Posts

Courts side with Consumers in Data Breach

In general, courts don’t tend to side with consumers in data breach incidents. However, a federal court in Florida is the apple among the oranges. It approved a $3 million settlement for victims whose data was on a stolen laptop in December 2009, that contained personal health information.

2D

The laptops belonged to AvMed, a health insurer, and the unencrypted data involved records of tens of thousands of the company’s customers.

Though the consumer-plaintiffs suffered no identity theft or other direct losses, they blamed AvMed of breach of contract and fiduciary duty, negligence and unjust enrichment.

These claims were dismissed by the U.S. District Court for the Southern District of Florida, but the plaintiffs appealed. The U.S. Court of Appeals for the Eleventh Circuit remanded the case.

AvMed’s attempt for another dismissal went down the tubes, prompting the company to enter into settlement talks with the plaintiffs.

The agreement says that each victim will get up to $10 for every year they made an insurance payment to AvMed, with a cap at $30. This is money, say the victims, that AvMed could have spent on better data security. The agreement also requires AvMed to pay damages to anyone who gets stung with identity theft.

AvMed will also employ encryption and new password protocols, plus GPS technology for its laptops.

Apparently, this settlement is the first in which the awarded victims didn’t have to show tangible evidence of loss.

Traditionally, courts nationwide don’t take on such claims, and that a claim lacks merit if it’s based on the possibility of future damages rather than actual concrete losses that have already occurred.

The ruling serves as a precedent for future data breach cases, to support customers’ stance that a segment of their health insurance premiums should fund data security placements.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breach Notification Bill goes to the House

H.B. 224, a newly introduced data breach notification bill for New Mexico, would mandate that organizations notify breached individuals within 10 days of breach discovery (unencrypted credit card data); and within 10 business days notifying the state attorney general if more than 50 NM residents are affected.

4DThe bill allows for a shorter notification deadline and for card carriers to sue for recovery costs linked to the breach; and customers can sue for statutory damages.

Companies operating in NM will also have additional data security and data disposal requirements, due to the bill. Enacting H.B. 224 would make New Mexico join 46 states who have data breach alert laws.

Payment Card Breach

  • Within two business days: Time allowed for card issuers facing a breach to notify all the merchants “to which the credit card number or debit card number was transmitted,” according to H.B. 224.
  • H.B. 224 would also set a risk of harm threshold regarding when an alert is required for card breaches.
  • If the magnetic strip data or other information is revealed, yielding harm or risk of harm to the cardholder and compromise of access device data, the bill would require notification. The card issuer would not need to give approval or direction.
  • Card issuers can sue for recovery of administrative costs if a card reader is breached or if there’s a problem with strip data.

Data Security and Disposal

  • The bill would make companies “implement and maintain reasonable” security measures to ensure protection of personal identifying information from illegitimate access or other fraudulent action.
  • Businesses would also have to include these data security standards in contracts involving “non-affiliated third parties” that they share personal information with.
  • Personal data, however which way it’s contained, be disposed of such that personal identifying information would be impossible to read or decipher.

Enforcement

  • The bill would authorize the state attorney general to seek injunctive relief and recovery of damages via court.
  • Failure of a company to notify of the breach could result in harsh fines, if the bill is enacted.
  • Customers could sue for damages of $100 to $300, depending on circumstances.

Being accountable:

It may be just a matter of time before the Federal government steps in and decides PCI Standards might not fix client data protection problems. Businesses who see the writing on the wall are being proactive and making smarter investments in their customers security.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How Data Breaches happen and how to respond

Here’s four chief ways how data breaches happen:11D

  • Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems.
  • An inside job. Employees (past or present) can commit data breaches. Also, an innocent employee is tricked by social engineering into revealing confidential information or giving out access to that information.
  • Judgment lapse. An employee may leave data unprotected—not on purpose, but due to an oversight, making it easy prey for villains.
  • Device loss. When a device that contains valuable data is lost or misplaced, a thief could get ahold of it—and then all hell can break loose.


Prepare

Don’t wait for a breach to figure out a plan of action. Have the plan in place in anticipation of an attack. The plan should be built around written emergency contacts, clear guidelines to which law enforcement outfits should be contacted for resolution, and a notification timeframe.

Put in place vendor contracts that have a call center unless the company’s staff can handle a big data breach. The contracts should also include a mail-house for letters of notification, and previously agreed rates pertaining to consumer fraud protection should the business need to notify clients or customers.

Fighting back

When a breach occurs, consult with legal counsel, always. In addition, there are certain actions you must take. First, find out how the breach occurred, then contain it. Get a solution started to prevent it from striking again. Alert relevant employees.

Also notify external entities in a timely fashion such as law enforcement, a forensics investigator, consumers, FTC and any affected vendors and suppliers.

