Now that your data breach response plan is in place and you’re confident that your company is safeguarded from malicious  data breach attempts, what can possibly be still the biggest threat to your data breach protection plan?  Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a data breach if the response plan fails to work.  The business world is ever changing so it’s necessary to ensure that your response plan stays current and functional.

That is why it’s imperative that you regularly audit, test and update your plan on preferably, a quarterly basis.

Here are 7 checklist items to keep in mind when auditing your response plan:

1) Update your data breach response team contact list – Employees come and go therefore it’s important that the contact information for the members of your internal and external breach response team is current.  Make sure department heads are noted and once updated, re-distribute the list to the appropriate people.

2) Verify that your data breach response plan is comprehensive – Revise the plan to include any major company changes, such as new departments or adjustments in data management policies.  Check in with each response team member to ensure their department understands its role and what they need to do during a data breach.  Set up a mock breach of data scenario so that your response team can practice trial runs. Practice a full scale rehearsal annually so the plan is fully vetted and any adjustments can be made before an event occurs.

3) Double check your vendor contracts – Check that your contracts with your forensics firm, data breach resolution provider and other vendors are current and easily accessible.  Review your vendors and contracts and make sure they both still match your data protection and security needs.

4) Review notification guidelines – Verify that the data breach notification section of your response plan reflects the latest state legislation and that your notification letter templates address any new laws.  Ensureyour contact list of attorneys, government agencies and media is updated so you can easily notify them after a breach.  For medical data breaches, healthcare providers need to verify that Department of Health & Human Services contacts are updated and their response team understands data breach information reporting procedures.

5) Check up on third parties that have access to your data – Evaluate how third parties are managing your data and if they are following your data protection rules.  Educate them on any new legislation that may affect you during a data breach.  Stress to third parties the importance of reporting a data breach to you immediately and what is expected in the resolution process. Healthcare companies need to meet HIPAA requirements and should check that business associate agreements (BAAs) are established.

6) Evaluate IT Security – Ensure proper data access controls are in place. Check that automated software and operating system updates for the entire company are installed properly. Verify that any automated security monitoring and reporting system is up to date and working.  Store backup copies of data securely.

7) Review staff security awareness – Verify that your staff is up to date on company policy regarding data security procedures, including what digital and paper documents to keep and how to securely discard what is not needed.  Train staffto identify signs of cyber security threats in their daily work life and know the proper course of action in reporting a breach.  Check that employees are keeping their work related laptops, mobile and digital devices secure at all times and remind them to change passwords every three months.

While technology undoubtedly has made accessing medical information much easier and faster, it also has also provided an increased potential for medical data breaches especially as health personnel begin to use unsecure mobile devices for personal and work use.  With an increase in health care employees using their own tablets and smartphones in the workplace, many healthcare companies are considering adopting a Bring Your Own Device (BYOD) policy.  However, many companies have failed to implement mobile data breach protection, breaking the HIPAA Security Rule which requires healthcare companies to perform a risk analysis of the processes by which they protect the confidentiality of electronic patient health information maintained by their organization.  Companies are required to use the information gathered from the analysis to take measures to ensure the confidentiality of patient data and to reduce risks to a reasonable level.  If companies don’t comply and there is a data security breach, they can be heavily fined by the U.S. Department of Health & Human Services.

Just recently, a teaching hospital and medical practice associated with a large university was fined $1.5 million in a data breach of patient information when a laptop computer containing unencrypted data on 3,621 patients and research subjects was stolen.  Hospital and practice officials were found guilty of violating the HIPAA Security Rule by not implementing data protection and security on their mobile devices.  The loss of laptops, portable storage gadgets like thumb drives and cell phones have already cost insurance companies, drugstores, medical practices and even a government health and social services department, millions of dollars in fines.

Unfortunately, this troubling trend doesn’t just affect the medical industry.  In August 2012, Coalfire (a firm that provides IT audit and risk assessment) surveyed 400 individuals across North America covering a variety of industries about their company’s mobile device security practices. The data revealed that many organizations lack policies addressing mobile cyber security threats.

Key statistics from the survey:

• 84 percent use the same smartphone for personal and work usage.
• 47 percent don’t have a password on their mobile phone.
• 51 percent said their companies cannot remotely wipe data from mobile devices if they are lost or stolen.
• 49 percent said their IT departments have not discussed mobile/cyber security with them.

Clearly, companies are not doing enough to protect themselves and their employees from the expensive cost of a data breach.  As mobile devices become popular and less expensive, workers will naturally want to use them for their jobs.  Therefore, it is prudent for companies to adopt business data breach protection and security policies to protect not only their company data but also their pocketbook.

Our guest blogger this week is Gant Redmon, General Counsel & Vice President of Business Development at Co3 Systems.

