Posts Tagged Security Breach

Citigroup Breach Triggers Congressional Response

Posted by on Monday, 11 July, 2011

The data breach at Citigroup in May – a breach which reportedly exposed an estimated 200,000 customer accounts – has motivated members of the U.S. Congress to re-introduce legislation to penalize the very organizations that have been victimized by hackers.  What are the next steps your company should take?

New bills to protect consumers’ personal dataLinoma Software Managed File Transfer Solutions

Two bills are proposed by both House and Senate legislators.

First, Sen. Patrick Leahy (D-Vt.) has introduced the Personal Data Privacy and Security Act of 2011.  The new bill provides:

  • Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data;
  • A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security; and
  • A requirement that the government ensure sensitive data is protected when the government hires  third-party contractors.

This act would also require, under threat of fine or imprisonment, that businesses and agencies notify affected individuals of a security breach by mail, telephone or email  “without unreasonable delay.” Media notices would be required for breaches involving 5,000 or more people.  The FBI and the Secret Service would need to be notified if the breach affects 10,000 or more people, compromises databases containing the information of one million or more people, or impacts federal databases or law enforcement.

But that’s not the only security bill that has businesses concerned.

In the House, Rep. Mary Bono Mack (R-Ca) is holding hearings in preparation of a bill she’s named The SAFE (Secure and Fortify) Data Act that would also require “reasonable security policies and procedures” to protect consumers and enable disclosures to victims and the Federal Trade Commission within 48 hours of a data breach.

Companies no longer viewed as the victims

All this sounds good from the consumer’s point of view. But what about the expense – and potential Linoma Software GoAnywhere Managed File Transfer Solutionpenalties – suffered by the “owners” of the data: the businesses themselves?

While these bills may address the public’s interest for notification — and indeed they would bring some semblance of a national standard – they also represent an interesting shift in the liabilities that companies will face.  How is that?

Though we currently have no federal data breach notification law, federal policies now view the companies that experience a data breach as the victims of crime. However, under the proposed legislative bills, companies that do not act quickly to appropriately secure the personal data of customers – or fail to report a data breach in a reasonable amount of time – would not only suffer the theft of data, but also be held liable for its loss.

This is a significant shift. Companies are now being viewed not as the owners of consumer data, but merely guardians and trustees whose job it is to protect that data or face criminal penalties. And the message is clear: if companies won’t take adequate precautions to secure the sensitive data of our customers, they’ll pay a hefty price.

Where does your company stand?

In a world in which diligent hackers have the power break into seemingly secure networks and systems, what can your company do?

The challenge is first to determine exactly what qualifies as adequate precautions.

GoAnywhere Secure Managed File Transfer A review of the HIPAA HITECH security provisions that took effect last year provides some insight about what the government considers adequate protection.

HITECH strongly recommends the use of encryption technology. Encryption is a good place for your company to start, especially when dealing with the data your company stores on its servers.  If sensitive data itself is kept securely encrypted, a data breach doesn’t expose the content of the information itself.

Secure managed file transfer protocols – which send data using encryption – is the second place to focus attention.

If data is encrypted when it is being securely transmitted between business partners, the value of that data should it be breached – through hacking, theft, or other malicious actions – is worthless.  Encryption and secure managed file transfers can dramatically minimize the holes of technical breaches, significantly reducing an organization’s liability.

Preventing exposure

The Citigroup data breach has rekindled the momentum for a nationwide, cross-industry data breach reporting standard. This standard will not to eliminate the physical breaches themselves. What’s needed is legislation to encourage companies secure the underlying data that is the target of the hackers.

Isn’t it time for your company to take a serious look at its liabilities and to investigate how encryption and managed file transfers can close these important security holes?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

Dealing with the HITECH Requirements of HIPAA

Posted by on Monday, 7 February, 2011

Last November, six hospitals and one nursing home were fined in California for data security breaches related to patient healthcare records. The total fines were $792,500 by the California Attorney General. The cause? The facilities failed to prevent unauthorized access to confidential patient medical information.

While these breaches made headline news in California, they were but the tip of the iceberg of the total healthcare record breaches in 2010. According to the Privacy Rights Clearinghouse, there were 592 reported healthcare data security breaches last year, which potentially exposed more than 11.5 million records. This was double the breaches of healthcare facilities in 2009, opening severe liabilities to the organizations that housed those patient records.

So what now? If your organization can be fined for failing to prevent unauthorized access, how can you safeguard your company’s healthcare records?

HITECH – What is it?

Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, extended the complete Privacy and Security Provisions of HIPAA to business associates of covered entities. This includes the extension of newly updated civil and criminal penalties to business associates.  On November 30, 2009, the regulations associated with the new enhancements to HIPAA enforcement took effect.

What’s it mean? If your company merely does business with an organization that is involved with healthcare records, HITECH says that you are liable for any security breaches on your watch that reveal patient vital healthcare information. This could include things like names, addresses, social security and Medicare/Medicaid numbers, or any info that could lead to misuse of healthcare information.

