Data Breaches: How To Protect Your Business From Internal Threats

The biggest threat to your data may not come from external hackers. Find out how to guard against intentional or accidental internal cyber breaches.

The NSA leaks we keep hearing about are a constant reminder of just how vulnerable data is and how this vulnerability can result in data breaches by organization insiders. As Reuters reported, “Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.” It’s apparent now that the nation’s most significant intelligence and security team failed to install the most up-to-date, anti-leak software.

This news coincides with two recent reports that show insiders are becoming the most significant reason data breaches proliferate. While threats to data security and privacy are often perceived to come from the outside via criminal hackers, recent research has marked internal threats as equally dangerous to customer/client data—whether breached on purpose or by accident.

According to a recent Forrester Research report titled “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company, while 36 percent of breaches were caused by employee mistakes, making it the current top cause of most data breaches.

Another report, from MeriTalk, which focuses on the federal government, found that 49 percent of breaches happen when employees bypass existing security measures, such as when they’re Web surfing or downloading email or other files. If the federal government can’t protect itself against data leaks, how can small-business owners expect to adequately protect their business data? Let’s take a look at how these data leaks are happening to find out how you can protect against them.

Cracking The Code

We’re at a point where companies interested in protecting their data have invested significant resources into fighting off network attacks from outsiders by incorporating numerous layers of security, such as firewalls, antivirus software, antispyware, antiphishing software and security awareness training, but they’re leaving their data vulnerable to their employees. Companies may have malicious, Edward Snowden-like insiders who hack the network for information, including fellow employees’ passwords.

Or, on the less malicious end of the spectrum, employees may just make simple mistakes that leave the network vulnerable to data breaches. Because of this “hidden” vulnerability, company networks are often compared to candy bars that are hard on the outside and soft and chewy on the inside. Additional risks revolve around savvy employees who might have good intentions but may make the network vulnerable when they go outside existing security measures. They may find themselves forced to do this because of restrictions that prevent them from getting their jobs done.

The MeriTalk study found:

  • 66 percent of federal network users believe security is time-consuming and restrictive.
  • 69 percent say their work takes longer because of additional cyber security measures.
  • One in five users report an inability to complete work because of security measures.
  • 31 percent of users work around security measures at least once a week.

Forrester found:

  • 36 percent of breaches stem from inadvertent misuse of data by employees.
  • 42 percent received training on how to remain secure at work, which means 58 percent haven’t had training at all.
  • 57 percent say they’re not even aware of their organization’s current security policies.
  • 25 percent say a breach occurred because of abuse by a malicious insider.

Guarding What’s Yours

The most important thing companies can do is to put the right security measures in place. Employees who need to be identified include those known to access critical data resources, such as staff in accounting, human resources, administration, legal, personnel and account management, as well as company officers and various contractors. Looking at data flow—that is, where data might be either vulnerable, shared across departments or bottlenecked—companies should work with each critical department to gradually implement security controls that create a delicate balance of security and productivity for day-to-day activities.

Data loss prevention begins with data discovery, classifying data in need of protection, and then determining what level of risk your company may face. Then you should complete a cost/benefit analysis and review the various technologies that can integrate with your existing systems. These include data loss prevention (DLP) technologies that provide real-time network activity monitoring, as well as system status monitoring from the inside out and the outside in.
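The data discovery and classification step described above can be prototyped before any product is bought. The following is an added example, not part of the original article or of any DLP product: it scans documents for Luhn-valid card numbers and plausibly formatted Social Security numbers, reports each hit masked to its last four digits, and assigns a label. The label names, the threshold, the file names and all sample values are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# US Social Security numbers written as AAA-GG-SSSS.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges that are never issued (000/666/9xx area, 00 group, 0000 serial)."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(value: str) -> str:
    """Keep only the last four digits so the inventory itself holds no usable data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def discover(text: str) -> list:
    """Return (kind, masked_value) for every sensitive value found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", mask(m.group())))
    return findings


def classify(findings: list) -> str:
    """Hypothetical three-level scheme; adjust labels and threshold to local policy."""
    kinds = {kind for kind, _ in findings}
    if not findings:
        return "internal"
    if len(kinds) > 1 or len(findings) >= 10:
        return "restricted"
    return "confidential"


def inventory(docs: dict) -> dict:
    """Map each document name to (label, masked findings)."""
    result = {}
    for name, text in docs.items():
        found = discover(text)
        result[name] = (classify(found), found)
    return result


# Constructed sample documents; card values are public test numbers.
SAMPLE_DOCS = {
    "hr/onboarding_notes.txt": "New hire J. Doe, SSN 123-45-6789, start date 2014-03-01.",
    "accounting/refunds.csv": ("order,card\n1001,4111 1111 1111 1111\n"
                               "1002,5555-5555-5555-4444\n1003,4111111111111112\n"),
    "legal/claim_export.txt": "Claimant SSN 123-45-6789 paid with card 378282246310005.",
    "marketing/newsletter.txt": "Call 555-0100 before 12-31. Promo code 0000-1111-2222.",
}

if __name__ == "__main__":
    for name, (label, found) in inventory(SAMPLE_DOCS).items():
        print(f"{label:12} {name}: {found}")
```

The resulting inventory shows which departments hold which kinds of data, which is the input the cost/benefit analysis and access decisions need.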

The goal is to limit who has access to what data as well as determine why the person needs it. It’s also important to look for your vulnerabilities from outside attacks. DLP can simultaneously determine when employees are circumventing security because the system may be prohibiting them from getting their job done.

Other procedures and tools you might want to consider implementing include:

  • System-wide encryption
  • Tools that report alerts and events
  • Inspection access controls
  • Password management
  • Multifactor authentication
  • Device recognition
  • Data disposal for e-data, paper data and discarded devices
  • Transparency

This last one is critical because the more transparent your network security and security policies are, the more effective each department will be when communicating its requirements, needs, wants and differences.

The battle to fight criminal hackers from the outside must not hinder your employees’ progress on the inside. At the same time, you must protect against internal threats from employees, which is an equally dangerous risk that your IT department must acknowledge—and work to secure quickly.

Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Courts side with Consumers in Data Breach

In general, courts don’t tend to side with consumers in data breach incidents. However, a federal court in Florida is the apple among the oranges. It approved a $3 million settlement for victims whose personal health information was on a laptop stolen in December 2009.

The laptops belonged to AvMed, a health insurer, and the unencrypted data involved records of tens of thousands of the company’s customers.

Though the consumer-plaintiffs suffered no identity theft or other direct losses, they accused AvMed of breach of contract and fiduciary duty, negligence and unjust enrichment.

These claims were dismissed by the U.S. District Court for the Southern District of Florida, but the plaintiffs appealed. The U.S. Court of Appeals for the Eleventh Circuit remanded the case.

AvMed’s attempt for another dismissal went down the tubes, prompting the company to enter into settlement talks with the plaintiffs.

The agreement says that each victim will get up to $10 for every year they made an insurance payment to AvMed, with a cap at $30. This is money, say the victims, that AvMed could have spent on better data security. The agreement also requires AvMed to pay damages to anyone who gets stung with identity theft.

AvMed will also employ encryption and new password protocols, plus GPS technology for its laptops.

Apparently, this settlement is the first in which the awarded victims didn’t have to show tangible evidence of loss.

Traditionally, courts nationwide don’t take on such claims, holding that a claim lacks merit if it’s based on the possibility of future damages rather than actual concrete losses that have already occurred.

The ruling serves as a precedent for future data breach cases, to support customers’ stance that a segment of their health insurance premiums should fund data security placements.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Cyber Insurance vs. General Liability

One of the biggest data breaches of all time involved Sony Corp. The hackers stole confidential information from tens of millions of Sony PlayStation Network users. Despite this humongous breach, something surprising happened: New York Supreme Court Justice Jeffrey Oing ruled that Mitsui Sumitomo Insurance Co. and Zurich American Insurance Co. owed NO defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

And why? Oing said that the coverage can’t be triggered through a third-party action, in this case that of the hackers.

It seems, then, in order to get coverage, Sony itself would have to do the hacking. “They’re being held liable even though the wrongdoing was done by a third party,” explains Robin Cohen to Law360. Cohen heads a law firm that handles insurance recovery.

To determine coverage obligations, Zurich filed a lawsuit against Sony, which had to shut down its PlayStation Network for a month.

Oing’s ruling will likely motivate companies to obtain policies that specifically insure against data breach claims. However, many companies believe that such specific insurance is already built into their current general liability policy.

Insurers all across the nation want to put language in their policies that excludes coverage of losses stemming from data breaches, which include loss of credit card information. However, courts have the final say-so in just how far these exclusions can go.

Companies need to seriously consider cyber insurance policies that specialize in coverage of data breach losses.

K&L Gates LLP partner Roberta Anderson told Law360, “Irrespective of whether the Sony trial court’s view is widely adopted, it’s ill-advised for policyholders to rely on general liability policies for data breaches.”

It’s expected that Sony, which has strong arguments for their appeal according to policyholder attorneys, will challenge Oing’s decision.

Insurance Company fined BIG for Breach

Why would an insurance company be fined for a data breach?

There was a security breach at Triple-S Salud, Inc. (TSS), which is a subsidiary of Triple-S Management GTS. The Puerto Rico Health Insurance Administration plans on imposing a $6.8 million fine on TSS.

The breach involved 13,336 of TSS’s Dual Eligible Medicare beneficiaries. The penalty includes suspending all new DEM enrollments and alerting enrollees of their right to back out.

The PRHIA says that Triple-S failed to implement all the required steps in response to the security breach.

TSS sent out a pamphlet last September that unintentionally showed the Medicare Health Insurance Claim Number of some of the recipients. This is a unique number that’s assigned by the Social Security Administration. It’s considered to be protected health information.

An investigation was carried out by TSS, and this subsidiary did report the incident to federal government agencies and Puerto Rico. TSS complied with the PRHIA’s requests for information pertaining to the DEM beneficiaries. TSS also took additional measures, one of which was that of issuing an alert of the breach through local media; all of the affected beneficiaries were notified by mail of the breach.

In the filing, Triple-S affirms that it takes the matter very seriously and is “working to prevent this type of incident from happening again.” However, it’s currently not able to assess the financial impact of the breach on TSS, nor can it estimate the sanctions’ impact.

Triple-S adds that a response is being prepared by TSS to give to the PRHIA, and that TSS has a right to make a request for an administration hearing.

Health Care Information Breaches rise

Medical errors can also mean medical identity theft—accounting for 43 percent of all 2013 identity theft in the U.S., says the Identity Theft Resource Center. Medical identity theft kicks other forms of ID theft to the curb: banking, finance, government, military and education.

Fraudsters invade health data to illegally obtain prescription drugs, services or devices and to get insurance reimbursements.

Making the situation stiffer is the Affordable Care Act, as the implementation of federal and state health insurance exchanges involved malfunctioning online marketplaces. Plus, the Act promotes digitizing medical records, and you know what that means.

What about an honor system?

HIPAA—Health Insurance Portability and Accountability Act (now you know why it’s not “HIPPA”)—and the HITECH Act define what health care providers must do to protect patient privacy. Violations of these acts can net stiff fines and up to 10 years’ prison time.

However, HIPAA has exceptions, such as “public health activities” and “health oversight activities” in which confidential information is shared. People who know that HIPAA isn’t airtight can be turned off from revealing they have an STD or a psychiatric disorder to their doctor unless absolutely necessary.

Patients must be notified by their health plan, medical institution or medical provider when it’s been determined that their health information has been breached, says HITECH law. The Department of Human Health must also be notified. The Department will reveal breaches that involve at least 500 patients.

The discovery, though, doesn’t solve the problem that has already occurred: the fallout from the leak. It’s fairly straightforward to have the right information put back in a patient’s files, but another story to get the fraudulent information taken out, due to fear of medical liability.

Take action:

The time is now to bring attention to how a business is protecting their clients’ data. The public wants to know their information is safe and the companies they hand it over to are doing everything possible to protect it.

How Data Breaches happen and how to respond

Here are four chief ways data breaches happen:

  • Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems.
  • An inside job. Employees (past or present) can commit data breaches. Also, an innocent employee can be tricked by social engineering into revealing confidential information or giving out access to that information.
  • Judgment lapse. An employee may leave data unprotected—not on purpose, but due to an oversight, making it easy prey for villains.
  • Device loss. When a device that contains valuable data is lost or misplaced, a thief could get ahold of it—and then all hell can break loose.


Prepare

Don’t wait for a breach to figure out a plan of action. Have the plan in place in anticipation of an attack. The plan should be built around written emergency contacts, clear guidelines on which law enforcement outfits should be contacted for resolution, and a notification timeframe.

Put in place vendor contracts that have a call center unless the company’s staff can handle a big data breach. The contracts should also include a mail-house for letters of notification, and previously agreed rates pertaining to consumer fraud protection should the business need to notify clients or customers.

Fighting back

When a breach occurs, consult with legal counsel, always. In addition, there are certain actions you must take. First, find out how the breach occurred, then contain it. Get a solution started to prevent it from striking again. Alert relevant employees.

Also notify external entities in a timely fashion, such as law enforcement, a forensics investigator, consumers, the FTC and any affected vendors and suppliers.

Additional Points

  • A strong prevention strategy for data breaching depends upon top management, to ensure that the company’s budget covers fiscal and personnel resources.
  • From the get-go, the company’s most high-up individuals should be included in devising any plans to protect against and mitigate data breaches.
  • Getting upper management involved is critical for establishing a solid groundwork for security.
  • Updates and re-evaluations should be carried out on an ongoing basis to always stay on top of the latest trends in data breach and security technologies.
  • Also ongoing should be training and practice of the company’s response plan to data breaching.

Ways small businesses are preventing Breaches

How did that huge recent data breach of a major retailer occur in the first place? Well, valuables can’t be stolen if there aren’t any valuables to begin with. Large merchants will store customers’ credit/debit card data to facilitate faster transactions. But small retailers keep minimal or zero data—this will not attract thieves.

If customers want increased security of their card data, they’re going to have to give up the speedy transactions and automatic debits, because currently, they can’t have it both ways.

A smaller outfit may keep only the last four numbers of a credit card on file; no SSN or anything else. This isn’t much for thieves to work with. Yet at the same time, every time a customer makes a purchase, they must give all the required information.

Some small retailers are completely technology-free, though this seems like an impossible undertaking in this modern e-age. For example, a small business that bills monthly for services may not honor automatic withdrawal of a member’s monthly fees. Members may pout, unaware that this inconvenience has a protective feature.

Banks also have a role in protecting customers and businesses. A good start would be to require a PIN from cardholders for every transaction.

Another maneuver would be for the U.S. to ditch the magnetic strip on cards and replace it with a digital chip. This would prevent thieves from stealing data off the strip. Thanks to the magnetic strip, America is the hacking capital of the world.

Additional Tips

  • Hardware: firewall security appliances and routers.
  • Software: Think anti: virus, spyware, phishing. Also think full disk encryption and total protection suites.
  • E-mail security: It must be hammered into employees NEVER to click on any link in an e-mail from an unfamiliar sender.
  • Physical security: The building should be equipped with video surveillance (outside and indoors), alarm systems and solid core doors of commercial grade.
  • The test: Find someone, known as a “penetration tester” who knows all about hacking, but whom you can trust, to “hack” your network to see what needs to be done to protect it from a real villain.

Been Breached? A Response Plan

Should victims of a data breach be notified? This situation can be confusing due to various state laws. Certain issues must be considered, including differences among state laws. Differences include what exactly defines personally identifiable information; which agency (e.g., law enforcement, credit reporting) should be alerted; when victims should be notified; and what the notification letter should say.

Legal counsel can tell you what level of notification you’re entitled to. Not every data breach case requires that consumers or businesses be alerted. But not alerting has its own set of negative consequences.

When an incident does require notification, the information that follows must be considered: (these are general guidelines – review any and all steps with your attorney)

  • Treat all victims equally; all get notified, even if this means out of state. Not doing so can yield legal consequences or the media might pounce.
  • Though there aren’t really any notification laws regarding overseas victims, they too should be notified.

Notification

The sooner victims are alerted, the better. Under what circumstances, though, should victims be notified? The nature of the breach should be considered, along with type of information stolen and whether or not it may be misused, and the possible fallout of this misuse.

Damage from misuse can be significant, such as with stolen SSNs and names.

When in doubt, consult with legal counsel. Don’t be surprised if you’re informed that breached consumers must be notified; most states require this. And within 30 days. Some states mandate that the Attorney General’s office also be notified.

FTC Recommendations for Notification

  • Inform law enforcement when notification takes place so they don’t cross lines with it.
  • Also find out from them precisely what information the consumer notification should contain.
  • Select someone from your organization to manage release of information.
  • This contact individual should be given updated information concerning the breach, plus your official response, as well as guidelines for how victims should respond.
  • To aid victims’ communication options, consider providing a toll-free number, posting a website or mailing letters.
  • Explain clearly to victims just what you know of the breach. How did it happen? What information was stolen or compromised? How might the thieves misuse it? What actions has the organization taken for mitigation? What reactions are appropriate?
  • Make sure victims know how to reach the contact person.
  • Make sure the law enforcement official who’s working your case has contact information for victims to use. The officer should also know that you’re sharing this contact information.
  • Victims should ask for a copy of the police report, then make copies to give to credit card companies that have honored unauthorized charges.

What is a Data Breach and how do I protect Myself?

When protected, sensitive or confidential data is accessed or used by someone without authority, this is a data breach. This can involve any kind of data such as personal health, financial, or business related.

Not all data breaches result from hacking into a computer. One can breach data simply by peering over someone’s shoulder at the computer screen when they shouldn’t be. It can also be elaborately planned: A company’s new employee may actually be working for an extensive crime ring to steal data from the inside. Needless to say, a data breach can lead to identity theft (among many other problems).

In the workplace, especially retail, where credit cards are processed, the Payment Card Industry Data Security Standard is designed to provide retailers with guidelines to eliminate data breaches. In a healthcare workplace, HIPAA (Health Insurance Portability and Accountability Act) helps control who has access to personal health information.

How can you protect yourself?

  • As a consumer you must keep your operating system updated to the latest secure version.
  • Run antivirus, antispyware, antiphishing and a firewall.
  • Protect your wireless communications with encryption and use a VPN for portable devices.
  • Use secure passwords with upper/lower case and numbers.
  • In the event someone else is responsible for a breach, read very carefully any notification of a data security breach and don’t assume that the breach was accidental or that identity theft is not likely.
  • Use an identity theft protection product. It will scavenge cyberspace for any unauthorized use of personal information such as from your credit cards and Social Security number; will keep track of personal credit information; and will send an alert if suspicious activity is detected—maybe even prior to you receiving a consumer notification.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Half Billion Records Breached in 5 Years

In the late 90s and early 2000s, hacking had evolved from “phreaking” (hacking phone systems) to “cracking” (breaking into networks). At the time, hackers hacked for fun, for the challenge, and for fame and popularity within the hacking community. But soon enough, the public began spending more time online, shopping, banking, and managing personal affairs. Hackers are no longer wreaking havoc for its own sake, deleting files, or tormenting IT administrators. Now, they’re stealing proprietary data. Instead of fun and fame, today’s hackers are motivated by illegal financial gain.

Over the past five years, criminal hackers from all over the world have been targeting huge databases of Social Security and credit card numbers. The endgame for criminal hackers is identity theft. Once they obtain stolen data, their objective is to turn it into cash as quickly as possible. This either entails selling the data to identity thieves on black market forums, or using the information to create new accounts or to take over existing credit card accounts.

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

So when a so-called “identity theft expert” claims that you can protect yourself from identity theft for free, simply by shredding documents, not giving out your Social Security number, locking your mailbox, and monitoring your online accounts, that person does not have the full picture. You should take all these precautions. But when almost everyone’s personal information has been stolen or compromised once or twice, as a result of breaches that are entirely out of our control, it’s clear that you simply can’t protect yourself on your own. This is why identity theft protection is a must.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss an identity theft pandemic on CNBC. (Disclosures)