Working for a company that navigates 46 different state breach notice laws and a plethora of sector based federal breach notice laws, I’m often asked what I think the likelihood is that the Federal Government will pass a comprehensive data breach notification law that supersedes all the state laws. While I don’t rule out a federal law passing at some point, I see it setting a floor of breach response responsibility rather than superseding everything already in place.

Put yourself in the shoes of a legislator trying to harmonize all the different state laws. That legislator is going to have three big political challenges.

The first challenge is choosing a single standard in the face of wildly different state standards. How will affected states feel about the Federal government imposing a different standard than the one they’ve settled on? Changing the rules in dozens of states will cause upheaval with political fallout.

The second challenge will be dealing with state attorneys general and treasurers. State AG’s are becoming more and more active in tracking breaches and cracking down on companies that don’t provide proper notice or have adequate security procedures. Part of that crackdown includes fines collected that go to the state treasury. A federal law will strip those AGs of the rule of privacy protectors and redirect funds to the federal government and away from the states.

The third challenge is that some states, like California and Virginia, go above even Federal notice requirements. What legislator wants to be known as the one who diluted people’s privacy rights by pre-empting strong protections and replacing them with weaker ones?

When trying to solve a problem, the first thing I ask is if I’m dealing with a problem worth solving. Privacy professionals and law firms have become well versed in the different state laws. Software solutions also exist that track all the different laws and provide incident response plans that are easy to follow. If the problem here is the complexity involved in dealing with disparate state breach notice laws, then we don’t have a problem worth solving.

“The opinions reflected in this article are solely those of the author and do not reflect the views of Experian Data Breach Resolution or any of its sister companies.”

Get ready, Connecticut. A new data breach law is now in effect that brings the Office of the Attorney General (OAG) into the reporting loop.

The new law requires notifying the OAG by email no later than when affected consumers are notified. Previously, businesses were only required to report a breach to consumers. Yet Attorney General George Jepsen and his office were tasked with enforcing state breach laws – hard to do when you don’t know about the incidents.

But that’s all changed. Assistant Attorney General Matthew Fitzsimmons and the office’s Privacy Task Force will monitor the incoming emails. The new reporting requirement and newish task force (it was created last year) give the OAG more oversight of breach activity that may be putting consumers at risk. With more oversight comes better enforcement – at least that’s certainly what the OAG hopes.

Connecticut requires consumer notification when a breach involves unencrypted, computerized personal data. The state’s definition of “personal data” includes someone’s first and last names in combination with at least one of three data types: a Social Security number; a driver’s license or state identification number; or a financial account number, such as a credit card number, along with the access code for the account.

Businesses that don’t comply with the new law may find themselves in violation of the state’s Fair Trade Practices Act. Remember that sooner is better than later when it comes to breach reporting. At least if you want to avoid fines and violations.

Here’s the new email address for reporting breaches in Connecticut: ag.breach@ct.gov.

You see stories about data breaches all the time. Earlier this month, in fact, a small medical facility was fined $1.5 million following a data breach that resulted from a stolen, unencrypted laptop. News like that makes security, legal and compliance professionals shudder. But could the medical facility have avoided that fine? Absolutely. What about after a data breach? What happens during the recovery and remediation process? Do you know what you should do and shouldn’t do to avoid fines and litigation?    

Join us for an interactive discussion on key data breach mistakes and how to overcome them on October 11 at the IAPP Privacy Academy in San Jose. Also, stop by the Experian booth to meet our team, network with your peers, and enter for a chance to win an Apple® MacBook Air.

I will be participating on the data breach panel to discuss the best ways to respond to a breach to avoid potential fines and legal action. The panel will also discuss how to protect your customers or patients to maintain their loyalty and how to recover losses through insurance. You’ll leave with:

• Key lessons from significant breaches and  issues arising from their investigations, including consequences and challenges
• Best practices for handling some of the most unusual situations
• Tips for handling notification and communication effectively

For more information about the IAPP Privacy Academy click here.

Can you imagine losing backup disks containing information for 300,000 patients? Or having computer back-up tapes stolen? What if someone hacked into your network servers or lost important laptops? These aren’t hypothetical scenarios. They’re real data breach cases that have occurred in recent years. Can this happen to you? You bet. The key is being prepared for the inevitable.

I would like to invite you to participate in an informative webinar on this important issue. I will be joined by Dr. Larry Ponemon, a data protection “think tank” pioneer and Chairman of the Ponemon Institute, and Karen Murray, Vice President, Chief Compliance Officer of Steward Health Care System in a discussion focusing on the latest data breach trends, how to prepare for a data breach and the best ways to respond to a breach.

The 90-minute webinar, delivered in conjunction with the Health Care Compliance Association (HCCA), will be held at noon CST on July 25, 2012 and participants may be eligible for CEUs.

