Human errors are the most common threats to exposing a person’s personal information to data breaches according to an analysis of reported data breaches by Rapid7, a security intelligence company. Rapid7 compiled the data breach information for the report based on the number of reported public information data breaches from January 2009 to May 2012 in the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group.

The data breach statistics from the report totaled 268 incidents affecting 94 million people.  The biggest factor responsible for the largest number of breaches of data was unintended disclosure due to negligence and clerical errors. 78 incidents led to exposing almost 12 million records of private information.  The next highest number was 51 incidents due to the loss of a portable data storage device which resulted in breaching almost 82 million personal records.  Hacking was low on the list, adding up to 40 incidents exposing about 1 million records.   

What can be done about this alarming problem?

Security experts advise implementing nationally mandated data breach protection protocols and developing effective breach response programs in conjunction with cyber security training for employees who handle sensitive public data.  Employing technology such as encryption is another method to counter human error since it is inexpensive, simple to administer and highly effective in protecting data.  Using management software that can track and monitor which devices are being used, monitor downloaded data and has the ability to remotely wipe the memories of lost or stolen devices is another data protection tool.

Some experts even go so far as to suggest that all these initiatives need to be backed by a law that punishes workers who fail to follow these protocols with either firing them from their jobs or jail time, depending on the severity of the data breach.  The bottom line is that protecting the public’s most private information is serious business and those who are entrusted with such sensitive information need to recognize that they have a responsibility to protect the public’s privacy.  And in turn, it’s a responsibility that we, the people must ensure that they take seriously.

Health care fraud and abuse has been in the national spotlight for years. But now that the Affordable Care Act is coming into play, it’s taking center stage.

The Affordable Care Act gives officials tough tools to crack down on groups and individuals who try to defraud Medicare, Medicaid and other types of insurance plans. These tools include technology that’s being used to spot fraud and suspicious activity before any claims are paid.

The law is also creating partnerships between government agencies and private organizations that are working together to fight fraud and health care abuse. One of the more visible examples of this increased collaboration is the Health Care Fraud Prevention and Enforcement Action Team or “HEAT,” which is a joint effort between the U.S. Department of Health and Human Services and the Department of Justice. 

So where do you fit into this battle against health care fraud? What defense counsel advice could you give your clients in this era of increased enforcement?

Join us at the Fraud & Compliance Forum to find out. Experian will be one of the exhibitors at the conference, which will be held Sept. 30-0ct. 2, in Baltimore, MD. The forum is sponsored by the American Health Lawyers Association (AHLA) and the Health Care Compliance Association (HCCA).  It will feature speakers from the Inspector General’s Office, Department of Justice and Centers for Medicare and Medicaid Services, along with private practitioners.

In addition to discussing increased enforcement, there will also be sessions on some of the following topics:

• 50 Shades of Gray: Strategies for hospital-physician alignment in the light of recent developments
• CIAs: What enhanced Corporate Integrity Obligations tell us about OIG expectations for compliance programs
• Compliance, criminal and civil liability for overpayments
• Strategies for a medical necessity case
• Exit strategies for voluntary disclosures

For more information, call HCCA at 888-580-8373 or visit http://www.healthlawyers.org/Events/Programs/2012/Pages/FC12.aspx

Swimmers may be stealing the spotlight, but it’s scammers who are taking home the gold–in the form of stolen credit card numbers, PINs, consumers’ personal identities.

One familiar con trotted out this year (and every Olympics) is ticket fraud, including what Britons call ‘ticket touting’ (scalping) and its more sinister cousin, counterfeiting. Paying for tickets that are never delivered is another way unwary buyers are tricked into giving up personal and/or credit card information.

Beware the cyber threats

Acknowledging the widespread use of smartphones, tablets and similar devices to retrieve Games-related content, the UK’s national fraud reporting center, Action Fraud, cautions fans to browse wisely, warning that worms, viruses and other malware can penetrate mobile devices just as easily as PCs.

Top malware delivery threats listed on Action Fraud’s blog site include:

• Search Engine Poisoning – The most prevalent form of malware delivery (40% of all malware infections), in which attackers link what appear to be legitimate search result “bait” pages to malware infected sites.
• Drive-by-Downloads – Technique that automatically downloads malware when devices interact with an infected website, email, pop-up ad or other apparently authentic Olympic content.
• Information Phishing – Disguised links from Facebook and Twitter abound this year. When clicked, infected links, in the shortened bit.ly/ format, for example, can instantly extract, disable or destroy a device’s content or operating system.

Staying off the scammers’ scorecards

A fraudster’s goal is to rip you off in record time and disappear into the shadows with their
ill-gotten gains.  To avoid being victimized during the Olympics (or anytime) follow these common-sense rules for browsing and buying:

• Never click a link from someone you don’t know.
• Avoid giving personal or credit card information to anyone whose identity and organization you can’t positively confirm.
• For Olympics news or memorabilia, frequent only sites known to be credible and trustworthy, such as London2012.com.

