Human errors are the most common threats to exposing a person’s personal information to data breaches according to an analysis of reported data breaches by Rapid7, a security intelligence company. Rapid7 compiled the data breach information for the report based on the number of reported public information data breaches from January 2009 to May 2012 in the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group.

The data breach statistics from the report totaled 268 incidents affecting 94 million people.  The biggest factor responsible for the largest number of breaches of data was unintended disclosure due to negligence and clerical errors. 78 incidents led to exposing almost 12 million records of private information.  The next highest number was 51 incidents due to the loss of a portable data storage device which resulted in breaching almost 82 million personal records.  Hacking was low on the list, adding up to 40 incidents exposing about 1 million records.   

What can be done about this alarming problem?

Security experts advise implementing nationally mandated data breach protection protocols and developing effective breach response programs in conjunction with cyber security training for employees who handle sensitive public data.  Employing technology such as encryption is another method to counter human error since it is inexpensive, simple to administer and highly effective in protecting data.  Using management software that can track and monitor which devices are being used, monitor downloaded data and has the ability to remotely wipe the memories of lost or stolen devices is another data protection tool.

Some experts even go so far as to suggest that all these initiatives need to be backed by a law that punishes workers who fail to follow these protocols with either firing them from their jobs or jail time, depending on the severity of the data breach.  The bottom line is that protecting the public’s most private information is serious business and those who are entrusted with such sensitive information need to recognize that they have a responsibility to protect the public’s privacy.  And in turn, it’s a responsibility that we, the people must ensure that they take seriously.

Now that your data breach response plan is in place and you’re confident that your company is safeguarded from malicious  data breach attempts, what can possibly be still the biggest threat to your data breach protection plan?  Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a data breach if the response plan fails to work.  The business world is ever changing so it’s necessary to ensure that your response plan stays current and functional.

That is why it’s imperative that you regularly audit, test and update your plan on preferably, a quarterly basis.

Here are 7 checklist items to keep in mind when auditing your response plan:

1) Update your data breach response team contact list – Employees come and go therefore it’s important that the contact information for the members of your internal and external breach response team is current.  Make sure department heads are noted and once updated, re-distribute the list to the appropriate people.

2) Verify that your data breach response plan is comprehensive – Revise the plan to include any major company changes, such as new departments or adjustments in data management policies.  Check in with each response team member to ensure their department understands its role and what they need to do during a data breach.  Set up a mock breach of data scenario so that your response team can practice trial runs. Practice a full scale rehearsal annually so the plan is fully vetted and any adjustments can be made before an event occurs.

3) Double check your vendor contracts – Check that your contracts with your forensics firm, data breach resolution provider and other vendors are current and easily accessible.  Review your vendors and contracts and make sure they both still match your data protection and security needs.

4) Review notification guidelines – Verify that the data breach notification section of your response plan reflects the latest state legislation and that your notification letter templates address any new laws.  Ensureyour contact list of attorneys, government agencies and media is updated so you can easily notify them after a breach.  For medical data breaches, healthcare providers need to verify that Department of Health & Human Services contacts are updated and their response team understands data breach information reporting procedures.

5) Check up on third parties that have access to your data – Evaluate how third parties are managing your data and if they are following your data protection rules.  Educate them on any new legislation that may affect you during a data breach.  Stress to third parties the importance of reporting a data breach to you immediately and what is expected in the resolution process. Healthcare companies need to meet HIPAA requirements and should check that business associate agreements (BAAs) are established.

6) Evaluate IT Security – Ensure proper data access controls are in place. Check that automated software and operating system updates for the entire company are installed properly. Verify that any automated security monitoring and reporting system is up to date and working.  Store backup copies of data securely.

7) Review staff security awareness – Verify that your staff is up to date on company policy regarding data security procedures, including what digital and paper documents to keep and how to securely discard what is not needed.  Train staffto identify signs of cyber security threats in their daily work life and know the proper course of action in reporting a breach.  Check that employees are keeping their work related laptops, mobile and digital devices secure at all times and remind them to change passwords every three months.

As we approach another season of shopping and consumerism, the retail industry should pay strict attention to the findings in the latest Verizon’s Data Breach Investigations Report (DBIR), an annual data breach information study conducted by the Verizon RISK Team (VERIS) with participation from the U.S. Secret Service and international national cyber security agencies in Australia, Holland, Ireland, and Britain. The study analyzed forensic evidence to examine how data breaches occurred in organizations, who caused the breaches, why they did it, how the victims responded, and how the breaches could have been prevented. 

