Courts side with Consumers in Data Breach

In general, courts don’t tend to side with consumers in data breach incidents. However, a federal court in Florida is the apple among the oranges. It approved a $3 million settlement for victims whose data was on a stolen laptop in December 2009, that contained personal health information.

2D

The laptops belonged to AvMed, a health insurer, and the unencrypted data involved records of tens of thousands of the company’s customers.

Though the consumer-plaintiffs suffered no identity theft or other direct losses, they blamed AvMed of breach of contract and fiduciary duty, negligence and unjust enrichment.

These claims were dismissed by the U.S. District Court for the Southern District of Florida, but the plaintiffs appealed. The U.S. Court of Appeals for the Eleventh Circuit remanded the case.

AvMed’s attempt for another dismissal went down the tubes, prompting the company to enter into settlement talks with the plaintiffs.

The agreement says that each victim will get up to $10 for every year they made an insurance payment to AvMed, with a cap at $30. This is money, say the victims, that AvMed could have spent on better data security. The agreement also requires AvMed to pay damages to anyone who gets stung with identity theft.

AvMed will also employ encryption and new password protocols, plus GPS technology for its laptops.

Apparently, this settlement is the first in which the awarded victims didn’t have to show tangible evidence of loss.

Traditionally, courts nationwide don’t take on such claims, and that a claim lacks merit if it’s based on the possibility of future damages rather than actual concrete losses that have already occurred.

The ruling serves as a precedent for future data breach cases, to support customers’ stance that a segment of their health insurance premiums should fund data security placements.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Cyber Insurance vs. General Liability

One of the biggest data breaches of all time involved that of Sony Corp. The hackers stole confidential information from tens of millions of Sony PlayStation Network users. Despite this humongous breach, something surprising happened: New York Supreme Court Jeffrey Oing ruled that Mitsui Sumitomo Insurance Co. and Zurich American Insurance Co. owed NO defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

4HAnd why? Oing said that the coverage can’t be triggered through a third-party action: that by the hackers.

It seems, then, in order to get coverage, Sony itself would have to do the hacking. “They’re being held liable even though the wrongdoing was done by a third party,” explains Robin Cohen to Law360. Cohen heads a law firm that handles insurance recovery.

To determine coverage obligations, Zurich filed a lawsuit against Sony, which had to shut down its PlayStation Network for a month.

Oing’s ruling will likely motivate companies to obtain policies that specifically insure against data breach claims. However, many companies believe that such specific insurance is already built into their current general liability policy.

Insurers all across the nation are wanting to put language in their policies that exclude coverage of losses stemming from data breaches, which include loss of credit card information. However, courts have the final say-so in just how far these exclusions can go.

Companies need to seriously consider cyber insurance policies that specialize in coverage of data breach losses.

K&L Gates LLP partner Roberta Anderson told Law360, “Irrespective of whether the Sony trial court’s view is widely adopted, it’s ill-advised for policyholders to rely on general liability policies for data breaches.”

It’s expected that Sony, which has strong arguments for their appeal according to policyholder attorneys, will challenge Oing’s decision.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Insurance Company fined BIG for Breach

Why would an insurance company be fined for a data breach?

2DThere was a security breach at Triple-S Salud, Inc. (TSS), which is a subsidiary of Triple-S Management GTS. The Puerto Rico Health Insurance Administration plans on imposing a $6.8 million fine on TSS.

The breach involved 13,336 of TSS’s Dual Eligible Medicare beneficiaries. The penalty includes suspending all new DEM enrollments and alerting enrollees of their right to back out.

The PRHIA says that Triple-S failed to implement all the required steps in response to the security breach.

TSS sent out a pamphlet last September that unintentionally showed the Medicare Health Insurance Claim Number of some of the recipients. This is a unique number that’s assigned by the Social Security Administration. It’s considered to be protected health information.