Such simple precautions can make for a winning Olympics experience, and help send the fakes, frauds and phonies home empty handed.

Have you or a friend encountered scammers during the Olympics? Take a minute to briefly share your story.

Like Blanche Dubois in A Streetcar Named Desire, we’d all like to think that we can depend upon the kindness of strangers.  Unfortunately, Symantec recently reminded us (in case there was any doubt) that strangers are bound to let you down.

In its Smartphone Honey Stick Project, Symantec intentionally “lost” 50 smartphones, all programmed with fake corporate and personal information.  The phones included a tracking device so Symantec could monitor what happened once the devices were found.  The purpose of the test was to assess the human threats to a lost smartphone’s data and the connected corporate systems.  Specifically, Symatec set out to assess the following circumstances: 

● Likelihood of a finder attempting to access data on the smartphone
● Likelihood of a finder attempting to access corporate applications and data
● Likelihood of a finder attempting to access personal applications and data
● Likelihood of attempted access to particular types of apps
● Amount of time before a lost smartphone is moved or accessed
● Likelihood of a finder attempting to return a device to its owner
 
On every count, the results were a disappointment to anyone hoping for better from their fellow mankind.  Bottom line: if you lose your business-connected mobile device, there’s more than an 80% chance that an attempt will be made to breach corporate data and/or networks.  A total of 83% of the devices showed attempts to access corporate-related apps or data, and attempts to access a corporate email client occurred on 45% of the devices.  A file titled “HR Salaries” was accessed on 53% of the phones and another titled “HR Cases” was accessed on 40% of the devices.

The study underscored yet again that businesses must impress upon employees the importance of adhering to strict security guidelines regarding their mobile devices.  What does that look like?  Here are five key reminders:
   
1. Require that employees use password protection on all electronic devices especially if they use it to access work related files and email.
2. Implement software that allows you to use remote wiping so a device can be killed if its lost or untraceable.
3. Invest in employee training and education about data breaches and the impact it has not only on the business but also on the employees themselves since most people also program their personal information into business devices.
4. Account for every device that has access to your company’s networks and take inventory often so nothing slips through the cracks or gets lost.
5. Use business security software for all your electronic devices and implement a security management program. When a device is lost or stolen, have a recovery system in place so employees know what to do immediately in order to prevent any lost of data.

Internet safety isn’t just for the employees who handle your most sensitive data. It’s for each and every one. With June being National Internet Safety Month, it’s the perfect time to brush up on exactly what that means for your employees and business.

In a recent study, 78% of organizations had experienced at least one data breach due to the actions of a careless or malicious employee.¹ It’s important to educate and empower your employees to do their part for data security, and that means being safe online.

Anyone who uses the Internet in your office needs to be mindful of Internet safety. Even if someone doesn’t handle sensitive data directly, his/her actions could infect your network with a virus that leads to data loss.

One of the obstacles to Internet safety is that cyber risk is so intangible it doesn’t seem like an immediate threat at all.  Cyber threats are oftentimes the opposite. A virus could slowly siphon data from your network for weeks, months or longer without anyone knowing.

Because cyber risk is often veiled, regular educational sessions with your employees are vital. Be sure they know and follow your Internet usage policy. Don’t have one in place? National Internet Safety Month is the perfect time to organize and implement your guidelines. You can find examples online to help shape your own policies.

Here are a few things to consider addressing:

Personal Internet Use
Blocking employees from logging in and using their personal accounts at work isn’t just an issue of lost productivity. It’s also a security issue. Links, videos and attachments online and in emails can contain unseen threats, such as a virus or malware that undermines the security of your data. That could include your employees’ own personal data. Be sure they understand that the precautions are for their benefit as well as for the stability of the business and their jobs. You can use the honor system for off-limit sites or use software that blocks unsecure and other URLs.

Software Downloads
Have your IT team handle all software downloads and ensure operating systems and software are updated regularly. Automatic updates implemented across the entire network at once help ensure there isn’t a weak link, an outdated computer, in your system. Again, you can use the honor system and ask employees not to install any software themselves or block them from doing so for added security. After all, accidents and human error do occur.

Email Dos and Don’ts
Some employees handle a hundred or more emails a day. Considering the high volume and the ease of communicating by email, mistakes are bound to occur. Sensitive data sent to the wrong email address could be detrimental for your business and customers. Be sure your employees understand what type of data is and isn’t permissible to send by email. And that they don’t open any attachments, click on any links or respond to any requests for sensitive data if the source is not verified.

As part of your Internet usage policy and National Internet Safety Month, impart on your staff the importance of not only being mindful and careful but also sounding the alarm when anything goes wrong. The sooner you know about threats to your network, the sooner you can protect your data and business.