In addition, the webinar will feature:

• The latest research about consumer notification from the Ponemon Institute
• A look at healthcare data breach statistics
• Best practices for data breach preparation from a compliance officer’s perspective.
• Examples of what works – and doesn’t work – when responding to a data breach
• How and why data breaches happen
• How to budget the resources for a  potential breach
• What do regulators expect from an organization that experienced a breach?
• A question and answer period for participants

Come learn the best ways to try and prevent a data breach and the most effective methods to respond to one. Learn to minimize your costs and help protect your reputation.

Still using the less-is-more approach to notification letters? As it turns out, consumers want more – much more than they’re getting.

In a new study, 72% of consumers who recall receiving a notification letter express disappointment. The Ponemon Institute explores why in the 2012 Consumer Study on Data Breach Notification.

Among all survey respondents, those who do and do not recall receiving a notice, 85% verify that learning about the loss or theft of their data is pertinent to them. But only if there’s a certainty of risk, a belief shared by 57% of respondents. An even larger percentage (63%) feels entitled to compensation, such as credit monitoring or identity protection, if their data is lost.

Yet, despite having clear ideas on what they do or don’t want following the loss of their data, most consumers aren’t paying attention to breach notices, according to Ponemon. Only 25% of participants in the study could recall receiving one. Among that group, 35% recalled receiving at least three.

It’s this subset of the study that provides valuable insight into why today’s notifications aren’t working. Here are three flaws:

1. Too Few Details
Sixty-seven percent of respondents who recall receiving a breach notice did not receive enough information about the incident. That includes 44% who did not know what type of data had been lost or stolen, leaving them unsure of what steps to take to protect themselves.

2. Difficult to Understand
Sixty-one percent did not understand the notification, largely due to the length of the letter and complexity of the language. In addition, 37% had no idea what the incident was about even after reading the notice. This led 41% to assume their data had been stolen.

3. Not Believable
Forty-five percent found the message in the letter unbelievable, and 44% of them believed the company was hiding key facts about the breach.

Consumers acted on their disappointment to varying degrees:
• 15% planned to terminate their relationship with the breached company
• 39% contemplated doing so
• 35% would continue the relationship so long as the organization doesn’t experience another breach

The numbers reflect poorly on today’s notification efforts, confirming the need for change. Consumers want simple language and clear explanations of what happened and the risks they face, plus a protection product to compensate for the data exposure, according to the study.

So why not work with your legal counsel to deliver just that in a way that protects your company and satisfies your consumers? Otherwise, your breach notices will continue to alienate and confuse. As this study shows, that only serves to erode customer loyalty and trust, making data loss even more costly in the long run.



Experian will be at the annual HCCA 2012 Compliance Institute conference at Caesar’s Palace in Las Vegas. This conference offers an important opportunity to meet industry professionals with solid credentials in a number of areas related to medical information and data security. Some of the topics to be addressed at the conference include healthcare reform, compliance effectiveness and HIPAA privacy/data breach.

Attendees at the Compliance Institute can choose from 128 sessions and 225 speakers. Special conference tracks address legal and regulatory issues and privacy and security concerns, as well as general compliance. Also offered are advanced discussion groups, industry immersions, speed networking and more. For more information, go to http://www.compliance-institute.org/.

Come and visit our booth. We’ll talk about ProtectMyID^®, Surveillance Alerts^TM and ProtectMyID^® ExtendCARE^TM, as well as other Experian products that can play a critical role in protecting your organization, informing patients of a data breach and helping your organization recover from an incident. You can also enter your name in a drawing for a chance to win a new iPad.

Customers see a data breach and the loss of their personal data as a threat to their security and finances, and with good reason. Identity theft occurs every four seconds in the United States, according to figures from the Federal Trade Commission.

As consumers become savvier about protecting their personal data, they expect companies to do the same. And to go the extra mile for them if a data breach occurs. That means providing protection that holds up under scrutiny. Protection that offers peace of mind, not just in the interim but years down the line.

The stronger the level of protection you provide to individuals affected in a breach, the stronger their brand loyalty. Just like with any product, consumers can tell the difference between valid protection products that work and ones that just don’t.

Experian® Data Breach Resolution takes care to provide the former, protection that works for your customers or employees affected in a breach and that reflects positively on you, as the company providing the protection.

Experian’s ProtectMyID® Elite or ProtectMyID Alert provides industry-leading identity protection and, now, extended fraud resolution care. ExtendCARE™ now comes standard with every ProtectMyID data breach redemption membership, at no additional cost to you or the member.

With ExtendCARE, the identity theft resolution portion of ProtectMyID remains active even when the full membership isn’t. ExtendCARE allows members to receive personalized assistance, not just advice, from an Identity Theft Resolution Agent. This high level of assistance is available any time identity theft occurs after individuals redeem their ProtectMyID memberships.

Extended protection from a global leader like Experian can put consumers’ minds at ease following a breach. If we can help you with pre-breach planning or data breach resolution, please contact us at 1 866 751 1323 or databreachinfo@experian.com.