
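One mechanical version of that advice, as an added example that is not Citigroup's code or any mail client's: parse the HTML body of a notification email, pull out every link, and flag a link whose real destination host is not one of the bank's domains (the trusted set below is an assumption), whose visible text names a different host than the href actually points to, or which is plain http. The sample message is constructed and includes the two tricks a phisher leans on most: a lookalike domain with the bank's name as a prefix, and a `user@host` URL whose "user" part looks like the bank's host.

```python
"""Flag suspicious links in a breach-notification email.
Added example; TRUSTED_DOMAINS and SAMPLE_EMAIL are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the bank really sends customers to.
TRUSTED_DOMAINS = {"citi.com", "citibank.com"}

# Constructed sample: one genuine link, one lookalike domain, one userinfo trick.
SAMPLE_EMAIL = """
<p>Dear customer, please review your account.</p>
<a href="https://www.citi.com/security">www.citi.com/security</a>
<a href="http://citi.com.account-verify.example/login">www.citi.com/login</a>
<a href="https://www.citi.com@198.51.100.7/">Log in now</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname the browser would actually connect to; any user@ prefix is dropped."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Exact match or a subdomain of a trusted domain; 'citi.com.evil.example' fails."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per link with a (possibly empty) list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not is_trusted(host, trusted):
            reasons.append("untrusted host")
        if urlparse(href).scheme == "http":
            reasons.append("plain http")
        # If the visible text looks like a URL, its host must match the real target.
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and shown != host:
                reasons.append("display text points elsewhere")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        print("OK     " if not f["reasons"] else "SUSPECT", f["href"], f["reasons"])
```

The host comparison is done on the parsed hostname rather than on the raw string precisely so that `https://www.citi.com@198.51.100.7/` is judged by where it goes (the IP address), not by what it looks like.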

Sony Hit By Data Breach Affecting 77 Million Gamers

Sony announced yesterday that its PlayStation Network and Qriocity services were compromised by an "unauthorized" person.  What was the haul?  According to Sony, the "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID" and the "profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers" of 77 million individuals.

That's right, 77 million people.  This is one of the largest Internet data losses in history.  We can assume that the data was not encrypted, otherwise we would hear little or nothing about the data loss (most states exempt encrypted data from disclosure requirements), or else Sony would be screaming "Don't fret too much, the data was encrypted and we did not lose the decryption key."  Sony is not making either claim at this time.

Well, data breaches happen, you may be thinking.  We have seen companies with best practices still suffer at the hands of hackers or rogue employees.  Sony is taking the most heat not from the data loss, but from the timing of the disclosure to those affected.  The disclosure of the data breach to customers directly was on April 26th.  The data breach apparently occurred between April 17 and April 19.  It has been reported that Sony discovered the breach on April 20th.  There was a gap of six days between discovery and disclosure.  Six days may be an eternity when you are a gamer and your network is down (there are likely millions of teenagers with fresh sunburns), but how long is six days in the data breach world?

Six days between discovery and disclosure may be acceptable, especially to the extent that Sony was working with law enforcement and was requested/told not to make a public announcement.  To clarify the preceding sentence, six days may not be too long when working with law enforcement as long as Sony was truly working with law enforcement and the delay had a genuine purpose.  However, Sony did not explain that law enforcement cooperation was the reason for the delay.  It is not likely that Sony ran afoul of any state statute timing requirements, which have quite a bit of leeway built in. 

If you or your children are on one of these services, you need to pay particular attention to this story as it develops.  You (the keyword being "you") need to monitor your bank accounts and credit cards - frankly, any account into which a third party can back into knowing your security question or your password on this service (remember, if you use the same password for your email account AND this service, somebody may have both of those right now).  For now, Sony has not offered any type of monitoring service, so your financial/credit monitoring is currently your responsibility.
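The page does not say how the stolen passwords were stored, and the password-reuse warning above is what makes that question matter: a stolen table of plaintext or fast-hashed passwords is immediately reusable against email and bank accounts, while a table of salted, slow hashes only lets the thief test guesses at the cost of the hash. The code below is an added example of the standard mitigation (PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison), not anything from Sony; the iteration count is an assumption to be tuned per deployment, and the sample user table is constructed.

```python
"""Store passwords so a stolen user table does not hand out the passwords.
Added example of PBKDF2 with a per-user salt; not Sony's code."""
import base64
import hashlib
import hmac
import os

# Assumption: work factor. Raise it until one verification costs roughly
# 100 ms on the login servers, and re-hash users on their next login when
# it changes (see needs_rehash).
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>."""
    if salt is None:
        salt = os.urandom(16)   # unique per user, so equal passwords give different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """True if password matches record; the digest compare is constant-time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record used a weaker work factor than the current one."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed user table, i.e. what a thief sees after a database theft.
    users = {"alice": hash_password("correct horse battery staple"),
             "bob": hash_password("correct horse battery staple")}
    print(users["alice"] != users["bob"])                              # same password, different records
    print(verify_password("correct horse battery staple", users["alice"]))
    print(verify_password("hunter2", users["alice"]))
```

None of this helps a user who reused the same password elsewhere once the thief guesses it, which is why the advice above to treat other accounts as exposed still stands; hashing only buys time and forces the attacker to work per guess rather than read the table.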

Hopefully Sony will continue to come out with more information, or we will learn that the data is in "safe" hands (think Matthew Broderick in War Games - almost nothing went wrong in that movie).  In any event, your children that go to business school will enjoy reading the future case study on this one.

Doing the Math: Average Data Breach Cost Now Up to $214 Per Record

The cost per customer record compromised in a data breach rose to $214 in 2010, up $10 from the 2009 average of $204 and $12 from the 2008 average of $202. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its sixth Annual Study: U.S. Cost of Data Breach (Available Here - PDF link), declaring that the average cost per compromised customer record rose to $214.  The report is sponsored by Symantec Corporation.  Excellent materials such as an infographic, summaries, blog entries, a podcast and slide presentation can be found on Symantec's web site here.

Before getting into the numbers, you should note that Symantec is offering a Data Breach Risk Calculator.  The foregoing calculator is NOT for the faint of heart, so consider yourself warned.  That being said, the calculator is a powerful tool that considers several factors when estimating data breach costs to businesses.

The report is based on 51 reported data breaches in the United States (other country reports are also published) in 2010, ranging from 4,200 to approximately 105,000 records in 15 different industries. Of the breaches studied, organizations paid a low of $780,000 ($750,000 in 2009), and a high of $35.3 Million ($31 Million in 2009) in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 Million in 2008, and $6.75 Million in 2009, to $7.2 Million in 2010 (Summary).


The cost breakdown for breach response among lost business, ex-post response, notification and detection & escalation is eye-opening and, if nothing else, should be motivational to businesses to address problems before they arise.

Response Cost Chart

Source: Ponemon Institute/Symantec Corporation

According to the report and infographic that was published, the source of the data breach was related to negligence in 41% of the cases.  31% of the data breaches were the result of intentional and malicious attacks, up seven percent from 2009.  Breaches due to third party mistakes dropped three percent to 39%.  Encryption as a post-breach remedy remained the most popular, up three percent to 61%.

As in prior years, those organizations that move quickly tend to experience a higher cost per record for the breach response. Organizations that move quickly tend to do so in a disorganized manner with little efficiency (e.g., they do not have a breach response plan in place), and spend on average $268 per record, up significantly from the 2009 average of $219 per record. Those organizations that took longer to respond paid $174 per record on average.

The news regarding data breach costs and impacts continues to worsen and shows no sign of improving or slowing.

Data Breach Report Card 2010: Data Breaches Up 194%, Compromised Records Down 95%

A recent analysis of the past year’s data breaches by Imperva concludes that the number of reported breaches nearly doubled in 2010, from 250 to 484 (the 194% figure in Imperva's headline is the 2010 count expressed as a percentage of 2009, i.e. a 94% increase). Conversely, the number of records compromised fell about 95% -- from 230 million records in 2009 to 13 million records in 2010. These results are based upon information provided by the Privacy Rights Clearinghouse (PRC), a nonprofit that tracks publicly disclosed U.S. data breaches http://bit.ly/dDYgxI.


                         2009          2010         % Change
Data Breaches Reported   250           484          + 94% (484 is 194% of 250)
Records Compromised      230 million   13 million   - 95%


While these results may seem like good news at first glance, the real message for businesses is that they have to be more vigilant than ever when it comes to security and privacy issues. In large measure, the number of compromised records is down because hackers have fine-tuned the art of the steal.


Think of it this way. An amateur thief might come into your house and ransack it, stuffing everything within reach into a shopping bag.  A professional knows where to find the safe containing the jewelry, bonds and other real valuables and would only go after them.


Data is today’s richest currency.  As it grows in value so does the technical sophistication and savvy of today’s cyber thieves. In an economy based upon intellectual capital and information technology, it’s essential to know how to protect information and respond to increasingly sophisticated and targeted data breaches, as well as the legal and the regulatory recourse available when this type of violation occurs.


Some final notes related to the above numbers … They only represent “publicly disclosed” breaches. It’s likely that unreported breaches would push these figures much higher. In addition, according to the Financial Times, for the first time ever worldwide data theft in 2010 surpassed physical losses for global companies http://bit.ly/dGVOna.

Update on Massive ECMC Data Breach

Do you recall that little data breach that Educational Credit Management Corporation (ECMC) had a couple of weeks ago?   That "theft" of data that included names, addresses, dates of birth and social security numbers of some 3.3 million individual student loan borrowers was big news in data breach circles.  We reported about it here.

Well, hope springs eternal as I was pinged today by ECMC's PR firm letting me know that the storage medium was recovered and "law enforcement officials" do not believe that the personal information was compromised.  (Savvy move, Weber Shandwick.)

I hope, for the sake of the borrowers if nothing else, that none of the information was accessed.  I also hope that experts can determine that nobody accessed information (which probably can be done if we are talking about a thumb drive or hard drive, probably much less likely if we are talking about a DVD, fingerprints notwithstanding).

Maybe some encryption firm is making a lot of money from ECMC as we speak and that Congress is noticing this apparent dodged bullet and will use it to advance a toothy, federal breach notification law. 


California Data Breach Notification Revision Gets New Life

You may recall that Governor Schwarzenegger "terminated" the proposed update to California's landmark privacy protection law (AB 700), known as SB 20, which California’s State Legislature previously approved and we reported about here. SB 20 was proposed by State Senator Joe Simitian (D-Palo Alto), the original author of California's breach notification law, after which many states model their breach notification laws.

Well, the Governator's office encouraged Sen. Simitian to reintroduce the amendment, which is now Senate Bill 1166.  This Bill was approved by the California Senate last Thursday and now moves to the California State Assembly for approval and, if approved, signature by the Governor.

The existing legislation requires that any company or business that loses unencrypted personal information send a security breach notification letter to those affected. States adopting breach notification laws similar to California's now number 46, plus the District of Columbia, Puerto Rico and the US Virgin Islands. 

At its heart, SB 1166 accomplishes two major goals. First, SB 1166 would require that the notification letters sent to victims "contain specific information designed to help victims safeguard their privacy. This includes the type of personal information exposed, a description of the incident, and when it took place." At least 13 states already have laws specifying the contents of breach notification letters to affected individuals. These provisions are often encouraged because consumers receiving notices are often confused about what data is affected, and because, as the number of generic notices received by consumers increases, there is fear that apathy will set in and a consumer will miss notice of a particularly troubling breach.

Second, SB 1166 would also require that parties that have a (single event) data breach affecting more than 500 California residents provide a copy of the notification letter to the state Attorney General's office. This second provision is where there is now a potential for a clearinghouse. In most conceivable cases of a data breach of any significant size, it is likely that 500 California residents will be affected. Under applicable sunshine laws, this information would be more widely available to watchdog groups, not to mention concerned citizens. It is also conceivable that the Attorney General's office would post information regarding these reported data breaches on its web site in an easily accessible manner.

We will have to wait and see if Skynet orders the Governor to sign this law when and if it reaches his desk.

Data Breach Affecting 3.3 Million Borrowers with Student Loans

ECMC reported last Friday, March 26th, that a data theft occurred over the weekend of March 20-21 from ECMC's headquarters. During this breach, which has been termed a "theft," data was stolen that included names, addresses, dates of birth and social security numbers of some 3.3 million individual student loan borrowers. ECMC did note in its press release that no "bank account or other financial information" was stolen, which may not come as a huge relief to those affected considering the types of data that were stolen.

What is not clear is whether the information was encrypted, although it is not difficult to conclude that the information almost certainly was not encrypted, in light of the public announcement and the credit monitoring offer. The media on which the records were contained, although not specifically identified, was referred to as "portable media."

ECMC's president and CEO, Richard Boyle, said in the statement "[w]e deeply regret that this incident occurred and the stress it has caused our borrowers and our partners and are doing everything we can to help protect our borrowers' identity and personal information."

ECMC is a guarantor of federal student loans.  It is offering, gratis, the now-customary credit monitoring service from one of the major credit reporting bureaus (Experian, in this case).

ECMC reports that it delayed its public announcement at the direction of the law enforcement divisions.

This data breach of ECMC's records further highlights the vast gap between state-level data encryption requirements that are emerging and the lack of the same at the federal level.

Data Breach Costs Increase to $204 per Compromised Record

The cost per customer record compromised in a data breach increased $2 over the 2008 average, to $204. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its fifth annual report (available here) reporting that figure. The report is sponsored by PGP Corporation.

The report is based on 45 reported data breaches in the real world, with samples ranging from 5,000 to approximately 10,000 records. Of the breaches studied, organizations paid a low of $750,000 and a high of $31 million in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 million to $6.75 million between the 2008 and 2009 (Summary) studies.


2009 Most Notorious Data Breaches

With 2009 (thankfully) behind us, we should take a minute to look back before moving on. As most people recognize and accept, history tends to repeat itself, and 2009 is a great year to learn from others' mistakes and missteps.

Computerworld recently created a "2009 data breach hall of shame" that is an excellent read if you would like an overview of the most notorious data breaches of 2009. None of us should lose sight of the thousands (if not tens of thousands) of smaller and unreported data breaches that occur every year.

I will not restate the work done by Computerworld, but I do believe that the RockYou breach is the most egregious. Assuming all of the facts as reported in various media outlets are true, the idiotic (ignorant is just not the right word) storage of passwords in plain text (rather than in an encrypted form) highlights just how far companies have yet to go to understand even the most basic principles of data protection.

Let's all hope for a safer, more compliant year in 2010 if, for no other reason, so that our own personal information is not released into the wild. Happy new year.

Data Breach Sharing Website Started

The risk management technology company Intersections Inc. and the Identity Theft Assistance Center launched www.Breachcenter.com today. Breachcenter.com is a website where companies that have suffered data breaches can share their experiences. Instead of focusing on the "technical aspects of breach recovery" or "breach prevention," Breachcenter.com focuses on the "human side" of responding to a data breach. Breachcenter.com serves as a "community-fueled knowledge base" that includes practical information about how to respond to a data breach, including legal obligations to notify consumers who may be affected by the breach.