Additional Points

  • A strong prevention strategy for data breaching depends upon top management, to ensure that the company’s budget covers fiscal and personnel resources.
  • From the get-go, the company’s most high-up individuals should be included in devising any plans to protect against and mitigate data breaches.
  • Getting upper management involved is critical for establishing a solid groundwork for security.
  • Keeping up to date and re-evaluations should be carried out on an ongoing basis to always stay on top of the latest trends in data breach and security technologies.
  • Also ongoing should be training and practice of the company’s response plan to data breaching.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breaches hurt Businesses’ Brand

That very newsworthy data breach that’s still in the news struck 110 million customers, not the more commonly reported 40 million; that’s one-third of the U.S. population.

4HThere was also another, but less publicized, breach of huge proportions that occurred to a major retailer in mid-December of 2013. And some reports say another 6 or more retailers may be affected in a similar breach.

The major-news retailer that got kicked in the butt by cyber criminals has run full page newspaper ads apologizing for not effectively protecting customers’ data, and hoping to win back consumers’ trust and loyalty. Kind of sounds like the Tylenol poisoning scare in the 1980s when the drug maker went on a massive ad campaign to win back consumers’ trust.

But with each new revelation of more data being compromised and growing concern of additional fraud, has come more media and customer scrutiny resulting in compounded brand damage.

Trust and Security

Feeling secure and trusting the brand is a major force behind consumer loyalty. Prior to that massive December breach, the retailer was right up there with its huge competitors as far as meeting reasonable consumer expectations.

That data breach has severely tainted the retailer’s customers’ trust. The 2014 Customer Loyalty Engagement Index accesses the retailer’s brand engagement level to be about 6 percent.

Sales have plummeted since the breach hit the news. Recovery is expected to be slow and arduous, and social media is fueling the sensationalism. It can take years to build up trust, but just a few hours of news “going viral” to crush it.

All is not lost.

The adage “What doesn’t kill us makes us stronger” plays a vital role when companies embrace their failures, learn from them and do right by their customers. The next few months will have a serious impact on the future of the breached companies and every retailer who accepts credit cards for payment.

Now is the time to beat the drum of customer security and bring awareness to how your company protects customer data. Move up http://i.forbesimg.com t Move down

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

New Consumer Electronics Security Lacking

Early adopters of new technology often discover bugs, quirks, imperfections, and security issues before a product is widely adopted. That’s why I usually wait six to eight months for companies to fix their flaws.

Researchers discovered they could hack into Internet-ready HDTV’s. One of the top five best-selling TVs left its security process vulnerable to attack, allowing a hacker to compromise the data transmitted between the TV and websites that provide content. The report states that any website could be spoofed, and the spoofed site made to appear onscreen. The fake site could resemble a video download site, for example, and request credit card information for a movie purchase. Researchers also found that they were able to monitor data being sent from the TV to the Internet.

The New York Times reports:

“[This] test also illustrates what security experts have long warned: that the arrival of Internet TVs, smartphones and other popular Web-ready gadgets will usher in a new era of threats by presenting easy targets for hackers. As these devices become more popular, experts say, consumers can expect to run into familiar scams like credit card number thefts as well as new ones that play off features in the products. And because the devices are relatively new, they do not yet have as much protection as more traditional products, like desktop computers, do.”

Proposed solutions include software fixes and biometric authenticators, such as fingerprint readers and facial recognition technologies. Intel, the chip maker, recently bought McAfee a security software company , saying that they plan to incorporate McAfee’s security into gadget hardware.

In the meantime, consider waiting it out before you jump in. If already own this type of TV, be cognizant of the scam and beware of unauthorized charges to your card.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses another databreach on Fox News. Disclosures



Data Leakage is a Correctable and Solvable Problem

WNYT.com reports “the Social Security Administration in New York City says that 15,000 Social Security numbers were stolen by a subcontractor who was working in Office of Temporary Disability Assistance making computer infrastructure upgrades.”

In this case the culprit is a subcontractor and succeeded either because he had the contractor’s credentials/passwords and/or the files containing the SSN info weren’t encrypted.

The problem with protecting only with userid/passwords is well understood. Passwords are generally 123456 or otherwise easily cracked. Even if the password is a good one, chances are it is used on dozens of other sites that don’t do a good job of protecting it.

In this case the password gave a “good guy” access and he went rougue.

Some organizations think that deploying Full Disk Encryption (FDE) or File and Folder Encryption (FFE) provides them the desired security level. The point often missed is that even with Full Disk Encryption or File and Folder Encryption in place, users with correct credentials can access, copy, transfer/download to USB sensitive data without any problem.

I’ve said this before and I’ll say it again: Zafesoft can prevent such incidents from both of the above. Company administrators can remove access for a suspected malicious insider at any time and even if they have the physical file with them, it’ll be in encrypted format which they won’t be able to open.

Secondly, the Zafe technology travels with the information so they wouldn’t have been able to open the files even they were a legitimate user unless they were also using an approved laptop that has been registered and authorized with the company.

Moreover the moment they copied the data and tried to open it on a non-authorized laptop an alert would have gone to Company administrators alerting them of a possible theft and they could have prevented the incident from happening.

Robert Siciliano is a Personal Security and Identity Theft Expert. See him discussing another databreach on Good Morning America. (Disclosures)