An investigation was carried out by TSS, and this subsidiary did report the incident to federal government agencies and Puerto Rico. TSS complied with the PRHIA’s requests for information pertaining to the DEM beneficiaries. TSS also took additional measures, one of which was that of issuing an alert of the breach through local media; all of the affected beneficiaries were notified by mail of the breach.

In the filing, Triple-S affirms that it takes the matter very seriously and is “working to prevent this type of incident from happening again.” However, it’s currently not able to assess the financial impact of the breach on TSS, nor can it estimate the sanctions’ impact.

Triple-S adds that a response is being prepared by TSS to give to the PRHIA, and that TSS has a right to make a request for an administration hearing.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Health Care Information Breaches rise

Medical errors can also mean medical identity theft—accounting for 43 percent of all 2013 identity theft in the U.S., says the Identity Theft Resource Center. Medical identity theft kicks other forms of ID theft to the curb: banking, finance, government, military and education.

2DFraudsters invade health data to illegally obtain prescription drugs, services or devices and to get insurance reimbursements.

Making the situation stiffer is the Affordable Care Act, as the implementation of federal and state health insurance exchanges involved malfunctioning online marketplaces. Plus, the Act promotes digitizing medical records, and you know what that means.

What about an honor system?

HIPAA—Health Insurance Portability and Accountability Act (now you know why it’s not “HIPPA”)—and the HITECH Act define what health care providers must do to protect patient privacy. Violations of these acts can net stiff fines including up to 10 years’ prison time.

However, HIPAA has exceptions, such as “public health activities” and “health oversight activities” in which confidential information is shared.  People who know that HIPAA isn’t airtight can be turned off from revealing they have an STD or a psychiatric disorder to their doctor unless absolutely necessary.

Patients must be notified by their health plan, medical institution or medical provider when it’s been determined that their health information has been breached, says HITECH law. The Department of Human Health must also be notified. The Department will reveal breaches that involve at least 500 patients.

The discovery, though, doesn’t solve the problem that has already occurred: the fallout from the leak. It’s fairly straightforward to have the right information put back in a patient’s files, but another story to get the fraudulent information taken out, due to fear of medical liability.

Take action:

The time is now to bring attention to how a business is protecting their clients’ data. The public wants to know their information is safe and the companies they hand it over to are doing everything possible to protect it.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How Data Breaches happen and how to respond

Here’s four chief ways how data breaches happen:11D

  • Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems.
  • An inside job. Employees (past or present) can commit data breaches. Also, an innocent employee is tricked by social engineering into revealing confidential information or giving out access to that information.
  • Judgment lapse. An employee may leave data unprotected—not on purpose, but due to an oversight, making it easy prey for villains.
  • Device loss. When a device that contains valuable data is lost or misplaced, a thief could get ahold of it—and then all hell can break loose.


Prepare

Don’t wait for a breach to figure out a plan of action. Have the plan in place in anticipation of an attack. The plan should be built around written emergency contacts, clear guidelines to which law enforcement outfits should be contacted for resolution, and a notification timeframe.

Put in place vendor contracts that have a call center unless the company’s staff can handle a big data breach. The contracts should also include a mail-house for letters of notification, and previously agreed rates pertaining to consumer fraud protection should the business need to notify clients or customers.

Fighting back

When a breach occurs, consult with legal counsel, always. In addition, there are certain actions you must take. First, find out how the breach occurred, then contain it. Get a solution started to prevent it from striking again. Alert relevant employees.

Also notify external entities in a timely fashion such as law enforcement, a forensics investigator, consumers, FTC and any affected vendors and suppliers.

Additional Points

  • A strong prevention strategy for data breaching depends upon top management, to ensure that the company’s budget covers fiscal and personnel resources.
  • From the get-go, the company’s most high-up individuals should be included in devising any plans to protect against and mitigate data breaches.
  • Getting upper management involved is critical for establishing a solid groundwork for security.
  • Keeping up to date and re-evaluations should be carried out on an ongoing basis to always stay on top of the latest trends in data breach and security technologies.
  • Also ongoing should be training and practice of the company’s response plan to data breaching.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Ways small businesses are preventing Breaches

How did that huge recent data breach of a major retailer occur in the first place? Well, valuables can’t be stolen if there aren’t any valuables to begin with. Large merchants will store customers’ credit/debit card data to facilitate faster transactions. But small retailers keep minimal or zero data—this will not attract thieves.