 The 2012 DBIR focused on the retail industry which for the past two years has ranked only second behind hotel and food services as the business most plagued with data breaches.  The main reason for the high rankings of these two trades is that they use point of sale (POS) systems to conduct daily business activities, making them prime targets for criminals that exploit POS systems with weak security.  Point of sale generally refers to when money is transacted in exchange for goods or services. Retailers are especially easy targets for cyber criminals who can hijack credit card information from long distances and these kinds of attacks are low risk for the criminals who often disappear long before a data security breach is discovered.  In addition, fraudsters prefer to target small to medium businesses such as franchise owners that lack the resources and/or expertise to manage their own cyber security. 

 VERIS defines threat agents as the cause of data breach incidents and categorizes them as either external (originating outside the victim organization), internal (originating inside the victim organization) and partner (any third parties who share a business relationship with the victim.)  The report found that external threat agents were the most prolific with the majority of attacks originating fromEastern Europe, a hot bed of organized cyber crime.  Internal threats made up a smaller percentage of incidents and often involved criminals coercing retail staff to help them by either using a remote skimming device or swapping legitimate PIN entry devices and POS terminals with identical, counterfeit replacements that are rigged to capture payment card data. 

 Even though these cyber thieves can be insidious, especially during a busy holiday season, retailers can protect themselves by following a few simple data breach protection practices:

1)      Change passwords consistently on all POS systems since hackers constantly scan the web for passwords that are easy to guess.

2)      Implement a firewall on remote access/administration services.  

3)      Do not use POS systems to access the internet.

4)      Make sure your POS system is compliant with the Payment Card Industry Data Security Standard (PCI DSS) an information security standard for businesses that handles credit card information.

While technology undoubtedly has made accessing medical information much easier and faster, it also has also provided an increased potential for medical data breaches especially as health personnel begin to use unsecure mobile devices for personal and work use.  With an increase in health care employees using their own tablets and smartphones in the workplace, many healthcare companies are considering adopting a Bring Your Own Device (BYOD) policy.  However, many companies have failed to implement mobile data breach protection, breaking the HIPAA Security Rule which requires healthcare companies to perform a risk analysis of the processes by which they protect the confidentiality of electronic patient health information maintained by their organization.  Companies are required to use the information gathered from the analysis to take measures to ensure the confidentiality of patient data and to reduce risks to a reasonable level.  If companies don’t comply and there is a data security breach, they can be heavily fined by the U.S. Department of Health & Human Services.

Just recently, a teaching hospital and medical practice associated with a large university was fined $1.5 million in a data breach of patient information when a laptop computer containing unencrypted data on 3,621 patients and research subjects was stolen.  Hospital and practice officials were found guilty of violating the HIPAA Security Rule by not implementing data protection and security on their mobile devices.  The loss of laptops, portable storage gadgets like thumb drives and cell phones have already cost insurance companies, drugstores, medical practices and even a government health and social services department, millions of dollars in fines.

Unfortunately, this troubling trend doesn’t just affect the medical industry.  In August 2012, Coalfire (a firm that provides IT audit and risk assessment) surveyed 400 individuals across North America covering a variety of industries about their company’s mobile device security practices. The data revealed that many organizations lack policies addressing mobile cyber security threats.

Key statistics from the survey:

• 84 percent use the same smartphone for personal and work usage.
• 47 percent don’t have a password on their mobile phone.
• 51 percent said their companies cannot remotely wipe data from mobile devices if they are lost or stolen.
• 49 percent said their IT departments have not discussed mobile/cyber security with them.

Clearly, companies are not doing enough to protect themselves and their employees from the expensive cost of a data breach.  As mobile devices become popular and less expensive, workers will naturally want to use them for their jobs.  Therefore, it is prudent for companies to adopt business data breach protection and security policies to protect not only their company data but also their pocketbook.

Get ready, Connecticut. A new data breach law is now in effect that brings the Office of the Attorney General (OAG) into the reporting loop.

The new law requires notifying the OAG by email no later than when affected consumers are notified. Previously, businesses were only required to report a breach to consumers. Yet Attorney General George Jepsen and his office were tasked with enforcing state breach laws – hard to do when you don’t know about the incidents.

But that’s all changed. Assistant Attorney General Matthew Fitzsimmons and the office’s Privacy Task Force will monitor the incoming emails. The new reporting requirement and newish task force (it was created last year) give the OAG more oversight of breach activity that may be putting consumers at risk. With more oversight comes better enforcement – at least that’s certainly what the OAG hopes.