1 The Human Factor in Data Protection, Ponemon Institute (2012)

For a company, a data breach can seem like it comes out of the blue. Yet, according to analysis by the Identity Theft Resource Center (ITRC), the three primary causes of data breaches have remained the same since 2009:

• Hacking
• Data on the move
• Insider theft

ITRC has been releasing an annual Breach Report since 2007. For the first time, hacking outpaced all other triggers to account for just more than a quarter of the 419 breaches in 2011. Incidents of hacking rose from 17.1% in 2010 and, the previous high, 19.5% in 2009 to 25.8% in 2011.

Data on the move* was the second highest trigger, accounting for 18.1% of the breaches in 2011. Insider theft, falling slightly from 2010, caused 13.4% of the breaches as the third trigger. ITRC further counts hacking and insider theft together as a malicious attack, adding up to nearly 40% of breaches in 2011.

The numbers make it clear that companies can’t rely on one form of data breach prevention alone. The 2011 Breach Report further illustrates that no company is immune. Of the entities reporting data breaches, 47% fell into the business category. Both business and educational entities experienced an upswing in data loss incidents in 2011.

The report also considers government/military, financial/credit and health/medical entities, the third of which accounted for 20.5% of the breaches in 2011.

Among the more alarming findings is that 61.6% of the reported breaches in 2011 exposed Social Security numbers (SSN), one of the most valuable pieces of personal data an individual has. Such exposure can leave a consumer vulnerable to identity theft indefinitely. Individuals can’t easily exchange their SSN for a new number like they can with credit or debit cards. (Loss of credit and debit card data was a factor in 26.5% of incidents in 2011.)

Drawing on what’s known about how breaches occur, companies can plan ahead to prevent and respond to incidents in order to protect themselves and the consumer data they use and collect. A comprehensive prevention and response plan should account for all of the various ways, including accidental exposure and subcontractor loss, that breaches occur.

Staying aware of vulnerabilities can only help companies strengthen their defense. Data breaches are here to stay, so there’s no time like the present to take prevention and preparation seriously.

*“Data on the move” refers to data that has left its usual place of rest, i.e. its proper storage place. This includes data in transport to a new storage location as well as data that has left an office on an electronic drive, a mobile device or paper.

The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and mobile devices in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.

What can companies do to mitigate the risk to their holiday-traveling data?

First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the Ponemon Institute, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.

The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that encryption can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.

A few other tips:

• Encourage the use of privacy filters, which block the ability to view computer screens from an angle.
• Guard against open wi-fi prowlers by setting computer defaults to require owners’ authority before connecting to a new network.
• Discourage the use of public computers.  Many of them contain “keylogger spyware” that can monitor every keystroke.

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

It can be unnerving to be told that your information has been compromised in a data breach.  The uncertainty of not knowing all the details and the anxiety over what information has been exposed is deeply troubling to many consumers.  A breach notice makes us aware of a new risk to our lives that we can’t measure easily.

Often times, there is a lot of speculation surrounding the company’s timing of the breach notification.  The timing of notification may depend upon a variety of state laws, some of which may delay notification if law enforcement is doing an investigation of the incident and has requested a delay to make the investigation easier.  In most breach cases, the company will want to investigate internally prior to making public notice.  It is important to the consumer and the company that they provide a notice which is accurate.  No one is happy when a notice is made public, and then has to be changed as further information comes to light.  Everyone is better served when the company gets the information right the first time.

It is also important to understand the complexities which may surround various types of data breaches. Not all breaches are equal in the amount of risk posed to the consumer.  For instance, some pieces of information about you are generally available and public, and pose little risk to you taken alone, such as your email address, or first and last name.  Credit card numbers that are exposed are a risk, but not a long term problem, as the issuer will provide a new card with a different account number very quickly.

Additionally, malicious attacks on a company’s server, insider (employee) theft, or the theft of mobile devices (i.e. storage devices, laptops) may be more likely to lead to identity theft than accidental posting on a long-ago cached website or papers left behind in an old abandoned building.  Knowing whether or not the breach incident was malicious or accidental in nature may help you to put the level of risk into a better perspective.

Just remember, unless you know otherwise, the fact that your data was compromised does NOT mean you are an identity theft victim.  In fact, there have been millions of people notified that their information may have been breached who have not become identity theft victims. Your response to the breach will depend on the type of information that was compromised.  Here are some steps you can take at this time:

Financial Account Numbers:

This includes checking accounts, credit cards, money market funds, stocks, and bank accounts:

• Close ONLY the affected accounts and have account numbers changed.
• Password-protect all your accounts, the new ones as well as the closed.  This restricts thieves from re-opening closed accounts.
• Monitor your account and billing statements closely
• Report any fraudulent activity immediately to the bank and law enforcement.

Social Security Numbers:
Call the credit reporting agencies.  These are automated and secure systems.   Place a fraud alert with each agency and request a free copy of each of your credit reports.  It is free because your information was breached and you are a potential victim of identity theft.  Do this for any person whose Social Security Number (SSN) was compromised. If the SSN belongs to a child, you should find that there is no credit report available for that child.  If there is a credit report for a child, it indicates that the child’s information may have been used. In that case, you need to get a copy of the credit report in order to repair the incorrect items.

It is also recommended that you call all three credit reporting agencies and not just one.  Check your report carefully for any irregularities.  Sometimes people see errors on the report that were on the report before the data breach occurred.

You can use, without charge, the annual credit reports system www.annualcreditreport.com to monitor your credit report over the next year. Stagger them throughout the year by ordering one every four months.

Or, if you want real-time updates on your credit report, you may want to consider a paid service which monitors your credit report and alerts you immediately upon any change.

Other:

• If your auto or medical insurance policy information is involved, ask the company about their policy to protect compromised policies.
• If it is HR data that was compromised, change account numbers for your 401-K, life insurance, and accounts holding your stock options.  Password-protect these accounts.
• Driver’s License’s – contact your state Department/Bureau of Motor Vehicles and notify them of the theft.  They most likely will not change your number.

Quick – conjure the image that comes to mind when you hear the term cybercriminal.

Perhaps an unkempt, lone operator working out of a boiler room late at night?

How about – more commonly these days – a sophisticated fraud businessman running a high-stakes organization with international teams of experts, raking in millions through his illegal tactics.

When Albert Gonzalez was arrested for hacking into the networks of TJ Maxx, Barnes and Nobles, and OfficeMax, amongst others, and stealing 45 million credit and debit card numbers, he had $1.65 million in cash, a crew of international co-conspirators, and secret bank accounts across the world stuffed with millions more.  Gonzalez, who formerly worked for the Secret Service busting other cyber criminals, was later indicted for an even bigger, separate attack that compromised 140 stolen credit card numbers.

These days, the fraud economy has matured to a point where it is run like a global marketplace, with specialists for every aspect of fraud – from identity thieves to the consumers of stolen identities.  Data theft is only one part of what fuels this economy – the second and equally important aspect is the conversion of these thefts into cash, which is where the fraud economy connects illegal data traffickers with underground data buyers.

First Data’s report on this topic offers a cheat sheet of the cheating way of life:

1.       According to a study from Symantec Corp. which followed a year in the life of the underground economy, the value of the advertised goods on underground economy Web servers in a given year was more than $276 million

2.       The Symantec study found that the most popular item for sale, as well as the most requested for purchase, is credit card data, which are inexpensive to buy and have the potential for high profit

3.       The price for stolen credit card data ranges from 10 cents to $25 per card, with discounts offered for bulk purchases

4.       The average stolen credit card has a credit limit of $4,000

5.       The potential worth of all credit cards observed for sale during Symantec’s yearlong reporting period was estimated to be $5.3 billion

6.       Stolen financial account information is the second most popular item for sale in the underground economy, selling for $10 to $1,000 per account (with an average account balance of nearly $40,000)

7.       The potential value of all bank accounts advertised on underground economy servers during the reporting period was $1.7 billion

8.       Fraud as a Service (FaaS) has evolved as an infrastructure that helps fraudsters operate efficiently, just as software as a service (SaaS) has evolved to help the online needs of businesses.  FaaS includes online Fraud Forums, which serve as web-based marketplaces for illegal goods and services

As ever-developing fraud techniques challenge the wits of security experts, it’s important to understand as much as possible about the underground fraud economy that orchestrates advanced methods to rob businesses and consumers as well as how to address these concerns.

Legislation has been introduced in Congress to crack down on Medicare and Medicaid fraud. This legislation comes at a time when incidents of medical fraud are on the rise and the Obama Administration is poised to role out sweeping healthcare reform.  Medical fraud is estimated to cost the U.S. health care system $100 billion a year.

The new rules will give federal health officials key powers to detect fraud early and prevent improper payments from being made.  For example, medical provider employees will be subject to fingerprinting, payments will be suspended to health organizations that are under investigation and medical programs will be required to stop using providers kicked out of Medicare or Medicaid programs.

These rules have serious implications for the health care industry that must also comply with stringent new HITECH rules. As I mentioned in a previous blog entry, some professionals feel the best way to comply with the new requirements is to be proactive.  For example, providers should consider actively working with their vendors to ensure all parties comply with the new standards.

Another recommendation is to conduct an internal risk assessment. A thorough assessment can identify where a business is not complying with the HITECH Act or HIPAA standards and provide an opportunity to make the right adjustments. Non-compliance can result in up to $1.5 million in fines or even civil action from a State Attorney General.

Learn more about risk assessments and act now before it’s too late.