2DIf customers want increased security of their card data, they’re going to have to give up the speedy transactions and automatic debits, because currently, they can’t have it both ways.

A smaller outfit may keep only the last four numbers of a credit card on file; no SSN or anything else. This isn’t much for thieves to work with. Yet at the same time, every time a customer makes a purchase, they must give all the required information.

Some small retailers are completely technology-free, though this seems like an impossible undertaking in this modern e-age. For example, a small business that bills monthly for services may not honor automatic withdrawal of a member’s monthly fees. Members may pout, unaware that this inconvenience has a protective feature.

Banks also have a role in protecting customers and businesses. A good start would be to require a PIN from cardholders for every transaction.

Another maneuver would be for the U.S. to ditch the magnetic strip on cards and replace with a digital chip. This would prevent thieves from stealing data off the strip. Thanks to the magnetic strip, America is the hacking capital of the world.

Additional Tips

  • Hardware: firewall security appliances and routers.
  • Software: Think anti: virus, spyware, phishing. Also think full disk encryption and total protection suites.
  • E-mail security: It must be hammered into employees NEVER to click on any link in an e-mail from an unfamiliar sender.
  • Physical security: The building should be equipped with video surveillance (outside and indoors), alarm systems and solid core doors of commercial grade.
  • The test: Find someone, known as a “penetration tester” who knows all about hacking, but whom you can trust, to “hack” your network to see what needs to be done to protect it from a real villain.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Been Breached? A Response Plan

Should victims of a data breach be notified? This situation can be confusing due to various state laws. Certain issues must be considered, including differences among state laws. Differences include what exactly defines personally identifiable information; which agency (e.g., law enforcement, credit reporting) should be alerted; when victims should be notified; and what the notification letter should say.

4DLegal counsel can tell you what level of notification you’re entitled to. Not every data breach case requires that consumers or businesses be alerted. But not alerting has its own set of negative consequences.

When an incident does require notification, the information that follows must be considered: (these are general guidelines – review any and all steps with your attorney)

  • Treat all victims equally; all get notified, even if this means out of state. Not doing so can yield legal consequences or the media might pounce.
  • Though there aren’t really any notification laws regarding overseas victims, they too should be notified.

Notification

The sooner victims are alerted, the better. Under what circumstances, though, should victims be notified? The nature of the breach should be considered, along with type of information stolen and whether or not it may be misused, and the possible fallout of this misuse.

Damage from misuse can be significant, such as with stolen SSNs and names.

When in doubt, consult with legal counsel. Don’t be surprised if you’re informed that breached consumers must be notified; most states require this. And within 30 days. Some states mandate that the Attorney General’s office also be notified.

FTC Recommendations for Notification

  • Inform law enforcement when notification takes place so they don’t cross lines with it.
  • Also find out from them precisely what information the consumer notification should contain.
  • Select someone from your organization to manage release of information.
  • This contact individual should be given updated information concerning the breach, plus your official response, as well as guidelines for how victims should respond.
  • To aid victims’ communication options, consider providing a toll-free number, posting a website or mailing letters.
  • Explain clearly to victims just what you know of the breach. How did it happen? What information was stolen or compromised? How might the thieves misuse it? What actions have the organization taken for mitigation? What reactions are appropriate?
  • Make sure victims know how to reach the contact person.
  • Make sure the law enforcement official who’s working your case has contact information for victims to use.The officer should also know that you’re sharing this contact information.
  • Victims should ask for a copy of the police report, then make copies to give to credit card companies that have honored unauthorized charges.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

What is a Data Breach and how do I protect Myself?