Connecticut requires consumer notification when a breach involves unencrypted, computerized personal data. The state’s definition of “personal data” includes someone’s first and last names in combination with at least one of three data types: a Social Security number; a driver’s license or state identification number; or a financial account number, such as a credit card number, along with the access code for the account.

Businesses that don’t comply with the new law may find themselves in violation of the state’s Fair Trade Practices Act. Remember that sooner is better than later when it comes to breach reporting. At least if you want to avoid fines and violations.

Here’s the new email address for reporting breaches in Connecticut: ag.breach@ct.gov.

Many small business owners believe that their companies are too small to be victims of data breach. When in reality, nothing could be further from the truth. In fact, the latest Verizon data breach study “Verizon 2012 Data Breach Investigations Report” found that nearly 75 percent of the data breaches analyzed last year involved businesses with less than 100 employees.

Disturbing Data Breach Trend

And, these findings seem to represent a trend. Verizon, which conducts its data breach study annually, found that large-scale data breaches dropped dramatically in 2011, while small and medium company data breaches skyrocketed. Ditto for the year earlier, when Verizon found that 63 percent of the data breaches investigated were at small businesses.

So what’s up? Why are cyber criminals targeting small and medium businesses (SMBs) for data breach and identity theft?

The most likely reason is because it’s easier. SMBs, just like their larger counterparts, may digitally store information like credit card transactions and employee, patient or customer profiles. But unlike large companies, SMBs may not have the time, financial resources or technical expertise to protect their data. Or perhaps, they don’t realize that preventing a data breach may not be as difficult as it sounds.

Data Breach Prevention Tips for SMBs

The Hartford www.hartforddatabreach.com offers the following tips for SMBs to try and prevent a data breach:

• Lock and secure sensitive data
• Restrict employee access to sensitive information
• Shred or securely dispose of unnecessary documents
• Use password protection and data encryption for sensitive files
• Have a privacy policy
• Update systems and software on a regular basis
• Use firewalls
• Ensure that remote access is secure

Smaller business, bigger risks

Perhaps not so surprisingly, researchers also uncovered a greater prevalence of human factor risks among small to medium sized businesses (SMBs), compared with enterprise-sized organizations. In every risk factor category polled, SMBs fared worse than their larger counterparts–as high as 19% worse, in such basic breach prevention measures as:

• Credential management (changing usernames/passwords frequently)
• Deleting spammy or suspicious email attachments
• Avoiding websites deemed by management as ‘off limits’
• Secure, responsible use of social media
• Masking computer screens in public venues
• Deleting unused data files and performing regular backups

Staying off the evening news

Headlines constantly remind us why businesses—large and small—need to be proactive and intentional about deterring outside threats. But, as the study shows, internal policies and practices may also need attention.

Ponemon experts suggest these measures to mitigate insider risk:

• Increase security awareness. Spend more time educating employees (and anyone with insider access) about breach prevention and security best practices.
• Audit your policies. Regular reviews of data protection and governance policies can expose previously hidden gaps and vulnerabilities. Update policies to require immediate reporting of a lost or stolen laptop or mobile device.
• Neutralize the social media threat. Create or strengthen policies that explicitly govern the use of social media at work.
• Review credentials. Ensure that those who have privileged data access really need it, and regularly remind users of their personal charge to handle data responsibly.

Poet Alexander Pope reminds us that to err is human. With greater security awareness and training, companies can reduce the risks that human errors cause. And that’s good news for everyone.

As mobile banking grows in popularity, so do the dangers of data breach and identity theft.

In fact, these data security dangers are so significant they could threaten the future of the mobile financial services industry.

To get a better understanding of the industry’s cyber security woes, a powerful trade group conducted a comprehensive survey of mobile experts from 50 financial institutions. BITS, the technology division of the Financial Services Roundtable, conducted the poll to find out the top mobile data protection threats and the best way to combat them.

Here’s what they found:

1) Mobile data protection must keep up with the lighting-speed pace of innovation.

2) Consumers are scared to use mobile banking. Financial institutions must change public perception of data security measures, which means data protection measures must work.

3) Cooperation on mobile data protection and data security is a must. Everyone involved, such as device manufacturers, network operators, financial institutions and app developers, must work together to develop effective mobile data protection solutions.

4) Consumers must take greater responsibility for their own data security. Consumers need to be more careful about not losing their smart phones and protecting the data inside of them. They should guard their phones the same way that they guard their wallets.

