Top 10 Tips for Business Data Breach Prevention & Response

Related entries in Business Security, Data Breach, Theft Prevention

Rachelle of Kroll Fraud Solutions was kind enough to send me a list on data breach prevention and response for business. The tips are all very logical and easy to follow - though a look at the business environment will show you just how disorganized companies are when it comes to data security.

Data security practices don’t need to be hard or confusing - simple and organized plans go a long way in preventing, and preparing for, data breach incidents.

Kroll’s Top 10 Tips for Business Data Breach Prevention & Response are:

  1. Look beyond IT security when assessing risk - for example: off-site data storage, policies and employee exit strategies
  2. Establish a response plan and disseminate it to all management - ensures decisive action when needed
  3. Educate employees
  4. Minimize your data - don’t collect or keep what you don’t need and restrict access to what you keep
  5. Assess any data gained through a merger
  6. Be careful with Wi-Fi
  7. Retain a breach expert for a neutral look at risk
  8. Don’t rely on encryption as your only means of defense
  9. Keep security patches up to date
  10. Hold all vendors, partners and contractors to the same standards

For more on these tips, visit here.


Secure Disposal of IT Assets

Related entries in Business Security, Technology Advice

What happens when you upgrade your computers, replace broken computers, or decide to get rid of outdated data devices such as disk drives or PDAs? How do you dispose of them? Do your practices ensure that the data on them is destroyed?

NetworkWorld has published a piece on how to properly handle end-of-life IT assets. Their article indicates that many companies do not know what to do with their outdated equipment and, as a result, often place those items into storage. However, this does pose a security risk if data has not been wiped and can be quite costly given the continued cost of software licenses and the lost resale value of that equipment.

In an age where environmentally friendly disposal is encouraged, companies have a choice between recycling and refurbishment for resale. The latter is now being encouraged in order to get still-viable equipment into the hands of those who need it.

An asset recovery provider can help you handle the disposal process, including data destruction, refurbishment and resale. The article provides a set of questions that you could ask potential IT asset recovery companies, to know if they are qualified to manage your assets. Such companies should, for example, be able to deal with equipment of varying ages. You should ensure they can wipe your data, and can confirm it with forensic analysis; any data that cannot be erased should be destroyed. The company should be able to refurbish your computers for maximum return and should provide you with the reporting you need for a proper IT asset audit trail.


CSO Online Top 10 Data Breaches of 2007

Related entries in Business Security, Surveys & Reports

CSO Online has published their Top 10 Data Breaches of 2007 - a list which looks not just at the scale of the data breach, but also at the ‘class action outrage scale’ and ‘Do’h! factor’ - essentially, how mad people were and how outrageously egregious or ‘goofy’ the breach was.

“Some breaches on our list are serious. Some are funny. And some are just plain sad. But all of them were probably preventable. Alas.”

CSO Online’s Top 10 Data Breaches of 2007:

  1. TJX - 100 million affected. A number which kept rising. Visa let it happen. Customers were not fond of the gift card remuneration.
  2. Her Majesty’s Revenue and Customs - 25 million affected when discs lost in mail. Bad PR response continues.
  3. TSA, Part II - 100,000 affected including information of Federal air marshals
  4. The Nature Conservancy - 14,000 affected by malware
  5. Swedish Urology Group - ‘hundreds’ affected when very personal information lost
  6. Shaw’s Supermarket - 472 affected when a computer was stolen; the company used Social Security Numbers as employee passwords.
  7. TSA - 3930 hazardous waste truckers affected. Not an identity you want anyone else to use.
  8. Indianapolis Power and Light - 3000 affected by information posted online for 4 years
  9. Commerce Bank of Wichita, Kansas - 20 affected, yet reported in detail to the media
  10. Monster.com - 1.3 million affected by phishing scheme, notification late and abstruse.

Head over to the article for the specifics of these breaches and their commentary.


Breach Notification Laws have Positive Effect on Security Policies

Related entries in Data Breach, Privacy & Security Laws, Security Policy, Surveys & Reports

The University of California, Berkeley Samuelson Law, Technology, & Public Policy Clinic has published a study on data breach notification laws. This study found that public release of data breach information has had a positive effect on company security policies.

The study interviewed security officers about organizational structure and security decisions, factors affecting investment decisions, and responses not just to the breach notification laws but to the market effects of breaches. Essentially, the latter question looked at the corporate response to publicly reported breaches at other companies. The survey also reviewed a wide body of literature on changes in the IT security world to supplement this qualitative data.

The study found that the laws drive information exchange between organizations, and within organizations, and have empowered security officers to increase security measures.

Regardless of the risk of identity theft and alleged consumer apathy towards notices, the simple fact of having to publicly notify causes organizations to implement stronger security standards that protect personal information.

The disclosure of security breaches has encouraged the sharing of information among security professionals. I would suggest that the same pattern of communication among security professionals has been mirrored in the media; that data breach notifications have encouraged a discourse about security issues in the news and on blogs such as this one.

One CSO interviewed summarizes data breaches with ‘lessons learned’ and circulates this information to staff. Others use the information to patch systems that have been proven vulnerable in a disclosed data breach.

Aside from the organization’s own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness.

Unfortunately, 2007 has proven to be a bad year for data breaches, with the numbers climbing significantly. Despite the positive indications of this survey, previous surveys and continuous breaches show that not enough companies have taken such a proactive approach to data security. Time will tell if these lessons are internalized by more companies in 2008, or if the breach toll will continue to rise.

One of the areas of improvement identified by the study was to clarify the technology provisions available to companies beyond encryption. Encryption is the most cited technology in breach news, but it is merely the base level of security protection. Companies such as Absolute Software exist to offer levels of protection above and beyond that.

Read the full study here [PDF]

Via schneier

NHS Trusts Suffer 10 Data Breaches

Related entries in Data Breach, Health Security, Real Theft Reports

Who Breached: 9 National Health Service (NHS) Trusts (UK)
Number Affected: Hundreds of thousands
Information breached: various
How: 10 separate incidents

Since the HM Revenue & Customs (HMRC) breach affecting 25 million in the UK and a more recent breach affecting 3 million (contractor lost information for learner drivers), a number of health service trusts have reported breaches of their own. The health records for hundreds of thousands of adults and children have been lost by 9 National Health Service trusts in the UK in 10 separate incidents.

Specific data breaches include:

  • City and Hackney trust misplaced a CD - 160,000 children (names, addresses)
  • Maidstone and Tunbridge Wells Health Trust misplaced records - 244 cancer patients
  • Other breaches involved the Bolton Royal Hospital, Sutton and Merton, Sefton, Mid-Essex, East and North Hertfordshire, Norfolk and Norwich, and Gloucester Partnership Foundation Trust.

The Department of Health (DoH) said, in a statement, that affected people have been notified. Public Health Minister Dawn Primarolo said that this is a serious issue they are working with trusts to resolve:

“It’s not good but we are taking steps as quickly as we can”

Various groups have used these incidents as examples of the dangers of centralized NHS data, which we have mentioned before on this site.

“This is further evidence of the government’s failure to protect the personal information which we provide,” said Conservative health spokesman Andrew Lansley.

What do you think? Do the benefits of centralized medical data outweigh the risks? Or is it simply asking for trouble to have such singular access to the data of millions?

Via Reuters

HIPAA found to hinder medical research

Related entries in Health Security, Privacy & Security Laws

According to a study funded in part by the Institute of Medicine and published in the Nov. 14 issue of the Journal of the American Medical Association, HIPAA legislation was found to hinder medical research. The Health Insurance Portability and Accountability Act (HIPAA), which came into effect four years ago, may be having an unintended negative effect on biomedical research.

This is the first study to look at the effects of HIPAA on medical research. The study involved 1527 medical researchers in an online survey. The study found that 70% of researchers found HIPAA has made research more difficult and expensive. HIPAA often requires that researchers obtain written consent to examine a patient’s medical records - which slows down the research process, particularly for epidemiologists who look at large pools of data.

25% of the researchers thought that the law enhanced the confidentiality of the research patients, although this is a subjective opinion in this context.

Researchers say that the disclosure requirements are cumbersome and often confusing, that there are institutional differences in how to interpret the rules, and that in strictly-enforced circumstances it can make recruiting patients to studies ‘nearly impossible.’

One scientist wrote that the rule means “I and my staff spend more time doing compliance-related things and less and less time doing actual research.”

Although one can clearly see the importance of privacy for medical information, the administration of such legislation has been left to scientists, and the result is an encumbered medical research system. It will be interesting to see what future studies uncover and what, if any, changes are made to HIPAA or to the systems and procedures medical researchers use to deal with it.


West Penn Allegheny Health System Data Breach

Related entries in Data Breach, Health Security, Laptop Security, Real Theft Reports, Security Breach

Who Breached: West Penn Allegheny Health System
Number Affected: 42,000
Information breached: personal and clinical information (unspecified)
How: laptop stolen

December has been a bad month for data breaches associated with laptop thefts. Yesterday, West Penn Allegheny Health System announced that 42,000 home care and hospice patients are at risk for identity theft after a laptop was stolen from the house of a home care nurse on November 24.

The patients of Western Pennsylvania Hospital and Allegheny General Hospital have had their personal and clinical information breached. It is not known if the nurse was reprimanded for taking the laptop home or if the fault lies with a poor security policy.

Spokesman Tom Chakurda considers the risk of identity theft low because of the presumed “thief’s ignorance to its availability” or his “inability to access it”.

Those affected have been offered credit monitoring and can contact (866) 559-6309 for more information.