When protected, sensitive or confidential data is accessed or used by someone without authority, this is a data breach. This can involve any kind of data such as personal health, financial, or business related.

3DNot all data breaches result from hacking into a computer. One can breach data simply by peering over someone’s shoulder at the computer screen when they shouldn’t be. It can also be elaborately planned: A company’s new employee may actually be working for an extensive crime ring to steal data from the inside. Needless to say, a data breach can lead to identity theft (among many other problems).

In the workplace, especially retail, where credit cards are processed, the Payment Card Industry Data Security Standard is designed to provide retailers with guidelines to eliminate data breaches. In a healthcare workplace, HIPAA (Health Insurance Portability and Accountability Act) helps control who has access to personal health information.

How can you protect yourself?

  • As a consumer you must keep your operating system updated to the latest secure version.
  • Run antivirus, antispyware, antiphishing and a firewall.
  • Protect your wireless communications with encryption and use a VPN for portable devices.
  • Use secure passwords with upper/lower case and numbers.
  • In the event someone else is responsible for a breach read very carefully any notification of a data security breach and don’t assume that the breach was accidental or that identify theft is not likely.
  • Use an identity theft protection product. It will scavenge cyberspace for any unauthorized use of personal information such as from your credit cards and Social Security number; will keep track of personal credit information; and will send an alert if suspicious activity is detected—maybe even prior to you receiving a consumer notification.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Half Billion Records Breached in 5 Years

In the late 90s and early 2000s, hacking had evolved from “phreaking” (hacking phone systems) to “cracking” (breaking into networks). At the time, hackers hacked for fun, for the challenge, and for fame and popularity within the hacking community. But soon enough, the public began spending more time online, shopping, banking, and managing personal affairs. Hackers are no longer wreaking havoc for its own sake, deleting files, or tormenting IT administrators. Now, they’re stealing proprietary data. Instead of fun and fame, today’s hackers are motivated by illegal financial gain.

Over the past five years, criminal hackers from all over the world have been targeting huge databases of Social Security and credit card numbers. The endgame for criminal hackers is identity theft. Once they obtain stolen data, their objective is to turn it into cash as quickly as possible. This either entails selling the data to identity thieves on black market forums, or using the information to create new accounts or to take over existing credit card accounts.

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

So when a so-called “identity theft expert” claims that you can protect yourself from identity theft for free, simply by shredding documents, not giving out your Social Security number, locking your mailbox, and monitoring your online accounts, that person does not have the full picture. You should take all these precautions. But when almost everyone’s personal information has been stolen or compromised once or twice, as a result of breaches that are entirely out of our control, it’s clear that you simply can’t protect yourself on your own. This is why identity theft protection is a must.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visithttp://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss an identity theft pandemic on CNBC. (Disclosures)

Organized Web Mobsters Getting Jobs Inside Corps

In 2009, there were a reported 140 million records compromised, compared to 360 million in 2008. In 2010 there have been almost 13 million records stolen. But don’t have a party just yet. Criminals are fine-tuning their craft and getting better. The industry just isn’t making it as easy. 97% of those records were stolen using malware – malicious software designed to attack the target’s existing systems and software in place.

A reported 50% of the malware was installed remotely. Almost 20% came from visiting infected websites and almost 10% was installed when employees clicked infected links that conned or “socially engineered” them.

A recent Verizon report stated, “Over the last two years, custom-created code was more prevalent and far more damaging than lesser forms of customization, the attackers seem to be improving in all areas: getting it on the system, making it do what they want, remaining undetected, continually adapting and evolving, and scoring big for all the above.”

This may be also attributed to an inside job. A rogue employee on the inside always has the advantage of knowing exactly how to remain undetected.

The report further stated that organized crime rings may “recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score, the smaller end of these schemes often target cashiers at retail and hospitality establishments while the upper end are more prone to involve bank employees and the like.”

In the past three years that’s a total of 513 million records. On average, every citizen has had his or her data compromised almost twice. Where’s your Social Security number in that mix?

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Fox News. (Disclosures)