Compliance Watch

Compliance Concepts

As we have described in many places and in many ways on this website, the regulatory environment is constantly evolving at virtually every level of government – all around the world. While we don’t pretend to understand every piece of the regulatory puzzle, we do understand this: the trend is toward more, tighter and tougher.

Our focus is on data that is either at rest or expired. It is here that we see ourselves offering the greatest expertise and value to our customers. And in this regard we intend to help you keep pace with the regulatory environment as it relates to this type of data.

Here you will find both a running log of news items and developments we find germane as well as FAQs that are largely based on the questions we receive from our customers every day. We invite your participation as well. Please submit your questions and observations to compliance@peakdataservices.com so that we can expand the dialog for the benefit of everyone.

Computer with patient data stolen from Jefferson, philly.com, July 30, 2010

“A laptop computer with health and personal information on 21,000 patients was stolen from an office at Thomas Jefferson University Hospital in Philadelphia in June.” more...

South Shore Hospital records lost for months, The Patriot Ledger, July 28, 2010

“A Pennsylvania company hired by South Shore Hospital to dispose of patient records outsourced the work to a second company, contributing to delays announcing the disappearance of 800,000 patients’ files.” more...

Organised crime behind 85 per cent of all data breaches, V3.CO.UK, July 28, 2010

“Organised crime accounted for 85 per cent of all data stolen in external attacks on companies, according to a report carried out by Verizon Business in conjunction with the US Secret Service.” more...

Loss of South Shore Hospital patient data highlights growing danger, The Patriot Ledger, July 25, 2010

“The disappearance of 800,000 patients’ records from South Shore Hospital spotlights the growing danger of medical identity theft, which is an increasingly popular target for organized fraud rings.” more...

Nearly 13 Million Have Been Hit With Identity Theft, Network World, July 21, 2010

“Nearly 13 million people have suffered from identity theft so far this year. That's ridiculous! Lax security threatens to hammer a nail in the coffin for privacy. So far in 2010, the Identity Theft Resource Center (ITRC) reports there have been 371 identity breaches that exposed 12,871,065 records in the United States alone.” more...

Data Loss Affects Thousands Of Patients, WCVB-TV Boston, July 19, 2010

“Back-up computer files containing personal, health and financial information of thousands affiliated with South Shore Hospital may have been lost by a professional data management company.” more...

Data breach reporting law set for four-year rollout, ZDNet UK, July 19, 2010

“A law forcing all organisations to publicly declare data breaches is expected to be in place in the UK within four years.” more...

Two Major Breaches Caused By Loss Of Physical Media, DarkReading, July 14, 2010

“Online attacks might be getting more sophisticated every day, but two incidents last week are reminding the industry that the loss of physical storage media is still among the most common causes of data breaches.” more...

Conn. AG, Health Net Reach Settlement Over Medical Data Breach, iHealthBeat, July 7, 2010

“On Tuesday, insurer Health Net reached a $250,000 settlement with Connecticut Attorney General Richard Blumenthal (D), who sued the company after it lost a computer hard drive in 2009, Dow Jones/Wall Street Journal reports.” more...

Aetna Apologizes For Mislaid Files, Insurance Networking News, July 6, 2010

“Some spring cleaning by Hartford, Conn.-based Aetna Inc. has resulted in a serious data breach for the health insurer. Aetna has acknowledged that paper files containing personal information, including name, address, Social Security number and date of birth, were inadvertently left in a file cabinet the company was disposing of as it moved offices. The files in the wayward cabinet were health plan dependent enrollment forms from the 2003 to 2007 period for people who worked for mid-sized employers and lived in New Jersey or Pennsylvania.” more...

American Air parent says worker data compromised, Associated Press, July 2, 2010

“American Airlines parent company said Friday the personal information of about 79,000 retirees, former and current employees has been compromised after a hard drive was stolen from its Fort Worth headquarters.” more...

39 Breaches in 1st Half of 2010, BankInfoSecurity, June 28, 2010

“Already in the first six months of 2010, financial institutions have been involved with more than half the total data breaches they suffered in 2009 - and experts don't see the pace decreasing.” more...

Protecting the data you don't even know you have, Computerworld, June 21, 2010

“Let's assume for a moment that Google's collection of Wi-Fi "payload" data really was unintentional. And that Google never used the data, didn't even know it was there and stored it securely. Is it actually a privacy leak if no one has looked at the private data?” more...

Connecticut AG probes Google over data breach, msnbc.com, June 21, 2010

“Turns out "our bad!" isn’t good enough for the government when it comes to last month’s revelation that Google Street View cars "mistakenly" captured content flowing over wireless networks.” more...

OCR: Patient Data Breaches Nearly Tripled Since February, iHealthBeat, June 14, 2010

“The number of entities that have reported major patient information breaches to HHS' Office for Civil Rights nearly tripled from 32 in February to 93 by June 11, HealthLeaders Media reports.” more...

Calif. Hospitals Hit With Stiff Data Security Fines, eSecurity Planet, June 14, 2010

“Five California hospitals were fined a total of $675,000 last week for failing to secure patient data, a development that signals a change in how state and federal governments are starting to hold companies and organizations accountable for their data security practices.” more...

AT&T security breach exposes iPad 3G customer data, ZDNet, June 10, 2010

“AT&T and Apple have suffered a major privacy breach, exposing the contact information of over 114,000 iPad 3G customers — possibly many more.” more...

£500K data breach fines not enough, V3.co.uk, June 9, 2010

“The recently sanctioned fine of £500,000 for organisations that fail to protect individuals' data is not enough, according to a poll undertaken by the Information Commissioner's Office (ICO) at a privacy event Tuesday.” more...

Insurer refutes liability on $3.3 million data breach, infosecurity.com, June 7, 2010

“A US insurer appears to be taking pro-active action to refute liability on a data breach that the University of Utah has been seeking to recover $3.3 million on. The case is being watched with interest by the world's insurance companies as it could set an important precedent on data breach/losses insurance, which is ostensibly covered in many business insurance policies.” more...

Data Security Remains Top Concern for CPAs, Survey Shows, Journal of Accountancy, June 3, 2010

“Data security will remain the most pressing concern for CPAs and their clients over the next 12 to 18 months, according to the AICPA’s 21st annual Top Technology Initiatives Survey, which was unveiled this week.” more...

Privacy Breaches May Expose More Social Security Data At Penn State, StateCollege.com, June 2, 2010

“As many as 25,572 Social Security numbers once stored on Penn State computer systems may have been exposed during security breaches in recent weeks, the university reported Wednesday.” more...

ICO warns of data breach risk, Broking.co.UK, May 28, 2010

“With the number of personal information data breaches reported to the Information Commissioner’s Office (ICO) reaching 1,000, the privacy watchdog is urging organisations to minimise the risk of mistakes.” more...

Asian firms can do more to protect data, ZDNet Asia, May 27, 2010

“Despite greater awareness among businesses in Asia on the need to protect data assets, security breaches seem to be on the increase across the region over the past year.” more...

Conservative legislation doesn't compel firms to inform victims of privacy breaches, Vancouver Sun, May 25, 2010

“Companies get to decide whether to tell their customers they've lost their personal information or hackers have stolen it, according to legislation tabled Tuesday by the Conservative government.” more...

Commerce Department opens a public discussion on private data, Federal Computer Week, May 19, 2010

“Online commerce offers terrific conveniences for consumers and massive growth opportunities for retailers. But it also poses complex issues for online businesses and consumer advocates alike, particularly over the role that the federal government should play in regulating how companies handle people’s personal data.” more...

FTC Reportedly Investigating Copier Data Security Concern, TMCNet, May 18, 2010

“The US Federal Trade Commission is reportedly investigating whether copy machine makers are properly warning their distributors, resellers and customers about the risks of sensitive data being accessed from the machines’ hard drives.” more...

Watch what data you store, or Massachusetts could get you, AZBiz.com, May 14, 2010

“More and more people are becoming aware of the term “personally identifiable information” (PII). It’s sensitive data that could identify a particular individual. It makes headlines as identity theft and data breaches exposing customer information. As a result federal, and especially state governments, are passing laws that affect businesses that store PII data on customers in any state.” more...

Heartland CIO: "I don't think software will ever be secure again.", FierceCIO, May 13, 2010

“Heartland Payment Systems isn't necessarily synonymous with "great security," these days. The company's colossal data breach, in which as many as 130 million credit and debit card numbers were compromised, has cost it $139.4 million so far. Approximately 18 months ago, Steven Elefant took over as CIO, and, perhaps unsurprisingly, much of his job is focused on encryption technology.” more...

Employees Put Personal Security, Interests Above Company's, Survey Says, DarkReading, May 12, 2010

“More than one-third say loss of personal information is top concern; only 29 percent concerned about loss of company data.” more...

Alberta becomes first province to enact data breach notification law, SC Magazine, May 11, 2010

“Alberta has become the first province to add a data breach notification requirement into its legislation. The new measures were added into its Personal Information Protection Act (PIPA) on May 1 and are now law.” more...

Hard drive containing data of 5,418 patients stolen from Kentucky hospital, HealthcareITNews, May 3, 2010

“A medical center in Kentucky is notifying 5,418 patients of a data breach that occurred when computer equipment, containing information on patients who underwent bone density testing, was stolen from its mammography suite. Hospital officials reported that the information on the hard drive was not encrypted, but was maintained in a locked, non-public, private area.” more...

Data breaches in U.S. cost more, NetworkWorld, Apr 28, 2010

“The average cost to an organization of a data breach in the United States is higher than in four other countries where data-breach costs were compared, specifically Australia, France, Germany and the United Kingdom, according to a Ponemon Institute report published Wednesday.” more...

Data breach notification law coming, says watchdog, ZDNet UK, Apr 27, 2010

“A representative of the Information Commissioner's Office (ICO) said on Tuesday that a European Commission review of data laws will require data-breach notification from a wide range of businesses.” more...

70% Of IT Security Pros Favor A Federal Data Breach Law, Security DarkReading, Apr 22, 2010

“Seventy percent of IT security professionals believe that the federal government should pass data breach / data privacy legislation that overrides the current patchwork of state legislation.” more...

Pair Of Fines Levied On Breached Companies Show Real Costs Of Database Hacks, Security DarkReading, Apr 22, 2010

“Two different companies in the past two weeks were fined by regulatory agencies for separate database breaches, totaling well over $1 million. The fines serve as a concrete and eye-opening example of what can happen to a business that fails to lock down its precious data stores, and also a warning that the toothless compliance mandates of yesteryear really do have bite now.” more...

Proposals for the destruction of data will help with computer recycling, SC Magazine, Apr 22, 2010

“Earlier this week, European Data Protection Supervisor (EDPS) Peter Hustinx called for producers to ‘build in' privacy and security safeguards to their solutions.” more...

Mississippi ratifies data protection law, InfoSecurity, Apr 20, 2010

“Mississippi became the most recent state to pass a data breach measure last week, leaving just four states without similar protections. However, the law does not permit citizens of the Magnolia State to sue for damages that result from a data breach.” more...

Does New Breach Law Have Teeth?, BankInfoSecurity, Apr 12, 2010

“In response to the Heartland Payment Systems data breach and similar incidents, Washington has become the third state to pass legislation incorporating the Payment Card Industry Data Security Standard (PCI) to help financial institutions recover costs from credit/debit card breaches.” more...

Data breach costs $2m per incident, AustralianIT, Apr 8, 2010

“One of the first comprehensive local surveys of data breach costs shows organisations sustained financial losses of almost $2 million on average per incident, with an average $123 spent to deal with each compromised record. The 2009 Australian Cost of a Data Breach study, conducted by US-based Ponemon Institute on behalf of data encryption specialist PGP, examined the actual financial losses incurred by 16 organisations from different industry sectors following a data loss, with breaches ranging from around 3300 to 65,000 lost or stolen records.” more...

Medical Data At Risk, InformationWeek, Apr 7, 2010

“A new study from the Healthcare Information and Management Systems Society reports that since January 2008, more than 110 healthcare organizations have reported the loss of sensitive patient data affecting over 5,306,000 individuals.” more...

Security driven by compliance, rather than protection, CNET News, Apr 6, 2010

“A new report by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, security programs are focused on compliance rather than data protection.” more...

John Muir Health to notify 5,450 patients of data breach, San Francisco Business Times, Apr 5, 2010

“John Muir Health, the Walnut Creek-based hospital system, said Monday it has begun notifying 5,450 patients by mail of a “potential breach of their personal and health information.” The move came after the theft two months ago of two laptop computers at the John Muir Physician Network Perinatal office in Walnut Creek, officials said April 5.” more...

Data protection fines ratchet up to £500K - Hundredfold increase to scare firms into shape, TheRegister, Apr 5, 2010

“From Tuesday 6 April, the Information Commissioner’s Office (ICO) will get enhanced powers to fine organisations up to £500,000 for serious breaches of the Data Protection Act. Previously the maximum fine was a paltry £5,000. The tougher measures will be imposed alongside compulsory audit notices to central government departments found culpable for data breaches. The new powers for the UK's privacy watchdog are designed to deal with serious personal data breaches that arise through negligent behaviour. Precautions an organisation had previously applied as well as the circumstances of a breach will be taken into account in deciding a fine.” more...

Budgeting For A Data Breach, StorefrontBackTalk, Apr 2, 2010

“It has been said that there are two kinds of systems in this world: Those that have been breached, and those that are going to be breached. If this premise is true, doesn’t it make sense for CIOs to budget for a serious data breach or similar contingency? So why aren’t you doing it?” more...

New Law Lets Banks Recover Data Breach Costs, eSecurity Planet, Apr 1, 2010

“Washington last week became the third state to pass legislation that will allow banks to recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with current Payment Card Industry (PCI) standards. The law, which goes into effect on July 1 in Washington, follows similar laws passed in the states of Minnesota and Nevada and marks a fundamental change in the way government and private sector industries assign responsibility and accountability for preventing identity theft.” more...

Data stolen from firm that handles student loans in Virginia, The Washington Post, Mar 27, 2010

“Personal data on 3.3 million people have been stolen from the company that guarantees student loans in Virginia and two other states, authorities said.” more...

Gonzalez Gets 20 Years in Hacker Case, eWeek.com, Mar 26, 2010

“Hacker Albert Gonzalez is sentenced to 20 years in prison for his role in hacking TJX, Barnes & Noble, OfficeMax and other retailers. He faces the possibility of more time behind bars when he is sentenced for his role in hacking a slew of other companies, including Heartland Payment Systems.” more...

HSBC Database Breach Highlights Lack Of Accountability For IT Super Users, DarkReading, Mar 25, 2010

“As new details continue to emerge this month about an initially undetected large-scale database pilfering by a former IT worker at HSBC, security experts hope it will highlight one of the most glaring weaknesses in many a financial institution's database protection scheme: poor accountability for IT super users.” more...

Data Protection Lands on Executives' Radar, Internet Evolution, Mar 24, 2010

“Risk and vulnerability are tough things to plot on a spreadsheet. Maybe that's why security hasn't always gotten the kind of attention or scrutiny it deserves in the "C" suites at midsized and large enterprises. To hear most security professionals tell it, CXOs have two states of being where enterprise data security's concerned: panicked and blissfully ignorant.” more...

Two New Bank Breaches Reported, BankInfoSecurity, Mar 23, 2010

“Two new breaches of debit card data have been reported by a pair of Ohio-based banks, raising the total number of banking-related data breaches to 22 so far this year.” more...

Taxpayer data at risk from IRS security flaws, CNET, Mar 23, 2010

“The Internal Revenue Service's failure to use strong passwords, install patches quickly, and adequately control access to computer systems and information makes the system vulnerable to insider threats and attacks from outside, a new government report concludes.” more...

As health data goes digital, security risks grow, Computerworld, Mar 22, 2010

“The amount of online private medical information is expected to grow from terabytes today to petabytes over the next four years, exposing electronic health records to ever more serious data breach threats.” more...

Data Breaches Are Heaviest at Hotels, The Wall Street Journal, Mar 18, 2010

“Hackers are now stealing credit-card data from hotels more often than any other industry, according to data-security companies.” more...

Card security scheme losing UK support, ZDNet UK, Mar 15, 2010

“Businesses are unconvinced of the benefits of a looming security standard for credit card payments. The Payment Card Industry Data Security Standard (PCI DSS) aims to cut credit card fraud by ensuring that companies which take card payments — such as retailers — have adequate security policies in place.” more...

New reports of data breaches - Thousands are left at risk in Mass, Boston Globe, Mar 13, 2010

“A number of companies, including Boston insurance giant John Hancock Financial Services, have in recent months reported stolen laptops and other breaches of data security, potentially exposing personal information about thousands of Massachusetts residents.” more...

Security breach at Atlanta VA hospital under investigation, Atlanta Journal Constitution, Mar 12, 2010

“The U.S. Veterans Affairs Office of Inspector General has launched a criminal investigation into a security breach of veterans' medical information at the Atlanta Veterans Administration Medical Center, according to an internal document obtained by The Atlanta Journal-Constitution.” more...

HSBC admits huge scale of Swiss data theft, TimesOnline, Mar 11, 2010

“An estimated 24,000 clients of HSBC Private Bank in Switzerland had personal details stolen in a data theft three years ago, a far higher number than originally thought and "highly likely" to include British customers, the bank acknowledged today.” more...

Arkansas National Guard Loses Hard Drive, eSecurity Planet, Mar 10, 2010

“An unencrypted backup storage drive holding the names, social security numbers and other unspecified personal information of more than 35,000 Arkansas National Guardsmen was discovered missing last month, the latest incident in a string of military security gaffes.” more...

Heartland breach still hitting banks, Finextra.com, Mar 8, 2010

“A bank in Colorado has begun blocking point of sale purchases over concerns debit cards may have been compromised by the massive data breach that hit Heartland Payment Systems in 2008.” more...

Are you sure you're prepared for a data breach?, SCMagazine, Mar. 5, 2010

“We've all seen the sobering stats: Nearly 500 major data breaches have been reported in the United States since the beginning of 2009, impacting more than 220 million records. And that doesn't even account for the many breaches that weren't publicly reported.” more...

Losing sleep over three data breaches in a year, Computerworld, Mar. 5, 2010

“Never mind three strikes and you're out. How about three strikes and I've got to ask myself if I even want to be in one of your hotels in the first place. The question arises after a third reported incident in 12 months involving the Wyndham Hotels chain. Granted, even the most security-conscious of companies can be victimized by hackers, but when you've had to cop to a third data breach in less than a year you'll have to forgive prospective customers for looking elsewhere for shelter. Or to pay in cash.” more...

Companies urged to share data breach information, SearchSecurity.com, Mar. 3, 2010

“Sharing information with law enforcement after a breach is critical to successfully battling increasingly sophisticated and organized cybercriminals, security experts said during a panel discussion at the RSA Conference.” more...

Verizon shares framework to gather, analyze security incident data, Computerworld, Mar. 1, 2010

“The idea behind the Verizon Business incident-sharing metrics framework, which underpins the company's highly regarded data breach investigation reports, is that those who do not learn from security incidents are doomed to repeat them.” more...

Amendments to Massachusetts Data Privacy Law Go into Effect Today, TMC.net, Mar. 1, 2010

“An onslaught of security breaches has prompted several states including Massachusetts to strengthen their data security regulations for businesses. Companies in Massachusetts that have personal information on even one state resident must now furnish proof to the state government that they are in compliance with data security standards, under the amended law that went into effect today, an article on Fosters.com states.” more...

Federal Trade Commission links wide data breach to file sharing, The Washington Post, Feb. 23, 2010

“The Federal Trade Commission said Monday that it has uncovered widespread data breaches at companies, schools and local governments whose employees are swapping music, software and movie files over the Internet.” more...

The Breach Notification Obligations in the Data Accountability and Trust Act, InformationLawGroup, Feb. 22, 2010

“The Information Law Group has been following various Federal data security bills as they wind their way through the House and Senate. In December 2009, the Information Law Group commented on the passage of the Data Accountability and Trust Act ("DATA") by the House. I was recently asked by Data Protection Law and Policy (an excellent publication out of the UK focusing on data security and privacy issues) to take a closer look at the data breach obligations of the current version of DATA. The end result was my article entitled: "Potential changes to the US breach notice risk landscape".” more...

Cutting corners in testing brings risk of serious data leak, Financial Times, Feb. 22, 2010

“Countless organisations, both in the public and private sector, have reported losing sensitive data in recent years – whether through leaving a laptop on a train or being subject to an external hack. With breaches still occurring, it seems many organisations still fail to take the necessary precautions to secure their data, despite the fact there are plenty of solutions available.” more...

Shell hit by massive data breach, ITPro.UK, Feb. 16, 2010

“A database containing contact details of 170,000 workers of oil giant Royal Dutch Shell has been emailed to campaigning groups opposed to the company’s activities.” more...

Meeting of the Minds - Data Security, Computerworld, Feb. 15, 2010

“Adam Shostack is co-author of The New School of Information Security, security specialist at Microsoft and ringleader of the popular Emergent Chaos blog. Forrester Research senior analyst Andrew Jaquith is former senior project manager at Symantec and former program director and cofounder of @stake.” more...

Breach Prevention is Critical as HIPAA Compliance Worlds Collide, HealthLeadersMedia, Feb. 12, 2010

“Privacy and security officers have to comply with more rules than ever. The Federal Trade Commission's Red Flags rule, existing HIPAA laws, and the new Health Information Technology for Economic and Clinical Health (HITECH) Act require that covered entities:
* Protect patient information with technical, administrative, and physical safeguards (HIPAA);
* Lessen the negative effect of unauthorized disclosure (HIPAA);
* Notify patients within 60 days of breaches that involve unsecure personal health information (PHI) and pose a significant risk of financial, reputational, or other harm (HITECH; enforcement effective February 17);
* Inform HHS of breaches (HITECH; enforcement effective February 17);
* Establish an identity theft prevention program with policies and procedures to detect, prevent, and mitigate identity theft (Red Flags Rule; enforcement effective June 1).” more...

Why Data Breaches Can Go Unnoticed By Their Victims, eWeek, Feb. 11, 2010

“An analysis of data breaches by Trustwave found just 9 percent were uncovered internally by the companies that were breached. The report mirrors other studies, and underscores the importance of having visibility into your IT environment as well as being able to correlate disparate events on a network.” more...

Calif. health officials apologize for data breach, San Jose Mercury News, Feb. 8, 2010

“California's Department of Health Care Services is apologizing to nearly 50,000 Medi-Cal recipients whose Social Security numbers were disclosed on the outside of envelopes.” more...

Security Chip That Does Encryption in PCs Hacked, ABC News, Feb. 8, 2010

“Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former U.S. Army computer-security specialist has devised a way to break those locks.” more...

Hospitality Industry Hit Hardest By Hacks, DarkReading, Feb. 5, 2010

“Hackers checked into hotel networks more than any other in 2009, and all organizations hit by attacks didn't discover breaches for an average of 156 days, according to a new report based on real-world attacks worldwide.” more...

Minn.-based Ceridian reports data security breach, Minnesota Public Radio, Feb. 4, 2010

“The names, Social Security numbers and bank account numbers of some 27,000 people were exposed when a hacker breached a Twin Cities-based payroll company's pay system.” more...

Highmark tells customers personal information lost, Pittsburgh Post-Gazette, Feb. 4, 2010

“Some 3,700 Highmark Inc. customers are being notified that documents bearing their personal information - including names and Social Security numbers - were lost and have yet to be recovered.” more...

Cost of a Data Breach - Dr. Larry Ponemon, Ponemon Institute, BankInfo Security, Feb. 2, 2010

“What's the cost of a data breach? The Ponemon Institute is out with its 5th annual "Cost of a Data Breach" study, and in an exclusive interview Dr. Larry Ponemon discusses: The current cost of a data breach - and how it's risen since 2009; Data breach trends across industry; What organizations should do to respond to or prevent breaches. Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.” more...

Health Net Sued Over Data Breach, Information Week Healthcare, Feb. 1, 2010

“The Connecticut attorney general has sued Health Net, claiming the insurance company failed to adequately protect the medical records of 446,000 customers whose private data was contained in a computer disk drive that was found to be missing last spring.” more...

'Data Privacy Day' Celebrated Today, PC Magazine, Jan. 28, 2010

“Thursday, January 28, 2010, is Data Privacy Day in North America and Europe. (Sorry I didn't get you a card. What's your address and social security number so I can send you one?).” more...

Third Annual UK Ponemon Study Shows the Cost of a Data Breach Continues to Increase, PR Newswire U.K., Jan. 28, 2010

“Privacy and information management research firm Ponemon Institute, together with PGP Corporation, a global leader in enterprise data protection, today announced the results of the third annual study into the costs incurred by UK organisations after experiencing a data breach. The "2009 Annual Study: UK Cost of a Data Breach" report, compiled by the Ponemon Institute and sponsored by PGP Corporation, found that each lost customer record cost on average 64 pounds Sterling in 2009, a seven percent increase on 2008's figure of 60 pounds. In 2007 the cost per lost record stood at just 47 pounds. Lost business due to reduced consumer trust was the main contributor to this expense, making up 29 pounds per record.” more...

Nation's toughest personal info law about to take effect, Government Computer News, Jan. 27, 2010

“Businesses that hold personally identifiable information on Massachusetts residents have one month to comply with what security experts are calling the toughest data security requirements in the nation.” more...

Data Security Is A Federal Issue Now, Network Computing, Jan. 27, 2010

“Just when you think you have dodged the data security bullet, here come the Feds. My view on data security of late has been that those who thought they needed to secure information have done it, and those who didn't were not in a big hurry to do it. Times are changing. The Federal Data Breach Notification Law that recently passed through the house is now on its way to the Senate and then on its way to you.” more...

National Archives Warns Former Clinton Staff, Visitors of Major Data Breach, Fox News, Jan. 27, 2010

“Personal information for 250,000 Clinton administration staff and White House visitors sent to the National Archives was compromised after a computer hard drive containing confidential material disappeared nearly a year ago, RollCall.com reported Wednesday.” more...

Feds to boost fines for health data breaches, San Francisco Business Times, Jan. 25, 2010

“Breaches of health data security, such as recent episodes involving missing laptops or storage devices at Kaiser Permanente and Health Net, could be subject to tougher federal regulations by mid-February — including up to $1.5 million in fines for privacy violations.” more...

Data breach costs top $200 per customer record, NetworkWorld, Jan. 25, 2010

“The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009.” more...

Heartland's $60M breach settlement offer not enough, lawyers say, Computerworld, Jan. 21, 2010

“Lawyers representing financial institutions in a data breach lawsuit against Heartland Payment Systems Inc are calling a recently proposed $60 million settlement offer from the company way too meager.” more...

Patient Data Safety Rules Widely Disregarded, Unenforced, Center for Public Integrity, Jan. 19, 2010

“As the federal government prepares to spend up to $27 billion in stimulus funds to promote electronic medical records, a health technology industry survey suggests that a number of hospitals, health clinics, and insurance firms are violating federal security rules on patient data and putting sensitive health information at risk.” more...

Drive, Patient Data Go Missing in California Theft, eSecurityPlanet.com, Jan. 15, 2010

“More than 15,000 Kaiser Permanente patients in Northern California this week are being notified that their personal information, including birth dates, addresses, phone numbers and medical-record numbers, was exposed last month after an unencrypted external storage drive was stolen from an employee's car.” more...

Health Net Sued for HIPAA Violations, Health Data Management, Jan. 14, 2010

“Connecticut Attorney General Richard Blumenthal has filed a lawsuit charging Health Net of Connecticut Inc. with violations of the HIPAA privacy and security rules following a large breach of identifiable medical records and Social Security numbers. Blumenthal's office believes this is the first lawsuit by a state's chief legal officer since the HITECH Act last year gave state attorneys general authority to prosecute HIPAA privacy and security violations.” more...

Half a million pound penalty introduced for personal data security breaches by the Information Commissioner's Office, SC Magazine UK, Jan. 13, 2010

“A £500,000 penalty has been introduced by the Information Commissioner's Office (ICO) for personal data security breaches. As revealed by SC Magazine last year, there are plans to increase the punishing powers of the ICO and an announcement revealed that it will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.” more...

Report reveals hacking to be top cause of data breaches in 2009, InfoSecurity, Jan. 12, 2010

“Although the total number of reported data breach incidents fell year over year in 2009, the number of compromised records was still estimated at over 222 million. For the first time this past year, malicious attacks, which include hacking and insider theft, overtook human error as the leading cause of data breach in the US. This is according to a recent report compiled by the Identity Theft Resource Center, a San Diego-based non-profit that tracks occurrences of identity theft.” more...

Bad publicity changing attitudes to data security, The Irish Times, Jan. 8, 2010

“NUMEROUS data-loss cases in headlines over the past two years have made Irish companies far more aware of privacy and data security policies and protections within their own companies, compared to their international colleagues.” more...

Beware Who Fixes That Broken Laptop, Forbes, Jan. 5, 2010

“Next time you spill a latte on your laptop or drop your hard drive, you may want to think twice about who you pay to salvage your data. You may recover your precious PowerPoint presentation--but you could lose something far more valuable.” more...

Medical/Healthcare Privacy and Fraud Outlook for 2010, HealthNewsDigest.com, Jan. 4, 2010

“You may not be aware of this, but medical-related fraud and identity theft are growing problems in America. With the exploding cost of healthcare, increasing bureaucratic administrative healthcare systems, and a large, aging Baby Boomer population requiring increased medical care, it would seem that we are entering into a kind of “perfect storm” for medical fraud.” more...

EWU exposes 130 000 student records, InfoSecurity-US.com, Jan. 4, 2010

“Eastern Washington University has notified present and former students of a massive data breach of its systems that could affect up to 130 000 people.” more...

Hacker pleads guilty to orchestrating Heartland credit card heist, SearchSecurity.com, Dec. 30, 2009

“A Miami-based hacker pleaded guilty this week for his role in orchestrating a series of massive data security breaches that bilked retailers and financial firms of tens of millions of credit and debit cards.” more...

Penn State Breach Continues University Data Woes, InternetNews.com, Dec. 29, 2009

“Penn State University gave its students an unwelcome gift over the holiday break, notifying some 30,000-plus students that a series of malware-induced data breaches at computers hosted at three different campus locations had exposed their personal information for an unknown period of time.” more...

We look back at the top security issues of 2009, including Conficker and more, ITProUK, Dec. 24, 2009

“Security is always a big issue in IT, and 2009 was no different, with Conficker attacking, the Heartland data breach breaking records, and more.” more...

Massachusetts's Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift, InformationLawGroup, Dec. 23, 2009

“While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer’s payment card data breach.” more...

The top 10 security threats of 2009, Reuters, Dec. 22, 2009

“2009 was a banner year for information security news. Rarely did a day go by where a data breach of some sort wasn’t announced. What would once have been headline news for at least a week now barely makes the ticker on the bottom of CNN. That being said, as we enter 2010 we are seeing more and more regulatory control, fines being levied, lawsuits being filed, and much more. Data security breaches are nasty business and should be avoided at all costs.” more...

Heartland Pays Amex $3.6 Million Over 2008 Data Breach, PCWorld, Dec. 17, 2009

“Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.” more...

The 2009 data breach hall of shame, Computerworld, Dec. 17, 2009

“If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures.” more...

Plugging The Government's Biggest Data Leak, Forbes, Dec. 16, 2009

“When David Ferriero was named head of the federal government's National Archive and Records Agency last month, he didn't just become America's most important librarian. He also took on one of the toughest tasks in government IT today: plugging the source of a continual stream of information leaks, including what may have been the biggest federal data breach of all time.” more...

Symantec CEO says data breach laws are coming downunder, Computerworld, Dec. 16, 2009

“Symantec has been advising the Australian government on forthcoming data breach notification laws, laws that the company's CEO Enrique Salem predicts will be passed in both New Zealand and Australia in the near future. The US-style laws require that customers be notified when a business has lost or compromised data linked to them. And that means many more data breaches become public, almost certainly damaging the reputation of companies affected.” more...

Businesses still plagued by data breaches, MassHiTech.com, Dec. 11, 2009

“As businesses face a March deadline under an oft-delayed state law to protect customer and employee personal information, data breaches affecting Massachusetts residents remain strikingly frequent.” more...

New Guilty Plea for Breach Mastermind, American Banker, Dec. 11, 2009

“Albert Gonzalez, the Miami man who pleaded guilty in September to charges related to the 2007 data breach at TJX Cos. Inc., pleaded guilty recently to additional charges that he engineered breaches at Heartland Payment Systems Inc., Hannaford Bros. Co., 7-Eleven Inc. and two unnamed retailers.” more...

Verizon report goes deep inside data breach investigations, SearchStorage.com, Dec. 9, 2009

“Hackers are using a variety of weapons and exploiting errors such as default passwords and weak or misconfigured access control lists (ACLs), according to the latest Verizon Business Data Breach Investigations Report.” more...

Blumenthal: Data breach more serious than first thought, TheDay, Dec. 7, 2009

“Attorney General Richard Blumenthal said today that a data breach affecting up to 450,000 Connecticut residents’ personal information was more serious than first thought. Blumenthal said an independent investigation has determined that two laptops involved in the Health Net data breach most likely were stolen.” more...

Health Net data loss second major insurer breach of 2009, Amednews.com, Dec. 7, 2009

“Health Net in November announced that thousands of its members and network physicians could be at risk for identity theft due to a lost portable disk drive that the company said had "gone missing" six months earlier. However, the disk drive containing millions of image and text files could only be interpreted with software proprietary to Health Net, spokeswoman Alice Ferreira said. "For a layperson it would be difficult to understand what was on the drive."” more...

Man loses fight against firm that suffered data breach, The Register, Dec. 3, 2009

“A Missouri man has lost his legal battle against an online prescription processor that suffered a security breach that exposed highly sensitive subscriber information. John Amburgy alleged that Express Scripts was negligent because it failed to adequately safeguard customer data, including names, dates of birth, social security numbers, and prescription drug histories. He argued that the breach in October 2008 that exposed an unknown number of subscribers' details put him at risk of identity theft for which he was entitled to compensation.” more...

11 Reasons Why Privacy Helps the Bottom Line, www.law.com, Dec. 2, 2009

“In dire economic times such as these, companies are scouring their internal functionalities seeking ways to run "leaner and meaner." Operations and personnel that do not ostensibly contribute to profit are at risk. And nowhere are employees more vulnerable than in New York City, the nation's center for financial services, an industry particularly devastated.” more...

Shredded patient records deliver a gift-wrapped data breach, ComputerWeekly.com, Nov. 30, 2009

“A Leicestershire businesswoman discovered shredded records of NHS patients, with some information still showing, in packaging material used to protect gift boxes. The records originated from Papworth Hospital NHS Foundation Trust in Cambridge, which is investigating the incident. Kerry Wilkinson of PennyDog Jewellery in Rothley, Leicestershire, found the patient records when she took delivery of the boxes and bags for her gift-wrapping service. It appears that the records were sent by the hospital to a solicitor which acts for patients, and were inadequately shredded before they turned up at the jewellers for use as packing for gift boxes.” more...

The Year Of The Mega Data Breach, Forbes, Nov. 24, 2009

“Glance at 2009's data breach statistics, and you might think the IT world had scored a rare win in the endless struggle against cybercrime. According to the Identity Theft Resource Center, government agencies and businesses reported 435 breaches as of Nov. 17, on track to show a 50% drop from the number of breaches reported in 2008. That would make 2009 the first year that the number of reported data breaches has dropped since 2005, when the ITRC started counting.” more...

Health Insurer Loses 1.5 Million Patient Records, Wired, Nov. 19, 2009

“A health insurer lost 1.5 million patient records last May but waited six months to disclose the incident. The data, which was stored on a portable disk drive that disappeared from the insurer’s office, was unencrypted and included patient Social Security numbers, bank account numbers and health data, according to the Hartford Courant. The disk also contained personal information on at least 5,000 physicians.” more...

Trashing IT Hardware the Responsible Way, TechNewsWorld, Nov. 19, 2009

“IT hardware that reaches the end of its usable life cannot be treated like common garbage. Improperly discarded equipment can come back to haunt an organization in the form of sensitive data breaches or environmental regulation violations.” more...

Healthcare Affiliates Unprepared For Data Breaches, InformationWeek Healthcare, Nov. 18, 2009

“Companies that do business with healthcare providers, including accounting firms and offshore transcription vendors, are unprepared to meet data breach obligations included in new federal regulation, according to a survey released Tuesday.” more...

Reports are being investigated of a major credit card scam in Spain, BBCNews, Nov. 18, 2009

“Anyone who used a Visa or Mastercard credit card when in Spain may have had their card data compromised. In Germany, as many as 100,000 cards are reportedly being recalled. UK customers will be contacted directly if they are thought to be at risk.” more...

T-Mobile in data breach scandal, FinancialAdvice.UK, Nov. 17, 2009

“The government’s privacy watchdog has today revealed that an employee of T-Mobile, one of the U.K.'s best-known mobile network operators, took the details of thousands of customers and ultimately they ended up in the hands of rival firms.” more...

Only Half Of CEOs Strongly Support Data Security Efforts, DarkReading, Nov. 17, 2009

“More than half of IT and security professionals worldwide believe their company's laptops and other mobile devices pose security risks to their organizations, and only half of them have CEOs who are strong advocates and supporters of data security efforts, according to a new report issued today.” more...

Companies Face Stiff Penalty For Data Breaches, eWeekEurope, Nov. 13, 2009

“Companies in the UK that suffer a data breach may run the risk of being fined up to £500,000, according to government plans announced this week.” more...

Federal data breach notification standard must pre-empt state laws, nextgov.com, Nov. 10, 2009

“Two Senate measures would regulate how both public and private sector organizations protect personal information and respond to data breaches, but the real impact of any federal standards will depend on whether they pre-empt existing state laws.” more...

Connecticut Attorney General Investigating BCBS Data Breach, iHealthBeat, Nov. 10, 2009

“On Monday, Connecticut Attorney General Richard Blumenthal (D) said he is investigating whether the BlueCross BlueShield Association violated state law by waiting nearly two months to inform affected individuals about a data security breach, the Hartford Courant reports.” more...

U.S. Alleges $9 Million Debit-Card Hacking Ring, The Wall Street Journal, Nov. 10, 2009

“Federal prosecutors alleged that members of an elaborate hacking ring broke into debit-card systems and stole $9 million from automated teller machines in hundreds of cities world-wide.” more...

Data breach notifications one step closer to law... again, ars technica, Nov. 9, 2009

“It's frustrating to be a consumer these days, especially knowing that your personal information could be exposed anytime there's a major data breach. Two new Senate bills aim to improve notification to customers when their information is exposed to thieves and, despite their shortfalls, experts are still holding out hope.” more...

NARA admits violating internal policy on personal info, FederalComputerWeek, Nov. 6, 2009

“The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans back to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them, according to a top NARA official.” more...

Senate Panel Clears Data Breach Bills, Government Health IT, Nov. 5, 2009

“The Senate Judiciary Committee Thursday approved two companion bills that would require businesses and government agencies to notify individuals of security breaches involving sensitive personally identifiable information. Both bills go to the Senate for consideration.” more...

HHS: tougher HIPAA rules apply Nov. 30, Government Health IT, Oct. 30, 2009

“The Health & Human Services Department today published a rule that strengthens its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) by aligning it with tougher privacy terms of the stimulus law.” more...

Data breach calculations fail to pay off, ZDNet U.K., Oct. 30, 2009

“With data breaches regularly making the headlines — from the Home Office to NHS Education for Scotland — it is right that the protection of information is taking centre stage. But the problem is there are so many reports on what a data breach could cost an organisation, too many hours are being spent trying to assess the return on investment (ROI) of any security deployment. Such calculations will only be a frustrating, time-wasting and ultimately fruitless exercise.” more...

Where to Find Coverage for Increasing Data Breach Exposure, Insurance Journal, Oct. 29, 2009

“Traditional insurance products are inadequate to cover the new types of events that can result from privacy invasion or misuse of technology. Neither standard property/business interruption policies nor the commercial general liability policy have provisions for losses arising out of the wrongful breach of data held by the insured. The risk of experiencing a data breach pervades all of modern society. Simply stated: all institutions that hold any sort of confidential data regarding any of their constituencies---are now held to this higher standard of care to protect their confidentiality. This obligation will only continue to increase in the coming years.” more...

FBI: National Data-breach Law Would Help Fight Cybercrime, PCWorld, Oct. 28, 2009

“A U.S. law that would require businesses to report data breaches to potential victims could help law enforcement agencies fight the growth of cybercrime, a U.S. Federal Bureau of Investigation official said Wednesday.” more...

Data breach alerts linked to increased risk of ID theft, SC Magazine, Oct. 28, 2009

“Consumers who have received a data breach notification letter are four times more likely than others to be the victim of identity theft, according to a survey released this week by Javelin Strategy and Research.” more...

Report Suggests Consumers Don't Understand Data Breach Notifications, Credit Union Times, Oct. 28, 2009

“A new report from Javelin Strategy and Research suggests that many credit and debit card holders fail to understand the importance of a notice saying that a credit card or debit card has been breached and do not protect themselves from fraud.” more...

Over 350 data breaches (U.K.) reported last year, ITPro, Oct. 27, 2009

“UK businesses reported 356 data breaches in the last year to the Information Commissioner’s Office (ICO). The statistics, obtained by Software AG using a Freedom of Information request, show that UK businesses reported 71 lost memory sticks or discs and 127 stolen laptops and other devices.” more...

Groups Take Opposing Stances on Data-Breach Notification Rule, iHealthBeat, Oct. 23, 2009

“On Thursday, the advocacy group Consumer Watchdog sent a letter urging HHS Secretary Kathleen Sebelius to repeal the agency's health data-breach notification rule, Health Data Management reports. The group said HHS' interpretation of the rule violates the original language Congress laid out in the federal economic stimulus package.” more...

Britain needs data breach notification laws, ITPro, Oct. 23, 2009

“Data breach notification laws will make a big difference to the speed at which UK businesses put security controls like encryption in place.” more...

Insurance firm loses tape with customer details, timeslive.com, Oct. 22, 2009

“Zurich South Africa says that it has lost a tape containing customer information data and advises customers to alert their banks of the potential risk of financial fraud.” more...

E-Health Records Put Patient Privacy At Risk, InformationWeek, Oct. 20, 2009

“Healthcare providers aren't adequately protecting patient privacy in implementing e-health records, according to a recent survey of healthcare IT managers. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year.” more...

NASA Told To Plug IT Security Holes, InformationWeek, Oct. 16, 2009

“NASA was hit with more malware than any other federal agency in 2007 and 2008, according to a new report issued by the Government Accountability Office. During that two-year period, NASA reported 1,120 security incidents, including the installation of malicious software on agency computers and unauthorized access to sensitive information, according to GAO. NASA laptops were stolen that stored unencrypted data on a prototype hypersonic jet (the X-51 scramjet) and test plans pertaining to a space telescope and lunar orbiter.” more...

UK lags behind trading partners in data security, report says, ComputerWeekly, Oct. 16, 2009

“UK businesses are lagging behind many of their overseas trading partners in protecting data, according to PricewaterhouseCoopers. Nearly half (49%) of UK executives do not know how many security incidents their organisations have experienced in the past year, the report said.” more...

Laptop containing doctors' personal data is stolen from car, The Chicago Tribune, Oct. 15, 2009

“About 800,000 doctors -- virtually every practicing physician in the country -- have been warned that their business and personal information may be vulnerable to a possible breach after an insurance trade group employee's laptop was stolen in August from a car in Chicago.” more...

Va. Lost Data for More Than 100,000 Students, The Washington Post, Oct. 14, 2009

“A flash drive containing personal information for more than 103,000 former adult education students in Virginia was misplaced last month, state education officials reported Wednesday.” more...

Schwarzenegger Vetoes Update to California Privacy Law, PCWorld, Oct. 13, 2009

“Governor Arnold Schwarzenegger has vetoed an update to California's landmark data-breach notification law, saying that the new bill would be too hard on businesses without adequately benefiting consumers.” more...

Data breach decision may go to Maine's high court, Computerworld, Oct. 13, 2009

“A federal judge in Maine is asking the state's Supreme Court to clarify whether consumers can seek restitution from merchants for the time and effort involved in changing payment cards and bank accounts after a data breach.” more...

Fast Action, Good Communication Key to Data Breach Prevention, Bank Systems and Technology, Oct. 12, 2009

“A data breach can have a serious impact on your business, costing an organization $4.1 million on average (Javelin Strategy & Research). Investing in data breach preparation up front will determine how and if a financial institution recovers after one occurs.” more...

BRIEF-2 lawmakers demand JPMorgan detail customer data breach, Forbes, Oct. 8, 2009

“U.S. Republican Reps. Joe Barton and George Radanovich in a letter to JPMorgan Chase & Co chief executive Jamie Dimon: * Ask bank about a lost data tape from one of the bank's offsite storage facilities which may contain customers' sensitive information. * Ask Dimon to respond by Oct. 31 with how many customers affected by the lost data tape, how many have been notified, and whether the affected customers were offered a one-year free enrollment in the Chase Identity Protection plan.” more...

Heartland, After The Hacking, InformationWeek, Oct. 7, 2009

“The data breach at Heartland Payment Systems was a disaster for the company. But after picking up the pieces, the company is looking ahead to a more secure future.” more...

Probe Targets Archives’ Handling of Data on 70 Million Vets, Wired, Oct. 1, 2009

“The inspector general of the National Archives and Records Administration is investigating a potential data breach of tens of millions of records about U.S. military veterans, after the agency sent a defective hard drive back to its vendor for repair and recycling without first destroying the data. At issue is a hard drive that helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled.” more...

Express Scripts: Breacher Moves To Prove More Records Breached, The Wall Street Journal, Sept. 30, 2009

“Express Scripts Inc. (ESRX), the object of a 2008 extortion attempt by someone threatening to expose the personal data of patients in its drug plans, recently learned that the perpetrator took steps to prove he or she possesses more member records.” more...

Old credit-card breaches still causing headaches for banks, consumers, NetworkWorld, Sept. 29, 2009

“When Citigroup's credit card division, out of the blue, sent Massachusetts resident Bill Laberis a replacement MasterCard with a new number and told him to immediately activate it, he got curious. Laberis called the 800 number and a recording told him "your number is changed because your card was stolen or compromised." He followed up with a Citi representative, who said his personal card hadn't been stolen, but that "hundreds of thousands of cards" are being replaced because credit-card information had been stolen from a database somewhere.” more...

Privacy groups blast new health care notification rule, SCMagazine, Sept. 23, 2009

“The new health care data breach notification law, which is set to go into effect Wednesday, has drawn harsh criticism from privacy advocates. Late last month, the U.S. Department of Health and Human Services (HHS) issued an interim final rule requiring health care organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations to notify individuals whose information has been breached. But privacy advocates contest a “harm threshold” provision of the interim final rule, which states that if a breach occurs, organizations should conduct a risk assessment and only need to issue breach notifications if they believe disclosure of the information “poses some harm to the individual.” more...

The tape storage end game: The pros and cons of recycling backup tapes, SearchDataBackup.com, Sept. 21, 2009

“As many tape backup users -- and all tape vendors -- will tell you, tape storage is the unsung, unglamorous mainstay of data retention. Despite the low and declining costs of disk storage, tape, which is comparatively cheap to buy and has low energy costs, remains one of the most economical ways to store and back up data. But what happens when you move up to a more modern format of tape, to disk backup, or simply choose to dispose of old tapes?” more...

Notification Rule on HIPAA Data Breach Effective Soon, HR.BLR.com, Sept. 16, 2009

“A rule requiring healthcare providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals of a breach of their unsecured protected health information will become effective September 23, 2009.” more...

Survey Finds Organizations Face Challenges in Readying for New Massachusetts Data Security Regulations, Reuters, Sept. 15, 2009

“According to a new survey conducted by Goodwin Procter LLP and the International Association of Privacy Professionals (IAPP), companies face three significant challenges - cost, time and number of vendors involved - in complying with new data security rules issued by the Commonwealth of Massachusetts earlier this year.” more...

A guide to storage decommissioning, ComputerWeekly, Sept. 14, 2009

“Organisations of any size should be looking at decommissioning as an ongoing rather than an ad hoc process if they are to fully realise the benefits. Sustainability is a topic that is being increasingly talked about in many organisations as they look to maximise the value of their IT. Certainly one area where the sustainability mantra should apply is when it comes to the decommissioning of servers and storage hardware.” more...

Chase Bank Notifies Customers of Breach, BankInfoSecurity, Sept. 11, 2009

“Chase Bank has sent out data breach notification letters to an undisclosed number of customers after a computer tape with customers' personal information was reported missing from a third-party vendor's storage facility. Tom Kelly, spokesperson for New York-based Chase, the commercial/consumer banking arm of financial giant JPMorgan Chase, says the vendor -- which he would not name -- confirmed it received and maintained the tape, and that its offsite facility had been searched thoroughly after the tape disappeared. Kelly would not say if the data on the tape was encrypted, but says its data can be read only with special equipment and software. "We have no evidence to indicate any of the information has been viewed or used inappropriately," Kelly says.” more...

67% of French Organisations Hit By One or More Data Breach Incidents Within Last Twelve Months, Reuters, Sept. 9, 2009

“PGP Corporation has announced the results of its inaugural annual study by The Ponemon Institute, identifying the steps French organisations are taking in order to safeguard their confidential data. The 2009 Annual Study: France Enterprise Encryption Trends study, which polled 414 security professionals at enterprises and public sector organisations, found that 67 percent of French organisations have been hit by at least one data breach incident within the last year, with 18 percent having been hit by more than five incidents.” more...

TJX agrees to settle another breach lawsuit for $525,000, Computerworld, Sept. 3, 2009

“TJX Companies Inc. has agreed to pay $525,000 to settle a lawsuit brought by several banks in connection with the massive data breach disclosed by the retailer in January 2007. The money will reimburse AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union, and Trustco Bank a portion of the expenses they incurred in connection with the breach, TJX said in a statement. As part of the agreement, the banks will drop all other claims against TJX. The discount retailer admitted no wrongdoing.” more...

Data leakage prevention going mainstream, Computerworld Security, Sept. 1, 2009

“Data leakage or data loss prevention systems have gradually entered the mainstream as their increasing maturity has allowed increasing adoption. From barely registering in our research two years ago, we now find different forms of DLP in about one-third of enterprises in Nemertes Research's spring 2009 benchmark study.” more...

Consumers can't yet count on companies to protect data from identity thieves, Philadelphia Inquirer, Aug. 31, 2009

“It happens all the time: You swipe a credit card to buy a new pair of jeans, pay for a fancy dinner or withdraw some cash. Each time a transaction occurs, a flurry of digits and codes moves from one location to another. And each time, you're putting your financial data in jeopardy.” more...

Under Pressure, Small Banks Outsource Security, Information Management, Aug. 24, 2009

“Facing increased pressure to improve their data security, a growing number of small and midsize banks are looking for outside help. Some have outsourced the entire job of information security management. Others have created new positions in-house to oversee data security, but are shifting much of the compliance tasks to systems hosted by vendors. Whatever lengths they go to, more companies will consider outsourcing, observers say, as auditors and regulators step up their efforts to ensure that banks of all sizes are safeguarding financial data.” more...

Massachusetts Data Protection Law Amended, Delayed - Again, GovInfo Security, Aug. 20, 2009

“Once again, Massachusetts is delaying the compliance deadline for its toughest-in-the-nation data protection rules. The new effective date is March 1, 2010. Saying that the state must balance the needs of consumer privacy protection with the needs of small business, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has also amended its data security regulations. Earlier this week the OCABR announced the revised rules will facilitate a "risk-based approach" to data security - an approach that is expected to help the small-business community.” more...

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information, U.S. Department of Health and Human Services, Aug. 19, 2009

“New regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached were issued today by the U.S. Department of Health and Human Services (HHS). These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).” more...

FTC extends breach notification to Web-based health repositories, SearchSecurity.com, Aug. 18, 2009

“The Federal Trade Commission has issued a rule that broadens the reach of data breach notification rules covered by the Health Insurance Portability and Accountability Act (HIPAA). The new FTC rule applies to companies that provide an online repository of health information, such as vendors that provide Web-based tools that track and maintain blood pressure readings and other health related data.” more...

TJX Hacker Charged with Heartland, Hannaford Breaches, Wired, Aug. 17, 2009

“The constellation of hacks connected to the TJX hacker is growing. Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.” more...

UPS encrypts laptops and smartphones after data breach, computing.co.uk, Aug. 12, 2009

“Parcel service UPS has encrypted all its UK laptops and smartphones, following a breach of the Data Protection Act last year. The firm has also signed an undertaking to assure the Information Commissioner’s Office that personal information will be kept securely in future. An unencrypted, password-protected laptop was stolen from a UPS employee while on business abroad in October 2008. The laptop, which was never recovered, contained the payroll data of 9,150 UK based employees, including personal, salary and bank details. All UK employees were notified by UPS of the theft and precautionary measures were organised.” more...

What to do in case of a data breach, ITPro, Aug. 11, 2009

“How to batten down the hatches after a data breach - is it possible to prevent further damage to your firm's reputation?” more...

Cloud Storage and Security Not a New Concept, Cloud Computing Journal, Aug. 7, 2009

“Articles and blog posts associated with security and cloud computing are a daily occurrence, unless some well-publicized breach occurs in the cloud. At that point the number of commentaries and discussions will increase exponentially, and then, over the following week, return to normal frequency.” more...

Universal imperatives for protecting data, SC Magazine, Aug. 7, 2009

“The Obama administration has urged closer cooperation between public and private sectors to address cybersecurity. Though collaboration between security vendors and practitioners across all sectors is a must, many cooperative efforts have been attempted and have met with only modest success. So what must be done to bridge the information-sharing gap between the public and private sectors and ensure that digital assets are properly protected?” more...

Improve data protection or face govt intervention, NetworkWorld, Aug. 5, 2009

“Enterprises in the Asia Pacific have been warned they need to sharpen up their data security or soon face the prospect of having governments forcing them to do so. Organisations of all types are facing a massive increase in data loss, and yet too many major enterprises lack a comprehensive data protection strategy across their complex networks.” more...

Civil rights office to enforce HIPAA security, GovernmentHealthIT, Aug. 4, 2009

“The Department of Health and Human Services (HHS) has taken steps it believes will make the monitoring and enforcement of health information security and privacy more efficient. HHS Sec. Kathleen Sebelius said in an announcement Aug. 3 that she transferred authority for the enforcement of the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) to the department’s Office for Civil Rights (OCR).” more...

How will California's tougher-than-HIPAA privacy laws impact U.S.?, FierceHealthIT, July 27, 2009

“As the recent case of records snooping at California's Kaiser Bellflower hospital demonstrates, state health data protection laws can be tougher than federal HIPAA law--and enforcement on the state-level can be tougher too, as the pair of six-figure fines suffered by the hospital suggests. And while California may be a pioneer, don't expect it to be the last. Expect states to crack down on health data privacy across the United States, at least if the California measures prove to have teeth, experts suggest.” more...

Network Solutions Hack Compromises 573,000 Credit, Debit Accounts, The Washington Post, July 24, 2009

“Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 accounts during the past three months, Security Fix has learned.” more...

What's German for 'Data Security'?, LAW.com, July 24, 2009

“Business starts with trust, which is why, when PETCO.com opened for business in 2001 to sell pet supplies to consumers, it made some reassuring promises. "At PETCO.com, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access," the Web site said. It also said, "Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it." If only that had been true.” more...

Leahy trying again with data breach bill, internetnews.com, July 23, 2009

“Senate Judiciary Chairman Patrick Leahy (D-Vt.) has reintroduced a data breach bill that would set tougher rules for government agencies and private sector firms regarding consumers' personal information. This will be the third time around the block for the Personal Data Privacy and Security Act, which has cleared the Judiciary Committee, but never come to a vote on the Senate floor.” more...

FSA fines HSBC £3.2 million, Reuters, July 22, 2009

“HSBC Holdings, Europe's biggest bank, was fined 3.2 million pounds on Wednesday for information security breaches, the biggest fine the country's financial regulator has ever imposed for data security lapses. The lapses include sending confidential data of 180,000 insurance policy holders through the post by unrecorded delivery and leaving customer data in open sacks in a reception area.” more...

MOD Admits Losing An Entire Server, eWeekEurope, July 21, 2009

“During 2008, the UK Ministry of Defence admits it lost an entire server from a secure building - as well as 1.7m individuals' personal data.” more...

Companies offer to pay breach fines, SC Magazine, July 21, 2009

“Two credit-card payment processors are offering to cover merchants' fines and penalties in the event of a data breach. However, the two companies, Heartland Payment Systems and Mercury Payment Systems, have different requirements that must be met before a merchant would qualify for coverage.” more...

Data Explosion Expands Breach Exposure, But Insurers More Open To Handling Risk, National Underwriter, July 20, 2009

“The problem with securing data and insuring its safety is that there is simply so much more stored electronically these days that opportunities for outside hackers or insiders to steal valuable, confidential information off a company’s computer systems are growing exponentially, according to those in the insurance industry who make it their business to cover this expanding exposure.” more...

Ruling limits class actions in data breaches, New Hampshire Business Review, July 17, 2009

“At a time when data breaches affecting large numbers of consumers are becoming more common, and 45 states have enacted breach notification laws, a recent ruling from the U.S. District Court for the District of Maine might make it even more difficult for consumers to successfully bring claims against stores that fail to protect their personal data.” more...

CEOs underestimate security risks, survey finds, Computerworld, July 15, 2009

“Compared to other key corporate executives, CEOs appear to underestimate the IT security risks faced by their own organizations, according to a survey of C-level executives released today by the Ponemon Institute.” more...

Lessons from Twitter's security breach, news.cnet.com, July 15, 2009

“Twitter's latest security hole has less to do with its users than it does with its staff, but lessons can be learned on both sides. In the case of Jason Goldman, who is currently Twitter's director of product management, the simplicity of Yahoo's password recovery system was enough to let a hacker get in and gain information from a number of other sites, including access to other Twitter staff's personal accounts.” more...

New Utah school district apologizes for lost employee data, Salt Lake City Tribune, July 13, 2009

“Canyons School District officials are investigating the disappearance of a thumb drive that may have contained the personal information of more than 6,000 current and recent employees. The flash drive is believed to have contained employee addresses, phone numbers, dates of birth and Social Security numbers.” more...

New Law Floods California With Medical Data Breach Reports, Wired.com, July 9, 2009

“California officials have received more than 800 reports of health data breaches in the first five months after a new state law went into effect January 1.” more...

UK data breach incidents on the rise, The Register, July 9, 2009

“Seven in ten UK organisations experienced a data breach incident over the last year, up from 60 per cent in the previous year. The third edition of an annual survey by the Ponemon Institute, sponsored by PGP, also found that 12 per cent of 615 public and private sector organisations probed were hit by five data loss incidents over the previous year. Less than half of these breaches (43 per cent) were disclosed publicly, while disclosure of the remainder was neither a legal nor a regulatory requirement.” more...

How and Why to Create Data Destruction Policies, Computerworld Hong Kong, July 8, 2009

“We are collecting data at ever-increasing rates as the costs of data storage go down. Why get rid of our beloved data when we can always buy more storage space? Some companies like Google love collecting and working with data, and these companies will rarely or never get rid of their data. But odds are your company is not like Google and does not need all of that old data. This column will focus on crafting an effective data destruction policy.” more...

Jubilee Managing Agency lost an unencrypted disk with data on 2,100 policyholders, www.itpro.co.uk, July 7, 2009

“The Information Commissioner’s Office (ICO) has taken action against an insurance company following a data breach affecting 2,100 policyholders. Kent-based Jubilee Managing Agency, part of Lloyd's, lost an unencrypted disk holding the information, and was forced by the ICO to sign a “formal undertaking” – essentially a promise to improve its data protection methods. The ICO blamed the breach on the firm’s lack of staff training and poor data handling procedures.” more...

A Treasure Trove For Hackers, IrishTimes.com, July 3, 2009

“Forensics experts at the Dublin office of consultancy Ernst & Young have found evidence that prominent companies in Ireland are allowing home-based employees to download sensitive company and client data to their personal computers. Second-hand computer hard drives containing sensitive information - including hundreds of customer bank, Laser and credit-card account details, car registration information, staff PPS numbers, internal corporate information and e-mail details - were purchased on Irish auction website eBay.ie from owners who, in most cases, had not even bothered to erase the drives.” more...

New consumer research underscores need for greater payment security measures, The RetailBulletin, July 2, 2009

“Growing awareness of data breaches that industry experts have been working to combat for years leads 62 per cent of consumers to feel particularly worried about using their card and PIN to make a purchase if the outlet had suffered a data breach. Eighty-four per cent say that companies that suffer a data breach should be required to make the incident public, reinforcing the idea that vendors and retailers run the risk of devastating their brand if a breach occurs.” more...

Deleting may be easy, but your hard drive still tells all, The Globe and Mail, July 2, 2009

“Digital storage of information has become ubiquitous. In 2003, the School of Information Management and Systems at the University of California, Berkeley, estimated that 92 per cent of new information was being stored on some form of magnetic media. As a result, digital forensics — the acquisition and analysis of digital information — has become an important legal tool.” more...

Registered Traveler: Lawmaker questions privacy, security of data, FederalComputerWeek, June 30, 2009

“A House committee chairman with jurisdiction over the Homeland Security Department is urging DHS' Transportation Security Administration (TSA) to get more involved in safeguarding personal data for about 165,000 people held by a defunct former partner in the Registered Traveler program.” more...

Northrop Grumman disks bought for $40 in Africa, internetnews.com, June 25, 2009

“It's not the first time a military institution has lost a hard drive. Earlier this year, the RAF lost a disk containing data about retired officers. Today, the CBC is reporting that Canadian journalists purchased several disks, including one containing military contracts between Northrop Grumman and the U.S. government, from a market in Accra, Ghana, in Africa, that they purchased for $40. Companies need to do everything right. They need to protect servers and data on end user PCs. They also need to dispose of hardware in the right way.” more...

TJX reaches $9.75 million breach settlement with 41 states, Computerworld, June 25, 2009

“More than two years after TJX Companies Inc. acknowledged that it was hit with a massive data breach, the Framingham, Mass.-based retailer agreed to boost its security measures and pay 41 states nearly $10 million to cover the costs of investigating the incident. Under the terms of the settlement announced yesterday, TJX will pay the states a total of $7.25 million for the investigations and will also create a $2.5 million data security fund available to the states for projects that "advance" effective data security and technology, the company said in a statement.” more...

Security Breach Leaves 45,000 at Risk of Identity Theft, The Cornell Daily Sun, June 24, 2009

“On Tuesday Cornell informed more than 45,000 current and former members of the University community that their sensitive personal information — including name and social security number — had been exposed when a University-owned laptop was stolen earlier this month. The breach exposes many Cornellians to the possibility of identity theft, and the University said it will provide protective services to those affected, including free credit reporting, credit monitoring and identity theft restoration services to those affected by the breach.” more...

Malicious Attacks Most Blamed in '09 Data Breaches, The Washington Post, June 19, 2009

“Rogue employees and hackers were the most commonly cited sources of data breaches reported during the first half of 2009, according to figures released this week by the Identity Theft Resource Center, a San Diego based nonprofit. The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008.” more...

Vets Can't Get Damages For Computer Breach, Associated Press, June 17, 2009

“Two Vietnam veterans are not entitled to damages from a 2007 Department of Veterans Affairs computer security breach in Birmingham, Ala., an appeals court panel ruled Wednesday. Jim Henry Perkins and Jessie Frank Qualls had to prove in their lawsuit that there were actual damages from the disappearance of a VA hard drive containing Social Security numbers and health care files of 198,000 living veterans, the 11th U.S. Circuit Court of Appeals panel said.” more...

Heartland CEO says data breach was 'devastating', Computerworld, June 17, 2009

“Heartland Payment Systems chief executive Robert Carr remembers what it felt like when he first heard about the massive data breach at his company earlier this year. "I wanted to throw up. It was devastating," says Carr, recalling how he felt upon realizing that one of his worst fears had come true. "People had asked me for years 'what keeps you awake at night' and I would keep telling them it was the fear of a data breach," he told Computerworld.” more...

Credit Card Processors Fail To Ensure Security For Consumers, redOrbit.com, June 15, 2009

“Banks and other financial firms that deal with consumer credit card information are lacking proper security measures despite meeting industry standards, according to an investigative report from the Associated Press on Monday.” more...

Former Employee Sues Aetna Over May Data Breach, Security DarkReading, June 12, 2009

“A former employee of Aetna Inc. has filed a class action lawsuit against the company following the breach of an employment Website that contained personal data and emails from some 450,000 current, former, and prospective employees.” more...

Should We Just Shut Up About Data Security?, Insurance Networking News, June 11, 2009

“At this year’s IASA Business Show and Education Conference I had the privilege of chairing a panel on what I believed was a critical topic for insurance enterprises, namely data security challenges for the insurance industry. Apparently others at the conference viewed the issue as important, too, since attendance at the session exceeded the registered roster by 25%. Imagine my surprise, then, when one of my learned panelists began bemoaning all the attention being paid to data security. His attitude—one I believe is increasingly being shared by many—was that people are tired of talking about data security, mostly because they believe there’s not much they can do about it.” more...

Stolen T-Mobile Data Not Hacked, Company Says, The New York Times, June 10, 2009

“A hacker called pwnmobile claims to have broken into T-Mobile’s servers and to have stolen confidential documents and valuable programming information. The company concedes that the hacker has some information, but none of it is damaging, and it wasn’t stolen through a hack, a spokesman said.” more...

T-Mobile confirms company records taken, USA Today, June 9, 2009

“T-Mobile has now confirmed that a hacker, known as "Pwnmobile," did, indeed, gain unauthorized access to its records and that the stolen data Pwnmobile posted here is authentic.” more...

Breach Data-Sharing Site Started, Securities Industry News, June 8, 2009

“The risk management technology company Intersections Inc. and the Identity Theft Assistance Center were expected to unveil Breachcenter.com today, a Web site where companies that have suffered a data breach can share their experiences.” more...

T-Mobile Investigates Alleged Data Breach, PC World, June 8, 2009

“T-Mobile is investigating a claim that a massive amount of internal data has been stolen from the telecommunication operator's servers, a company spokesman said Monday.” more...

Batteries.com, insurance firm report data breaches, Computerworld, June 2, 2009

“Batteries.com, an online seller of batteries for consumer electronics, and Aviva USA, one of the largest insurance companies in the world, have both reported data breaches in recent days. Both companies reported the data breaches to the New Hampshire Department of Justice in May, with Batteries.com reporting that 865 residents of New Hampshire may be affected. New Hampshire's population is about 0.4 percent of the entire U.S. population, meaning the number of affected U.S. residents could be much greater.” more...

Do Not Kid Yourself: You Don't Have To Be A "Tech" Company To Face Risk From Privacy And Data Security Claims, Metropolitan Corporate Counsel, June 1, 2009

“In this day and age, virtually every business is a "data" or "Internet" company by virtue of handling various types of personal information, and thus has exposure to privacy and data security related claims. Whether the claims arise from a "hacking" incident on a company's website or network, a misplaced laptop containing customer or employee information, or allegations of improperly collecting or using personal information, companies that have even transitory possession of customers' or employees' personal confidential information face potential liability and regulatory risk.” more...

National Archives Offers Reward for Missing Hard Drive, Washington Post, May 29, 2009

“The National Archives offered a $50,000 reward today for information leading to the recovery of a missing computer hard drive containing a large store of sensitive personnel data from the Clinton administration, including the Social Security numbers and other private information of White House employees in the 1990s.” more...

Cyber Attacks Continue to Grow, MSNBC, May 29, 2009

“Cyber espionage, attacks, breaches, viruses — they are all among the concerns President Barack Obama cited Friday when he announced he will create a new White House office of cyber security, with that cyber czar reporting to the National Security Council as well as to the National Economic Council.” more...

Aetna Contacts 65,000 After Web Site Data Breach, PCWorld, May 28, 2009

“Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach.” more...

U.K. Information Group Urges NHS To Overhaul Data Security Measures, iHealthBeat, May 26, 2009

“The United Kingdom's Information Commission has called for an overhaul of the National Health Service's security measures after the agency lost tens of thousands of patients' electronic health records, London's Independent reports. On Monday, the Department of Health confirmed that 140 security breaches occurred between January and April of this year. In addition, the information commissioner has taken action against 14 NHS facilities for security lapses during the past six months. The data breaches included stolen or discarded computers containing EHRs and missing discs with attached passwords to encrypted information.” more...

Royal Air Force Breach Exposed Potential Blackmail Data, eWeek Security Watch, May 26, 2009

“In case anyone thought the U.S. government was the only one with problems protecting information, the British Ministry of Defense (MoD) experienced a breach of its own last September when three portable USB drives went missing. The most interesting part however is not that data went missing - it's the nature of the information itself. According to BBC News, the missing records included personnel information from the Royal Air Force (RAF) with details of extra-marital affairs, debt, drug abuse and prostitution involving senior officers.” more...

Sensitive data missing from National Archives, Associated Press, May 20, 2009

“The National Archives lost a computer hard drive containing massive amounts of sensitive data from the Clinton administration, including Social Security numbers, addresses, and Secret Service and White House operating procedures, congressional officials said Tuesday.” more...

Congressional Committee Revives Data Security Legislation, Center for Democracy and Technology, May 18, 2009

“A House committee has revived data security legislation that has languished for the last several years. The legislation could provide some useful safeguards for the privacy and security of consumer data, but the incremental nature of the potential gains highlights the need for general baseline privacy legislation. Key members of the same committee have expressed their intention to work on such general legislation as well.” more...

Data Security Breaches Hit an All Time High, dBusinessNews Los Angeles, May 18, 2009

“Data theft has exploded in 2008 as the total number of records compromised stands over 285 million for 90 confirmed breaches – exceeding the four preceding years combined. A trend that is continuing according to a recent report from the Identity Theft Resource Center® (ITRC), a nonprofit which supports and educates consumers on identity theft. Breaches in 2009 already amount to over 1.5 million records compromised with more unreported cases on the horizon according to the ITRC’s report.” more...

Avoiding gotchas of security tools and global data privacy laws, SearchCIO.com, May 12, 2009

“IT practices such as identity management, email and URL filtering, virus scanning and electronic monitoring of employees can get companies that do business globally into a heap of trouble if deployed without an understanding of global data privacy laws.” more...

10 tips for secure computer disposal, ZDNet Asia, May 12, 2009

“If you're in charge of IT resources at an organization with more than a handful of computer users, you might need this advice for secure equipment disposal. Even in the best of times, computers get rotated out of use and we have to figure out how we should dispose of them. In a recession economy, people get laid off, systems running software with high licensing costs get decommissioned, and system breakdowns may lead to consolidation of functionality rather than repairs, perhaps increasing the rate at which we dispose of computer equipment. This can expose us to security threats if we aren't careful about how we do it.” more...

Missile data found on hard drives, BBC, May 7, 2009

“Sensitive information for shooting down intercontinental missiles as well as bank details and NHS records was found on old computers, researchers say. Of 300 hard disks bought randomly at computer fairs and an online auction site, 34% still held personal data.” more...
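The three items above on second-hand drives (the eBay.ie purchases reported by the Irish Times, the Globe and Mail piece on deleted files, and the computer-fair disks examined for the BBC) all rest on the same fact: deleting a file removes its directory entry, not the blocks that held the data, so anyone who reads the raw sectors gets the records back. The Python below is an added example written for this page, not code from any of the articles cited. It carves card-number-like digit runs out of a constructed four-sector image (the image layout, the record contents and the card numbers are all made up for the illustration; the two numbers that survive are the standard Luhn-valid test numbers) in the way a forensic examiner or a drive buyer would, and ends with the zero-fill check a disposal process should run before a drive leaves the building.

```python
import re
from typing import List, Tuple

SECTOR = 512


def _sector(payload: bytes) -> bytes:
    """Pad a payload out to one 512-byte sector (constructed test data only)."""
    assert len(payload) <= SECTOR
    return payload + b"\x00" * (SECTOR - len(payload))


# Constructed four-sector "disk image"; nothing here comes from a real drive.
# sector 0: filesystem metadata, with the entry for customers.csv already removed
# sector 1: the old customers.csv data blocks, 'deleted' but never overwritten
# sector 2: unrelated data containing digit runs that are not card numbers
# sector 3: a sector that was properly zeroed
SAMPLE_IMAGE = b"".join([
    _sector(b"FS metadata: customers.csv entry removed; its blocks were never cleared"),
    _sector(b"name,card,expiry\nA. Customer,4111111111111111,12/12\n"
            b"B. Customer,5500 0000 0000 0004,01/13\n"),
    _sector(b"asset tag 1234567890123456 serial 1234567890123 (neither is Luhn-valid)"),
    _sector(b""),
])

# 13-19 digits, optionally separated by single spaces or dashes, and not part of a longer digit run
PAN_RE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def carve_pans(image: bytes) -> List[Tuple[int, str]]:
    """Scan raw bytes (no filesystem parsing) for Luhn-valid card-number-like runs.

    Returns (byte offset, normalised digits). Because it reads raw sectors rather
    than walking the filesystem, it recovers records whose directory entries were
    deleted but whose blocks were never overwritten.
    """
    hits = []
    for m in PAN_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def unwiped_sectors(image: bytes, sector_size: int = SECTOR) -> List[int]:
    """Indices of sectors that still hold any non-zero byte.

    A pre-disposal sanity check after a zero-fill wipe: a drive that was
    actually wiped returns an empty list.
    """
    return [off // sector_size
            for off in range(0, len(image), sector_size)
            if any(image[off:off + sector_size])]


if __name__ == "__main__":
    for offset, pan in carve_pans(SAMPLE_IMAGE):
        print(f"sector {offset // SECTOR} offset {offset}: {pan[:6]}...{pan[-4:]}")
    print("sectors still holding data:", unwiped_sectors(SAMPLE_IMAGE))
```

On a real drive the same scan is run over a block-device image (for example one made with dd), and the hit list is the evidence that a "deleted" file was never destroyed; an empty list from the zero-fill check, not the absence of a directory entry, is what a disposal sign-off should require.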

LexisNexis says its data was used by fraudsters, Computerworld, May 1, 2009

“LexisNexis acknowledged Friday that criminals used its information retrieval service for more than three years to gather data that was used to commit credit card fraud. LexisNexis has started warning about 32,000 people that "a few" customers used its service to help them illegally obtain credit cards.” more...

Data breach CEOs should face jail: survey, CBR Security, Apr. 30, 2009

“A new survey of security executives has revealed that they believe CEOs and board members should face imprisonment for exposing consumers’ confidential data.” more...

Study: Many Employees Undermine Data Breach Prevention Strategies, InsuranceJournal, Apr. 27, 2009

“Many employees disable the encryption solutions on their laptops, putting their employers at risk for data breaches, according to a study by Absolute Software Corp. and the Ponemon Institute.” more...

Infosec 2009: Nine steps to halt data breaches, ComputerWeekly, Apr. 27, 2009

“The high-profile data-handling fiascos of recent months have underlined the importance of data protection. The loss of millions of child benefit records by HM Revenue and Customs, and the mislaying of laptops and security dossiers by MoD staff - as well as the recent disclosure of BNP members' details are part of the same problem - institutional failures to define and implement basic compliance procedures in line with the requirements of the Data Protection Act, writes Alan Calder, chief executive of IT Governance Limited.” more...

Typical lost or stolen laptop costs companies nearly $50,000, study finds, MercuryNews.com, Apr. 22, 2009

“A typical lost or stolen laptop costs employers $49,246, mostly due to the value of the missing intellectual property or other sensitive data, according to an Intel-commissioned study made public Wednesday.” more...

British Council found in breach of Data Protection Act, ComputerWeekly, Apr. 20, 2009

“The Information Commissioner's Office has found the British Council in breach of the Data Protection Act for losing an unencrypted disk containing personal data of more than 2,000 employees. The disk was lost in December 2008 while being transported by a courier service employed by the British Council, which reported the data breach to the ICO. Data on the disk included trade union membership and bank account details, which the ICO said could cause significant distress to the individuals concerned.” more...

Organized crime caused big data breach spike, says Verizon, NetworkWorld, Apr. 15, 2009

“A new study from Verizon Business claims that organized crime is responsible for a large increase in the number of breached corporate electronic records, which totaled roughly 285 million last year. According to the study, which Verizon Business compiled using data from the 90 confirmed corporate network breaches it recorded last year, roughly 93% of all records breached came from the financial sector. The company also says that nine out every 10 of these breaches involved "groups identified by law enforcement as engaged in organized crime."” more...

Why a national data breach notification law makes sense, CNET News, Apr. 14, 2009

“As of the end of December, 44 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted security breach notification legislation. While most of these laws are modeled on the original California legislation (SB-1386) that took effect in 2003, there are subtle differences in terms of deadlines for notifications, definitions, and civil penalties. Massachusetts and Nevada have gone the furthest so far by mandating that private data be encrypted in certain circumstances. Obviously, this creates a legislative mess that could be streamlined by one central federal regulation.” more...

Five Ways To Survive a Data Breach Investigation, Computerworld, Apr. 14, 2009

“Security experts say it all the time: If a company thinks it has suffered a data security breach, the key to getting at the truth unscathed is to have a response plan in place for what needs to be done and who needs to be in charge of certain tasks. And, as SANS Institute instructor Lenny Zeltser advised in CSOonline's recent How to Respond to an Unexpected IT Security Incident article, "ask lots and lots of questions" before making rash decisions.” more...

Less Than Half of Self-insured Organizations Addressing HIPAA, advance.com, Apr. 11, 2009

“Following far behind insurance companies and health care providers, only about 40 percent of self-insured organizations have started work on HIPAA security at their organizations, according to META Group, Inc.” more...

UK.gov delays new data breach powers, The Register, Apr. 10, 2009

“The government has failed to meet its own deadlines to bring in new powers for the Information Commissioner's Office (ICO) to fine companies who lose personal data. The Ministry of Justice won't say when it plans to publish the secondary legislation needed to set the fines or why it did not meet its March target.” more...

Heartland data breach damages still mounting, creditcards.com, Apr. 1, 2009

“More than two months after the first announcement of the Heartland Payment Systems security breach, the processor has continued to draw fire from merchants and issuers. Damages from what may be the largest PCI data breach in history continue to snowball into public relations disputes, lawsuits and government probes aimed at the company.” more...

Visa, MasterCard In Security Hot Seat, Forbes.com, Mar. 31, 2009

“Criminal hackers aren't just hard to catch. They're also hard to blame. In security breach cases last year, such as Hannaford Bros. supermarket and the card processing firm Heartland Payment Systems, the cybercriminals who gained access to millions of consumers' credit card details haven't been--and may never be--identified or prosecuted.” more...

55% of people would switch bank accounts over data breach, QCK.com, Mar. 31, 2009

“A new survey has shown that 55% of British bank account holders would switch to a different provider if their existing bank lost their personal details. The Ipsos MORI survey for ArmstrongAdams revealed that 19% of bank account holders were “certain” to switch accounts, with 22% saying they were “very likely” to switch, and 14% “fairly likely”. With the number of British bank account holders estimated at 43.2m, that would mean that just over 23 million people are “likely” to switch accounts if their existing provider were to lose their personal details.” more...

Concern about Secure Disposal Hampers Green Efforts, PCWorld, Mar. 29, 2009

“IT managers are concerned about where their electronic equipment is going after disposal because they are worried about sensitive data loss, not the environment, according to a new survey.” more...

Half of Irish cos have no data destruction policy - study, telecompaper.com, Mar. 27, 2009

“The Irish Computer Society's Privacy Forum has revealed that 94.2 percent of Irish organisations store personal data, while 57.7 percent transfer data to external organisations or individuals. However, 50.7 percent of respondents said they do not have a formal data retention or destruction policy. Regarding data breaches, about 31.6 percent of respondents said they have a formal data breach policy while 33.8 percent have an informal policy. Around 14.3 percent were not sure if there was a data breach policy in place at their firm and 20.3 percent said they do not have any data breach policy.”

Expert cites "major problem" with security policy compliance, NetworkWorld, Mar. 25, 2009

“Attendees at this week's SecureWorld Boston conference got a stern talking-to Wednesday morning: Keynoter Charles Cresson Wood said organizations need to get their information security policies in order or risk going down the tubes. The independent security consultant said too many organizations have security policies on paper only and don't really have the systems in place to ensure compliance. He reached back to the demise of Arthur Andersen and financial troubles at Cooper Tire as being caused in large part to problematic data destruction policies.” more...

London health authority put on notice over data breach, The Register, Mar. 24, 2009

“A north London health authority has been given until the end of the month to improve its information security policies following an embarrassing information security blunder last year. The Information Commissioner's Office has given Camden Primary Care Trust until the end of the month to pull up its socks following a breach of the Data Protection Act. The ICO's enforcement order comes after PCs containing 2,500 patients' names, addresses and medical histories were dumped beside a skip inside the grounds of St Pancras Hospital last August.” more...

Disposal Discipline: What do we do about all these PCs, now that their users have been laid off? CIO Magazine, Mar. 23, 2009

“Many companies have no well-defined process for decommissioning PCs, and those that do still aren't prepared to deal with so many at once. It's a security issue. A cost issue. An accounting issue. A mess.” more...

Disk with information on 200,000 visitors to Jackson hospital stolen, Miami Herald, Mar. 21, 2009

“The personal information of more than 200,000 visitors to Jackson Memorial Hospital over an 11-month period was on a hard drive that has been stolen, the hospital announced Friday.”

Recovery Act Extends HIPAA Reach, Adds Data Breach Notification Rules, itbusinessedge.com, Mar. 18, 2009

“The HITECH Act also adds data breach notification requirements. Though several states have such requirements, few have applied them to health information so far. And this is the first data breach notification requirement to come from the federal government, the writers say. HIPAA covered entities will have to notify patients and/or customers when their protected health information has been compromised. Business associates that experience breaches will have to notify the covered entities with which they have contracts.” more...

EU Data Retention Directive provokes widespread condemnation, vnunet.com, Mar. 13, 2009

“UK internet service providers will have to all store communication information from customers for a full year starting on 15 March, as part of the controversial EU Data Retention Directive. Under the directive, details of every email, phone call and text message sent or received, including information such as IP address and time of use, will have to be recorded.” more...

Massachusetts Data Protection Law: What Your Business Needs to Know, BankInfoSecurity, Mar. 10, 2009

“For the second time in four months, the Commonwealth of Massachusetts has pushed back the implementation of its new data protection law - one of the toughest in the nation. Yet even with the new deadline of January 2010, many of the businesses impacted by these stringent data protection requirements won't be compliant, say industry experts familiar with the new regulation.” more...

California bill spells out what companies have to say about data breaches, Computerworld, Mar. 9, 2009

“A co-author of the landmark data-breach notification law that took effect in California six years ago is now looking to add new requirements spelling out what companies have to tell affected individuals about breaches. The new bill, which was introduced by State Sen. Joe Simitian in December and is officially known as SB 20, also would require companies to report any data breaches affecting more than 500 California residents to the state's attorney general.” more...

Do Breach Notification Laws Work?, Wired, Mar. 9, 2009

“Consumers caught in a national epidemic of data spills are growing numb, discarding breach notification letters as junk mail rather than acting to protect their identity, experts say. And though most states now have laws requiring companies to warn breach victims, some serious breaches are still showing up on customer credit and bank statements before any official warning has been issued. It all begs the question: are the notification laws working? This was the question that a number of speakers at the Security Breach Notification seminar held in Berkeley on Friday tried to answer.” more...

Focus on data protection laws too narrow?, ZDNet Asia, Mar. 9, 2009

“Public sector security is not adequate just by relying on the government to legislate data protection--the private sector also needs to make the necessary investments to protect critical infrastructure. To look at public sector security holistically, Asian economies need to consider both infrastructure security and data security, Ilias Chantzos, Symantec's government relations director for EMEA (Europe, the Middle East and Africa) and Asia-Pacific and Japan, told ZDNet Asia in a recent interview.” more...

What's behind the rash of university data breaches?, Computerworld, Mar. 9, 2009

“Purdue University last month reported its seventh data breach in the past four years. But Purdue is hardly alone. According to my records, over 300 publicized privacy incidents have occurred at U.S. institutions of higher learning since 2001, with at least 53 colleges and universities experiencing multiple breaches (see table at end of article).” more...

Heartland Breach Bad As Tylenol Poisonings?, CIO, Mar. 7, 2009

“The data loss debacle at Heartland highlights the fact that information security will be the next major shareholder derivative and D&O liability issue, regulatory, consumer, and national security threat, and class-action litigation subject to impact our ailing economy.” more...

Lawmaker: Consumers need details in data breach warnings, CNET News, Mar. 6, 2009

“Six years after California enacted the country's first data breach notification law, many state residents have received letters warning them that their data was exposed by a breach but usually they don't know how or how long, experts said at a privacy conference on Friday.” more...

E-Commerce Fraud Leads To Lost Customers, InformationWeek, Mar. 4, 2009

“Stung by financial fraud, U.S. adults are reacting to losses by ending relationships with banks and curtailing the use of online e-commerce services. Roughly 7.5% of U.S. adults lost money as a result of financial fraud in 2008, largely because of data breaches, according to a Gartner study released Wednesday.” more...

Study: IT Chooses Security Over Green, InformationWeek, Mar. 3, 2009

“Where does all that "old" technology go? How prepared are U.S. companies to properly phase out millions of tons of laptops, desktops, cell phones, servers and other essential IT gear every year? Is being green the top motivator for IT managers in determining how e-waste is handled?” more...

More Visa and MasterCard accounts breached, USA Today, Mar. 3, 2009

“Visa and MasterCard are being circumspect about another breach of credit and debit card transaction data from yet another payment card processor.” more...

EU nations oppose extension of data breach notification law, Out-Law.com, Mar. 3, 2009
Early 2009 Shows Active FTC Data Security Enforcement; No Room For Lax Safeguards, Metropolitan Corporate Counsel, Mar. 2, 2009

“Over the last three years, the Federal Trade Commission ("FTC") has settled with fourteen businesses over alleged inadequate data security practices concerning how such businesses protect consumers' personal information. The start of 2009 makes clear that the FTC intends to continue its aggressive enforcement in this area.” more...

ID Theft Threat Grows With 1M Already Hit in '09, InternetNews, Mar. 2, 2009

“Identity thefts soared in 2008, and now 2009 is shaping up to be another banner year for phishers, hackers and other ID thieves. According to a new report from the Identity Theft Resource Center (ITRC), a nonprofit set up to support and educate consumers on identity theft, U.S. businesses and other organizations suffered 83 security breaches so far in 2009 -- potentially exposing the records of at least 1.1 million people.” more...

University admits to third data breach in three months, Computerworld, Mar. 2, 2009

“The University of Florida in Gainesville late last month disclosed that a breach discovered in January exposed personal data on 97,200 students, faculty and staffers who attended or worked at the school between 1996 and 2009.” more...

Heartland to vigorously defend breach claims, CEO says, SearchSecurity, Feb. 24, 2009

“Heartland Payment Systems, which announced a breach of potentially millions of credit and debit cards last month, said it plans to vigorously defend itself against lawsuits filed against it as a result of the data breach. In a filing with the Securities and Exchange Commission, Heartland Chairman and CEO Robert Carr acknowledged the claims that cardholders, card issuers, the credit card brands, regulators, and others have asserted, or may assert, against the payment processor as a result of the breach and the impact it could have on the business. Several class action lawsuits have been filed against Heartland, claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems. He said the company could not "reasonably estimate the potential impact of the breach on the day-to-day operations" of the business.” more...

Heartland Data Breach: 500+ Institutions Affected, Bank Info Security, Feb. 24, 2009

“The number of financial institutions that stepped forward to say their customers' credit or debit cards were compromised because of the Heartland Payment Systems (HPY) data breach has now reached more than 500.” more...

Why Information Must Be Destroyed, CSO Online, Feb. 24, 2009

“The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security.” more...

Policy needed for data breach response, FederalComputerWeek, Feb. 20, 2009

“The federal government should establish a basic policy that outlines how organizations respond to data breaches, some observers say. The lack of consistent national requirements for data breach notifications has prompted more than 40 states to enact their own laws, which vary widely, said Lisa Sotto, head of the privacy and information management practice at law firm Hunton and Williams and an expert on privacy and data security.” more...

Group Spots Giant Hacks by Combing Small Newspapers, Wired, Feb. 19, 2009

“Days before Heartland Payment Systems admitted to a computer intrusion that likely exposed hundreds of thousands of consumers to fraud, a group of volunteer security professionals sniffed out the truth on their own. For years, researchers with the nonprofit Open Security Foundation have been scouring press reports, bank websites and other sources for information on consumer data spills, tallying more than 394 million records lost or compromised in 1,700 incidents since 2000.” more...

Citi latest bank to replace cards following breach, BusinessWeek, Feb. 19, 2009

“Citigroup Inc. has started sending replacement credit cards to its customers, apparently in response to a massive security breach at a payment processing company. Heartland Payment Systems Inc. revealed on Jan. 20 that its system used to process Visa, MasterCard, American Express and Discover Card transactions was breached late last year.” more...

Economic Stimulus Package Ratchets up Privacy and Security for Health Information, ComplianceHome, Feb. 19, 2009

“The new economic stimulus package provides over $19 billion to support and promote the adoption of electronic health records (EHRs) for all Americans by 2014. With this added momentum comes concerns about the privacy and security of EHRs, particularly in the hands of health record exchanges, which are not directly regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new legislation is loaded with requirements, new enforcement provisions and penalties for covered entities, business associates, vendors and others.” more...

Best Buy’s recycling program does not accept storage media, TechRepublic.com, Feb. 19, 2009

“...Best Buy stores will not take possession of customers’ personal data - this includes camera and computer discs/CDs/DVDs, hard drives from laptops or desktop PCs, or any other device that could contain customer information.” more...

CVS pays $2.25 million HIPAA settlement, SearchSecurity.com, Feb. 18, 2009

“CVS Caremark Corp. has agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations when pharmacy employees threw items such as pill bottles with patient information into the trash.” more...

Why security breach notification laws are a good thing, Out-Law.com, Feb. 17, 2009

“OPINION: Most US states have data breach notification laws, but the UK Government said recently that it doesn't want one here. Here, security guru Bruce Schneier explains why he's a fan of breach notification laws.” more...

Massachusetts extends compliance deadline on data security rules — again, Computerworld, Feb. 13, 2009

“For the second time in three months, Massachusetts officials have pushed back the deadline for companies to comply with a controversial set of data security regulations that the state announced last September.” more...

Should companies own up to losing your data?, silicon.com U.K., Feb. 13, 2009

“Since the government's loss of 25 million child-benefit recipients' details in 2007, the UK has held its hands up to millions more sets of personal data going astray.” more...

Hard drives bought on e-Bay contain sensitive personal, corporate data, Exchange Magazine, Feb. 12, 2009

“A New York computer forensics firm has found that 40 per cent of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive information – everything from corporate financial data to the Web-surfing history and downloads of a man with a foot fetish.” more...

The Massachusetts Data Privacy Law Debacle, InformationWeek, Feb. 12, 2009

“I'm not sure that anyone would question the need for increased vigilance when it comes to protecting our private customer/employee data and intellectual property from data thieves. As information security professionals, it's not only in our best interests to protect our data at all reasonable costs, it's our job. But what happens when progressive governments like the state of Massachusetts and the state of California begin drafting legislation that essentially mandates PCI-like compliance for ALL businesses in Massachusetts? My prediction...Mass Hysteria, and court challenges out the wazoo (is that a real word?).” more...

Data Breach at FAA; Obama Reviews Government Cybersecurity Efforts, Security Management, Feb. 10, 2009

“The Federal Aviation Administration has fallen prey to hackers looking to steal personal information, just as President Barack Obama on Monday ordered a 60-day review of the government's cyber-security policies.” more...

How to avoid 5 common storage mishaps, Webwereld, Netherlands, Feb. 9, 2009

“Think you can guess the No. 1 threat to the security of your stored data? If you said hackers, or even trouble-making insiders, you'd be wrong. While malicious threats are an ongoing concern, it's your well-meaning employees who are more likely to unknowingly expose your company's stored data through, say, a file-sharing network or a misplaced laptop.” more...

Six myths about movable media storage, Webwereld, Netherlands, Feb. 9, 2009

“Every few months, there's another horror story about lost tapes or stolen laptops, and we're left wondering if the information stored on the missing media will be put to some nefarious use, thereby adding personal injury to a public relations insult.” more...

How to recover from a data breach, silicon.com U.K., Feb. 9, 2009

“These days the headlines are full of stories about data being stolen from major organisations - in both the private and public sector. Though every exec hopes they'll never experience such an incident, it's best to be prepared, just in case. So what do you do after a data breach?” more...

Heartland Data Breach: More Than 100 Institutions Impacted - Bermuda, Canada and Guam Now Report Effects from Breach, bankinfosecurity.com, Feb. 9, 2009

“By the latest count, the number of institutions that have informed their card customers and members that they were hit as a result of the Heartland Payment Systems (HPY) data breach has swelled to 124.” more...

Data breaches by public and private companies rise as recession starts to bite, www.telegraph.co.uk, Feb. 9, 2009

“The rate is an increase on the previous year, prompting fears that fewer firms and public sector organisations are taking care of personal information because of the recession. In total, 99 data breaches - where organisations lose people's personal details - were reported to Richard Thomas, the information commissioner, in the three months to the end of December.” more...

Data-breach lawsuit follows $9 million heist, SecurityFocus.com, Feb. 6, 2009

“Three law firms filed a class-action lawsuit against payment processor RBS Worldpay this week, following reports that an intrusion into the company's network resulted in the brazen theft of $9 million from ATMs in 49 cities worldwide.” more...

Geeks.com operator settles data breach complaint, NetworkWorld, Feb. 6, 2009

“An online seller of computer supplies and consumer electronics has failed to adequately protect customer data and will have to submit to outside audits for 10 years in a settlement with the U.S. Federal Trade Commission.” more...

Legislation aims at data breach notification, Daily Times (Pennsylvania), Feb. 6, 2009

“State Sen. Dominic Pileggi, R-9, of Chester, recently re-introduced legislation that would require state agencies to notify the public about data breaches involving personal information within one week. Current state law only allows for notification “without unreasonable delay.” Pileggi, the Senate majority leader, introduced similar legislation last year. That bill passed the Senate unanimously, but the state House did not consider it.” more...

UK data breach costs swell - PGP-sponsored estimates far exceed TJX reality, The Register, Feb. 4, 2009

“The cost of data breaches for UK firms has risen from an average of £47 per record in 2007 to £60 ($86) in 2008, according to a new survey. But figures from a Ponemon Institute study, sponsored by PGP, are orders of magnitude higher than losses booked following the infamous TJX security breach, raising questions over how much weight can be placed on the figures.” more...

Data Loss Costing Companies $6.6 Million Per Breach, InformationWeek, Feb. 3, 2009

“The total average cost of a data breach last year reached $202 per record, a 2.5% increase since 2007, a study published Monday revealed.” more...

State Reaches Settlement With BNY Mellon - 600,000 Residents Affected By Identity Breach, www.wfsb.com, Feb. 3, 2009

“A settlement has been reached regarding the 2008 identity breach that affected more than 600,000 Connecticut residents. The Connecticut Department of Consumer Protection, Connecticut Department of Banking and Bank of New York Mellon reached the agreement with an assurance of voluntary compliance signed last week by the bank and two agencies on behalf of the state. The move concludes the investigation of BNY Mellon for the loss of a backup tape containing personally identifiable information.” more...

New Disk Encryption Standards Could Complicate Data Recovery, Computerworld Security Online, Feb. 3, 2009

“When the world's largest disk-makers joined last week to announce a single standard for encrypting disk drives, the move raised questions among users about how to deal with full-disk encryption once it's native on all laptop or desktop computers. For example, what happens if a user loses a password -- essentially leaving the drive filled with data that can no longer be unencrypted? Or what if a drive becomes corrupted or damaged, the data has to be recovered by a third party -- and your password is on the drive?” more...

Data breach costs, customer churn up a bit; Repeat offenders abound, ZDnet.com, Feb. 2, 2009

“The cost of a data breach runs companies $202 per compromised record, up 2.5 percent from $197 per record in 2007 and up 11 percent from 2006, according to research from Ponemon Institute.” more...

Encryption standards are here - but not for flash or tape, The Register, Jan. 30, 2009

“Multi-vendor standards for self-encrypting storage devices are emerging through the Trusted Computing Group. But flash and tape drives are not included in them.” more...

Is having a security policy in place nine-tenths of the law?, SC Magazine, Jan. 29, 2009

“Most large organizations maintain a detailed corporate security policy document that spells out the “dos and don'ts” of information security. Once the policy is in place, the feeling is of having achieved “nine-tenths of the law,” that is, that the organization is in effect “covered.” This is a dangerous misconception. Because much like in the world of law and order, while creation of law is fundamental, implementation and enforcement of law is what prevents chaos.” more...

VA agrees to pay $20M in laptop theft case, FederalComputerWeek, Jan. 28, 2009

“The Veterans Affairs Department has agreed to pay $20 million to settle a lawsuit filed by veterans over the risk of potential identity theft when a VA laptop PC that contained their sensitive information was stolen in 2006. The laptop contained files with personally identifiable information on millions of veterans, such as names, birth dates and Social Security numbers.” more...

First lawsuit filed in Heartland data security breach, SearchSecurity.com, Jan. 28, 2009

“A Pa.-based law firm has filed a class action lawsuit against Heartland Payment Systems, claiming the payment processor issued belated and inaccurate statements when it announced Jan 20 that its systems were compromised by a hacker in 2008.” more...

Heartland Payment Systems data breach claims a victim: me, CreditCards.com, Jan. 28, 2009

“When I learned last week about what may have been the world's largest payment card data breach, I knew there were going to be potentially millions of victims. What I didn't expect is that I may be one of them. This Monday afternoon, I opened my mailbox to find a letter from my issuer, Bank of America. Inside was a shiny, new replacement debit card.” more...

Monster Breach Shows Security Needs Rethinking, InternetNews.com, Jan. 28, 2009

“For some security experts, the recent data breach at job site Monster.com comes as no surprise, and they say enterprises need to reconsider their approach to security.” more...

Records of 800 patients go missing, www.newsletter.co.uk, Jan. 28, 2009

“A computer containing the medical records of more than 8,000 Co Londonderry patients has disappeared, it was revealed yesterday. The tape was sent from the Garden Street medical practice in Magherafelt to an IT company in London which was updating the practice's system. A courier picked up the details on December 5, but they never arrived.” more...

MoD admits 440 computer data devices have been lost or stolen, The Herald (Scotland), Jan. 26, 2009

“The Ministry of Defence admitted yesterday that 217 of its laptops, 47 desk-top computers, 80 hard drives and 96 memory sticks were lost or stolen during 2008, despite a high-profile security crackdown launched last summer.” more...

Report: Law Enforcement Closing In On Heartland Breach Perpetrator, darkreading.com, Jan. 23, 2009

“The Secret Service has identified the prime suspect in the Heartland Payment Systems security breach, and the case has been turned over to the U.S. Department of Justice, according to a news report issued today.” more...

2009 Forecast: Compliance strategies for Obama’s 2009, Computer Technology Review, Jan. 23, 2009

“With the way the economy is going, businesses can't help but ask what technologies to invest in during 2009. Now more than ever, CIOs must maximize their existing investments in software and services as 2009 will be a year of "good enough" purchases rather than bells and whistle deals.” more...

TJX stores hold sale after settling over data breach, CNET News, