The Law of the Land – States Without Data Breach Laws Face Serious Problems

12 05 2010

There are currently four states in the US that lack any data breach legislation: Alabama, Kentucky, New Mexico and South Dakota.  It is great to see that so many states are pursuing legislation, or already have it in place, to make data breaches less dangerous for those involved.  However, with four states still lagging behind, many companies remain free of any notification obligation purely because of where they are located.  For instance, a company that would otherwise have to report the loss or breach of sensitive data may be under no such obligation simply because its corporate headquarters is in one of these states.

Kentucky recently suffered a data breach at the Our Lady Peace hospital that compromised thousands of patients’ personal information.  The hospital did notify the patients, a positive step in a state where notification is not mandatory.  It is clear that breaches can occur anywhere, so every state needs to have some law in place.

I’m certainly not calling out states to force companies to reveal data breaches, but when someone’s data is in the wrong hands, it’s important for them to know so that they can take the necessary action to prevent any problems.  This has nothing to do with company integrity.  This is about people who may suffer a fate of financial downfall or complete identity theft with the loss of their data.

The remaining states without data breach laws will likely follow soon, as their ranks continue to shrink.  With Mississippi enacting data breach legislation this year, it is becoming apparent that data security is a necessity in this increasingly data-filled world.

As we continue to discuss Data Breach Laws in our “Law of the Land” blog series, look for your own state to learn more about what laws are in place.





The Law of the Land – Data Breach Laws in the US

30 04 2010

As data security continues to become more of a priority for countries worldwide, the US is developing more and more legislation every day.  Most of these laws are enacted state by state, with only a few federal laws in place.  We will be covering the state laws in more depth to provide a better understanding for everyone.  To begin, let’s take a look at some recently passed laws in Mississippi and California.

California

A bill has just passed in the California Senate that will expand the data breach notification laws in the state.  Having already passed SB-1386 in 2003, the state is now looking to expand that law.  SB-1386 requires any person, business or government agency that compromises data that is not their own to notify those affected by the data breach.  Under this law, the breached person or organization does not have to reveal how much information was affected, what was affected, or various other specifics.

SB-1186 is the proposed law that would make this information a required part of the notification sent to those affected.  It would also require that breaches of 500 or more records be reported to the state attorney general’s office.  The bill has just passed the California Senate and is awaiting deliberation in the House.  It has already been presented once before and was vetoed by Governor Schwarzenegger.

Mississippi

Mississippi became the 46th state to pass data breach legislation earlier this year.  By passing House Bill 583, the state requires “any person who conducts business in this state” to notify the “owner or licensee” of the data that they manage of the breach.  This does not require any specific information to be included in the notification, but it is also the first piece of data breach legislation that the state has deliberated over.  The state allows a delay of notification if authorities believe that it will hinder a criminal investigation.

These are the two most recent states deliberating and passing data breach notification laws.  After California’s landmark SB-1386, 46 states have followed suit.  This leaves Alabama, Kentucky, New Mexico and South Dakota as the last four states without legislation.  We will be discussing the laws state by state as time goes on.  Keep an eye out for your state in the future!





Thoughts about the “Study: Frequent password changes are useless” article on Yahoo News

17 04 2010

I recently read the article “Frequent password changes are useless”.

After giving this some thought, a couple of things struck me as being very important but easily overlooked. Both are related to this paragraph:

“Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher’s very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes’ averted losses, but few would estimate it’s anywhere approaching $16 billion a year.”

The article says “frequent password changes are simply a waste of time” and it does not define frequent. By frequent do they mean daily, weekly, monthly? I would not think that changing passwords once a quarter would qualify as frequent.

Note that the $16 billion is not for each company! It’s for the national aggregate. If your company only loses $1 million, that’s simply a small piece of the aggregate pie; but, for many companies, it could mean bankruptcy or, potentially, years of expensive personal data breach litigation. If memory serves correctly, defense against this type of litigation depends heavily on having taken every ‘reasonable’ precaution. If one of those reasonable precautions is deemed to be frequent changes of passwords, then never changing passwords or changing them only once per year could mean additional losses of millions in court battles. Oh, one must also remember the fines and penalties if data protection laws are violated, and the loss of credibility in the marketplace when it’s your company that gets compromised.

Something to think about.





Repeat Data Breaches Not Always a Result of Negligence – Spotlight: Wyndham Hotels

5 03 2010

Wyndham Hotels has been hit with its third data breach in a year and has once again compromised sensitive customer data.  While frustration sets in for Wyndham, as well as its customers, one thought comes to mind: why?  Why is it that, after two data breaches, the organization is still facing hackers and their onslaught of effective attacks?  Well, as with anything of this magnitude, there are many possible answers.

People point fingers at organizations and their lack of security.  Or perhaps it’s negligence from insiders who fail to control their data exchange and management.  Human error is a leading cause of data breaches, but perhaps it’s more than that.  It’s time to stop pointing fingers and start analyzing where the root of the problem lies.

Wyndham communicates with franchisees and managed communities, which puts countless people in charge of sensitive data.  Simply put, there are too many points of entry.  Sure, a free flow of data is great from a convenience standpoint, but when that puts data within reach of nearly anyone, convenience becomes a liability.  Luckily, there are plenty of ways to prevent this and still maintain multiple points of entry.

Encrypting data so that it remains protected at rest, in motion and even after deletion places a substantial barrier in front of attackers even after they have reached the database.  It is therefore important to apply security to each individual file, rather than only to the database as a whole.  What may seem tedious can actually be quite simple with the right solution.

Using streamlined encryption tools, users can have peace of mind knowing that their data will remain secure no matter who can access it.  While human error will never be completely eradicated from data exchange, these security measures can shrink that margin of error to a minuscule amount.





Healthcare and Managed File Transfer

23 02 2010

With sensitive and confidential data being sent internally and externally to outsourced providers, insurance companies, laboratories or other physicians – email, FTP and standard mail are no longer viable solutions. Managed File Transfer (MFT) solutions are ideal for large healthcare organizations that need to secure file transfers throughout their entire IT infrastructure, given the large number of transfers processed on a daily basis.

How Do You Secure Your Healthcare Information?

Most large healthcare organizations are riddled with file transfer products, tools and utilities that cannot interoperate. This makes securing data enterprise-wide difficult and cost-prohibitive. With the amount of data transferred by healthcare organizations increasing every day, it is imperative that you implement a modern, cost-effective solution that adheres to the industry’s current security requirements.

From an IT standpoint, a Managed File Transfer solution provides the enterprise-wide level of data security needed for the efficient flow of secure transfers within the organization and for B2B transfers. You are able to streamline the audit process and access audit information from a central point, saving your organization time and money. A Managed File Transfer solution integrates with platforms across the enterprise to increase automation and reduce the need for specialized staff. This allows your staff to follow every element of a file transfer and determine the impact of potential problems before they become a business-critical issue.





Old Tricks Still Working for Cyber Criminals

4 02 2010

It seems that, despite all of the innovation in data security, companies are still being plagued with problems from old methods of cyber crime.  One particular sentence in the article stuck out to me:

“In many cases, the management interfaces were accessible directly from the Internet and had little or no password protection, potentially allowing attackers to deploy their own malicious applications on the Web server.”

Sometimes it’s very easy to forget about the simple things we take for granted in securing our data.  With just a password, any cyber criminal can enjoy full access to sensitive information.  We need to take control of this measure and remember that passwords will always place most of the responsibility on users.  It does not matter how well something is password protected if the password itself is released.  Human error may always be a part of data security, but with human error comes human solutions!  Be smart when accessing sensitive information and change your passwords every so often.  Of course, any time account activity seems suspicious, immediately change your password; this may be the simplest solution to what could be a very complex problem.  By remembering to complete these menial tasks, you can help support the security of your data and, ultimately, your organization.

I believe Captain Planet said it best, when he let us know that:

“The power is yours!”





Don’t be on the 2010 10 Bad Tech Moves List

15 01 2010

2009’s list is definitely entertaining, but one entry caught my attention – accidentally sending information via email to an incorrect third party.  With email, once the email is sent, it is sent.  So while you would like to pull it back, you just can’t.  Below is the excerpt from the 2009 list of bad tech moves:

7. “We’ll accept your money but none of the blame” award:

Goes to the Rocky Mountain Bank of Wyoming, which sued Google to obtain the name of one of its Gmail users after the bank accidentally e-mailed that person confidential financial info for 1,325 of its customers. The bank also tried to keep those 1,325 customers (and the rest of the world) from finding out about the data leak by asking the court to seal the case records. Because that’s how you want your bank to act: blame the person who received the information, not the idiot bank employee who sent it to him, and then try to cover it up…