So how can your company protect itself from this liability?

The Department of Health and Human Services (DHHS) interim Security Rule says that “a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information.” The DHHS rule does permit something called “comparable methods” in lieu of encryption, but it does not specify what those methods might be.

Encryption vs. Comparable Methods: The Vague Alternatives

To determine if your company can provide security through some so-called “comparable method” it’s important to look at the types of breaches that occurred in the past. The Privacy Rights Clearinghouse provides a good free search service to investigate at http://www.privacyrights.org.

By looking through the types of breaches that occurred in 2010, (stolen laptops, doctors emailing records to their home computers, lost or missing flash drives, unauthorized browsing by employees), the first question that you should be asking is “Can our organization really secure all those potential mechanisms for data theft without relying upon encryption?” It’s a difficult task, and the resources that your organization will expend (hardware solutions, policy solutions, etc.) can be significant.

Still, the monetary fines for failing to provide adequate protection are severe, and your management may decide that a thorough review of your security will be required.

By comparison, implementing encryption technology like Crypto Complete – is undoubtedly a faster and more cost-effective means. Crypto Complete encrypts sensitive data at the source using integrated key management, complete with auditing, field encryption and backup encryption, without interrupting the normal IT workflow. Data encryption permits the source of information itself to be put under a lock and key, and once encrypted, that data is protected from both unlawful use and the HITECH liability rule.

Now is the Time

Finally, consider the downside of ignoring the HITECH rules? Take a look at one attorney’s perspective “Responding to an Electronic Medical Records Security Breach: What Every Health Care Provider Needs to Knowto get a handle on the steps for determining the scope of the law. You’ll be surprised at how comprehensive the requirements have become, and why your management should be concerned.

Encrypting your data is the most recognized, safest and least expensive means of protecting your organization from liability from unauthorized access. If you’ve been to putting off addressing the potential pitfall of unauthorized access to your data, now is the time to investigate.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

Who Insures the Insurer?

Posted by on Monday, 2 August, 2010

Do insurance companies maintain Data Security Breach Insurance?

On June 23, 2010 more than 200,000 Anthem Blue Cross customers received letters informing them that their personal information might have been accessed during a security breach of the company’s website. Customers who had pending insurance applications in the system are currently being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed.  It’s one more tumble in a cascade of security breaches that can have terrible consequences for the customers and clients of such a large insurance company.

And of course, this raises an ironic question: Do insurance companies maintain their own liability insurance in the event that their information systems are compromised?  As absurd as it may seem at first glance, it’s really not a laughing matter. According to the Ponemon Institute, the average cost of a security breach is now exceeding $200 per client record.  This would mean that Anthem Blue Cross’s breach last month created a liability as great as $40M.

Moreover, there’s a ripple effect to organizations that do business with insurance companies that suffer such an information security breach.  Each Personnel Department that delivers private employee information to an outside service supplier has an inherent responsibility and liability to its employees.

We all know that the privacy information transferred between companies should use a secure and confidential method of transmission.  Yet too many small and medium-sized companies are still using simple FTP (File Transfer Protocol) software that has been proven to be susceptible to the threats of network hackers.  And by the time these organizations realize their vulnerability, it’s often too late.  These companies are often performing these FTP transfers below the radar of their IT departments.  How does it happen?

Often personnel data is off-loaded to PCs from the main information systems where it is left “in the open” on the hard drives of desktops or laptops. After the data is transferred this residual data is often unprotected, where it’s subject to theft or secondary security flaws. Insurance agents – whose jobs are to facilitate the processing of the data with their insurance providers – can also suffer from such breaches. The loss of an agent’s laptop – through theft, accident, or routine use of USB thumb-drives – poses additional liability.

There are two readily available strategies to help prevent these kinds of security abuses. The first strategy is to use data encryption technologies that not only encrypt the data, but also record into a secure log detailing when, where, and by whom the sensitive data has moved from the main information database.  Linoma’s CryptoComplete offers precisely this kind of encryption capability, and it should be examined by IT professionals as a viable, highly configurable resource for the protection of the company’s information assets.

The second strategy is to use a secure method of transfer for the data itself, ensuring that the information is never left in a vulnerable state on an individual’s personal computer.  By removing FTP access to the data by any employee’s PC and channeling the transfer through the secure corporate server, IT can prevent the problem of network hacking from occurring.  Linoma’s GoAnywhere Director solution is precisely the means of achieving the goal of a secure FTP transfer between companies.

The tragedy of the Anthem Blue Cross breach was the result of a faulty security scheme in the design of its customer service solution.  But it is not the only potential failure of data security that can impact its customers and business partners. And, unfortunately, this information security breach is just one of the 356 million reported breaches that have occurred in the US over the last five years.

So who insures the insurer when a data security breach occurs?  The real answer is IT itself.  And helping IT achieve a better result will be the subject of this blog over the next few months.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2012 Linoma Software  |  All rights reserved