Posts

Data Breach Notification Bill goes to the House

H.B. 224, a newly introduced data breach notification bill for New Mexico, would mandate that organizations notify breached individuals within 10 days of breach discovery (unencrypted credit card data); and within 10 business days notifying the state attorney general if more than 50 NM residents are affected.

4DThe bill allows for a shorter notification deadline and for card carriers to sue for recovery costs linked to the breach; and customers can sue for statutory damages.

Companies operating in NM will also have additional data security and data disposal requirements, due to the bill. Enacting H.B. 224 would make New Mexico join 46 states who have data breach alert laws.

Payment Card Breach

  • Within two business days: Time allowed for card issuers facing a breach to notify all the merchants “to which the credit card number or debit card number was transmitted,” according to H.B. 224.
  • H.B. 224 would also set a risk of harm threshold regarding when an alert is required for card breaches.
  • If the magnetic strip data or other information is revealed, yielding harm or risk of harm to the cardholder and compromise of access device data, the bill would require notification. The card issuer would not need to give approval or direction.
  • Card issuers can sue for recovery of administrative costs if a card reader is breached or if there’s a problem with strip data.

Data Security and Disposal

  • The bill would make companies “implement and maintain reasonable” security measures to ensure protection of personal identifying information from illegitimate access or other fraudulent action.
  • Businesses would also have to include these data security standards in contracts involving “non-affiliated third parties” that they share personal information with.
  • Personal data, however which way it’s contained, be disposed of such that personal identifying information would be impossible to read or decipher.

Enforcement

  • The bill would authorize the state attorney general to seek injunctive relief and recovery of damages via court.
  • Failure of a company to notify of the breach could result in harsh fines, if the bill is enacted.
  • Customers could sue for damages of $100 to $300, depending on circumstances.

Being accountable:

It may be just a matter of time before the Federal government steps in and decides PCI Standards might not fix client data protection problems. Businesses who see the writing on the wall are being proactive and making smarter investments in their customers security.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How Data Breaches happen and how to respond

Here’s four chief ways how data breaches happen:11D

  • Illegal access to information or systems. Personal Identifying Information (PII) data can be illegally accessed via technology such as computer hacking or infecting computers with viruses, Trojans or worms—leading to stolen data or malfunctioning systems.
  • An inside job. Employees (past or present) can commit data breaches. Also, an innocent employee is tricked by social engineering into revealing confidential information or giving out access to that information.
  • Judgment lapse. An employee may leave data unprotected—not on purpose, but due to an oversight, making it easy prey for villains.
  • Device loss. When a device that contains valuable data is lost or misplaced, a thief could get ahold of it—and then all hell can break loose.


Prepare

Don’t wait for a breach to figure out a plan of action. Have the plan in place in anticipation of an attack. The plan should be built around written emergency contacts, clear guidelines to which law enforcement outfits should be contacted for resolution, and a notification timeframe.

Put in place vendor contracts that have a call center unless the company’s staff can handle a big data breach. The contracts should also include a mail-house for letters of notification, and previously agreed rates pertaining to consumer fraud protection should the business need to notify clients or customers.

Fighting back

When a breach occurs, consult with legal counsel, always. In addition, there are certain actions you must take. First, find out how the breach occurred, then contain it. Get a solution started to prevent it from striking again. Alert relevant employees.

Also notify external entities in a timely fashion such as law enforcement, a forensics investigator, consumers, FTC and any affected vendors and suppliers.

Additional Points

  • A strong prevention strategy for data breaching depends upon top management, to ensure that the company’s budget covers fiscal and personnel resources.
  • From the get-go, the company’s most high-up individuals should be included in devising any plans to protect against and mitigate data breaches.
  • Getting upper management involved is critical for establishing a solid groundwork for security.
  • Keeping up to date and re-evaluations should be carried out on an ongoing basis to always stay on top of the latest trends in data breach and security technologies.
  • Also ongoing should be training and practice of the company’s response plan to data breaching.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Insecurity causes Customer Headaches

Imagine not being able to use cash for even the smallest purchases because your bank—still shaking from news of the recent retail data breach that affected at least 110 million accounts—has decided to block all customer transactions. This actually happened.

12DIn many recent interviews I have been asked the question numerous times “Is it time to go back to cash?” The answer is NO, but consumers should definitely have cash on hand. Not having cash will severely limit consumers in the event of a massive power outage and we are seeing that massive data breaches have big time negative effects too.

Large banks, in response to that 110-million-account breach, may be putting limits on card usage, and can have cards replaced relatively quickly. But smaller financial institutions do not have the means to replace cards quickly. They also lack budgets to cover potential breach incidents.

As a result, a customer may learn that their card is blocked from transactions that don’t involve a PIN. Many consumers got stung by this during the holidays. One customer reported he had to contact his bank first to confirm any online purchases. His card then gets unblocked for an hour, but then blocked again. Supposedly this ban has since been lifted.

In a litigious society, don’t bet against the possibility of consumers suing retailers for these kinds of consequences; it’s already begun happening. One woman filed a class-action lawsuit on Dec. 23, 2013, citing a giant retailer’s alleged failure to secure its data, leading to the massive breach.