5) Balancing data security and data privacy. As consumers want more convenience, financial institutions need to find the right balance between allowing them to conduct more transactions, but still making sure their personal data is protected from data breach and identity theft. Financial institutions need to educate their customers on data protection methods, like having them lock their smart phone with a password.

Do you have similar concerns? What are your biggest worries regarding mobile banking and data security/identity theft issues? Let us know. We’d like to hear them.

Unfettered mayhem, raining down from cyberspace, has birthed the need for new protection few would have envisioned just a few years ago: cyber insurance coverage.

As coverage goes, cyber insurance is still a relatively new and emerging option that, despite its newness, is rapidly gaining traction among threat-weary businesses in every sector—healthcare, in particular, where protecting high-risk information in EHRs (electronic health records) is among the top priorities. 

Why cyber insurance?
For most, the goal of adding cyber insurance is to mitigate threats, liabilities and costs sustained from (what else?) “cyber incidents” – a broad term covering an ever-growing range of mishaps and misuse, from hacked accounts and stolen credentials to pilfered laptops and wayward thumb drives.  

Given the frequency and severity of recent breaches, and the financial fallout that invariably results, who can blame companies for wanting an extra layer of protection?

Certainly not attorneys Theodore J. Kobus III and Kimberly M. Wong, data security experts and co-authors of a new paper entitled “Risk Management: Cyber Insurance & Your Data Response Plan.” In fact, Kobus and Wong strongly suggest that, depending on budget, exposure profile and potential loss scenarios, cyber insurance may be a risk-reduction remedy that businesses sorely need.

Surprisingly customizable coverage
Companies seeking first-party cyber insurance coverage have a surprisingly diverse range of choices, say the authors, including protection against losses stemming from: data destruction and theft, extortion and hacking, and revenue lost from network intrusion or interruption.

Notification expenses, such as printing, mailing, credit monitoring and call center support may be included in a policy, along with third-party cyber liability coverage for vendors and partners.

Procuring the proper policy
The paper also includes suggestions for working with your broker, including:  

1. Determine what coverage you have under current general commercial liability or professional liability policies.  Identify potential gaps and opportunities to increase long-term protection.
2. Assess your current level of exposure and types of cyber incidents that pose the biggest threats.
3. Inventory the nature and location of all sensitive data. Is it stored in areas that are vulnerable to physical or digital theft? Knowing this will inform cyber coverage decisions.
4. Step through potential employee/non-employee loss scenarios, such as: hacking, theft of data or computer equipment and unauthorized publication of information online.

Still using the less-is-more approach to notification letters? As it turns out, consumers want more – much more than they’re getting.

In a new study, 72% of consumers who recall receiving a notification letter express disappointment. The Ponemon Institute explores why in the 2012 Consumer Study on Data Breach Notification.

Among all survey respondents, those who do and do not recall receiving a notice, 85% verify that learning about the loss or theft of their data is pertinent to them. But only if there’s a certainty of risk, a belief shared by 57% of respondents. An even larger percentage (63%) feels entitled to compensation, such as credit monitoring or identity protection, if their data is lost.

Yet, despite having clear ideas on what they do or don’t want following the loss of their data, most consumers aren’t paying attention to breach notices, according to Ponemon. Only 25% of participants in the study could recall receiving one. Among that group, 35% recalled receiving at least three.

It’s this subset of the study that provides valuable insight into why today’s notifications aren’t working. Here are three flaws:

1. Too Few Details
Sixty-seven percent of respondents who recall receiving a breach notice did not receive enough information about the incident. That includes 44% who did not know what type of data had been lost or stolen, leaving them unsure of what steps to take to protect themselves.

2. Difficult to Understand
Sixty-one percent did not understand the notification, largely due to the length of the letter and complexity of the language. In addition, 37% had no idea what the incident was about even after reading the notice. This led 41% to assume their data had been stolen.

3. Not Believable
Forty-five percent found the message in the letter unbelievable, and 44% of them believed the company was hiding key facts about the breach.

Consumers acted on their disappointment to varying degrees:
• 15% planned to terminate their relationship with the breached company
• 39% contemplated doing so
• 35% would continue the relationship so long as the organization doesn’t experience another breach

The numbers reflect poorly on today’s notification efforts, confirming the need for change. Consumers want simple language and clear explanations of what happened and the risks they face, plus a protection product to compensate for the data exposure, according to the study.

So why not work with your legal counsel to deliver just that in a way that protects your company and satisfies your consumers? Otherwise, your breach notices will continue to alienate and confuse. As this study shows, that only serves to erode customer loyalty and trust, making data loss even more costly in the long run.