Via times leader, bizjournals

Sutter Lakeside Hospital Data Breach

Related entries in Data Breach, Health Security, Laptop Security, Real Theft Reports, Security Breach

Who Breached: Sutter Lakeside Hospital (California)
Number Affected: 45,000
Information breached: Social Security Numbers, billing & diagnosis information (for some)
How: laptop stolen from contractor

Sutter Lakeside Hospital of Lakeport, California has announced to 45,000 former patients, employees and physicians that their personal information was on a stolen laptop.

The laptop contained personal and medical information dating from 2005. A contractor took the laptop home, where it was stolen. The contractor went against hospital policy by downloading the information to the laptop’s hard drive.

The information was to be transferred securely from one system to another during an equipment upgrade. The employee had access to work on the information through a virtual private network, but was not authorized to download it.

Learning of the breach, the hospital fired the contractor responsible. Those affected were contacted on Monday.

Sutter Lakeside CEO Kelly Mather reiterated their commitment to protecting this data:

“We work in an environment where protecting individuals’ information is absolutely as important as providing quality service and care. Storing this type of information on a laptop hard drive is at variance with our organization’s strict policies,” Mather said.

Sutter Lakeside Hospital has increased training for managers, instigated an audit of all portable computer devices, ordered encryption software for all computers, and is re-evaluating its security policies. Contractors and employees are already trained on HIPAA (the Health Insurance Portability and Accountability Act) and on the appropriate handling of Protected Health Information. Unfortunately, in this case, the training was not enough.

Despite these positive steps, the hospital is under the mistaken impression that encryption provides 100% protection. Further steps should be taken to safeguard data and to track their IT assets and the patterns of data being accessed. These steps would provide additional protection as well as ways to quickly identify and react to any thefts.

Via attrition.org, Record-Bee

New Survey: 85% of Companies Reported a Data Breach in 2007

Related entries in Data Breach, Surveys & Reports

The Ponemon Institute and Deloitte & Touche have released a new study looking at privacy & data protection in 2007. The survey, of 800 North American privacy and security professionals, found that data breaches were prevalent in 2007, with 85% of executives reporting at least one reportable security breach in the last 12 months. An astonishing 63% of executives reported between 6 and 20 reportable breaches.

The survey found that data breaches are a huge issue both in the percentage of companies affected and in the repeated breaches. Unfortunately, this has placed many companies into reactive mode instead of taking more firm precautions against these security breaches.

Other key findings from the survey:

  • 7% of security professionals’ time is dedicated to employee training
  • 10% of their time is spent establishing an incident response team, reporting and doing root-cause analysis (proactive security activities)
  • 50% of their time is spent in reacting to incidents and fixing those vulnerabilities
  • 20% of incident response time is spent notifying those affected by the breach - versus the 5% they feel should be devoted to this (versus training, analysis, reporting to management)
  • Security programs are developed in the following areas: 
    • Governance - 63.5%
    • Policy Development - 70.6%
    • Operational processes, risk assessment, training - 45-55%
    • Measurable controls - 30%
  • Less than 30% indicate that training programs are conducted annually - most indicate a single training effort or ad hoc efforts

Rena Mears of Deloitte shares her shock at the state of IT security:

“This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle.”

Larry Ponemon echoes these concerns:

“The astonishingly high rate of data breaches is undermining public trust in both commercial and governmental organizations and points to an urgent need for privacy and security to be elevated as a coordinated, strategic imperative within all organizations”

All of the data we’ve seen this year indicates that data breaches are a major problem and that there is a disconnect in how companies prepare for and prevent such incidents.

You can download the full survey here. [PDF]

Via dark reading

The Dangers of Medical Identity Theft

Related entries in Health Security, Identity Theft, Surveys & Reports

The Federal Trade Commission (FTC) and the World Privacy Forum (WPF) have each published reports on medical identity theft. The FTC looked specifically at medical identity theft for the first time in their annual ID theft survey. These statistics are the first of their kind in the medical security field, and affirm the conclusions of the WPF report published earlier in the year.

According to the FTC Report, 3% of all identity theft victims in 2005, approximately 250,000 people, were victims of medical identity theft. These victims had their information used to receive medical care, benefits, or to get medical insurance. The WPF cites the danger of this type of identity theft:

“The report finds that one of the significant harms a victim may experience is a false entry made to his or her medical history due to the activities of an imposter. Erroneous information in health files can lead and has led to a number of negative consequences for victims.”

Currently, it is difficult to recover from medical identity theft. Unlike credit reports, patients do not have the same rights to correct errors in their medical histories, nor do they have a right to receive a free copy of their medical file (as one would a credit report).

Medical identity theft can lead to credit issues if the false identification is used for expensive hospital visits. These false entries on medical files can exhaust an individual’s medical coverage and, in some cases, make them uninsurable (e.g. having a disease on record that is not yours) or unemployable (psychiatric history).

Medical identity theft may never be discovered unless an outstanding bill, or incorrect medical treatment, surfaces. Because medical identity theft is difficult to detect, and sometimes never detected, it may be much more prevalent than the statistics reveal.

For more on medical identity theft, you can download the WPF Report here. [PDF]

Via World Privacy Forum