Tips for Businesses

  • Always update. Your software should always be up to date. Thieves can easily overcome old software and invade your sensitive data.
  • Control access. Who has access to your servers? Do you know? Make sure that only trusted users/administrators have access.
  • App testing. If a custom application code is running on your servers, it should be tested for the top 10 security issues regarding web applications.
  • Be alert. Keep a tight rein on your server, and your cloud provider’s bill. A traffic surge that you don’t expect can signal a spam attack.

Don’t pass the buck. Business owners, and consumers as well, have been playing key roles in cyber crimes—though not with malicious intentions, but rather, being uninformed as well as not wanting to step up to the plate.

Stepping up to the plate is the only option retailers have in order to survive. The time to show your customers you are serious about preventing credit card fraud and the lengths you’ll go to protect their identities is right now.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Breaches hurt Businesses’ Brand

That very newsworthy data breach that’s still in the news struck 110 million customers, not the more commonly reported 40 million; that’s one-third of the U.S. population.

4HThere was also another, but less publicized, breach of huge proportions that occurred to a major retailer in mid-December of 2013. And some reports say another 6 or more retailers may be affected in a similar breach.

The major-news retailer that got kicked in the butt by cyber criminals has run full page newspaper ads apologizing for not effectively protecting customers’ data, and hoping to win back consumers’ trust and loyalty. Kind of sounds like the Tylenol poisoning scare in the 1980s when the drug maker went on a massive ad campaign to win back consumers’ trust.

But with each new revelation of more data being compromised and growing concern of additional fraud, has come more media and customer scrutiny resulting in compounded brand damage.

Trust and Security

Feeling secure and trusting the brand is a major force behind consumer loyalty. Prior to that massive December breach, the retailer was right up there with its huge competitors as far as meeting reasonable consumer expectations.

That data breach has severely tainted the retailer’s customers’ trust. The 2014 Customer Loyalty Engagement Index accesses the retailer’s brand engagement level to be about 6 percent.

Sales have plummeted since the breach hit the news. Recovery is expected to be slow and arduous, and social media is fueling the sensationalism. It can take years to build up trust, but just a few hours of news “going viral” to crush it.

All is not lost.

The adage “What doesn’t kill us makes us stronger” plays a vital role when companies embrace their failures, learn from them and do right by their customers. The next few months will have a serious impact on the future of the breached companies and every retailer who accepts credit cards for payment.

Now is the time to beat the drum of customer security and bring awareness to how your company protects customer data. Move up http://i.forbesimg.com t Move down

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

It’s Data Privacy Day, and It’s a Mess

Target continues to be tangled up in chains due to its December 2013 data breach that current estimates say affected 110 million customers.

2P Target is known as proficient and prolific in the use of mobile devices and other means for collecting consumer data. This proficiency has backfired, resulting in the retail giant struggling to regain consumer trust and brand name reputation, not to mention figuring out how this mess happened in the first place and how to prevent a repeat performance.

  • Was there a lapse in Target’s IT security?
  • Did “Big Data” go too far and get way too ahead of security?

And let’s not put all the focus on Target, either. What happened with Target is a sign of the times and perhaps a sign of things to come in this world of cyber transactions. The questions above should also be asked of Facebook, Google, Yahoo and others who waited until the fiasco involving Edward Snowden’s NSA scandal to better encrypt their user data.

Big Data is like a drug; so addictive you can’t get off it, and of course, a huge potential for danger. Companies like Facebook, Google and Twitter love to sell consumers’ data to advertisers—this is how these giants stay giants; otherwise, they’d shrink into nothing. And there’s no end in sight with Big Data. Big Data is on course to become the Big Bang Data—to forever expand consumers’ personal information into cyber space.

But all of these entities—retailers, social media, the government—need to take responsibility for what they’re doing with our data.

Just when you thought that your privacy couldn’t be violated any more, Big Data has now spread its tentacles into the realm of selling lists of sexual assault victims, people with AIDS and HIV, and seniors with dementia to marketers. The World Privacy Forum, in the midst of researching how data brokers gather up and sell consumers’ private information, discovered these lists, and unfortunately, there are more disturbing list categories that were uncovered. Marketers are actually purchasing this kind of data to target shoppers from every which way.

When are lawmakers going to catch up to Big Data and grab it by the horns?

In the meantime, consumers need to take control of their information online; it just takes one hacker to wreak havoc. Here are 6 tips every consumer should take to stay protected online.

#1 Install/update your devices antivirus, antispyware, antiphishing and firewall.

#2 Update your devices operating system ensuring the critical security patches are current.

#3 Password protect your devices and use strong passwords with upper/lower case, numbers and characters. Never use the same password twice.

#4 Protect your wireless communications from prying eyes with a virtual private network that encrypts your data. Hotspot Shield masks your IP address and prevents data leakage.

#5 Limit your exposure on social networks. Consider what you post and how it can be used against you by criminals, predators and your government.

#6 Before giving out your name, address, phone, email, or account numbers consider how it will be used and read the services terms of service and privacy policies.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.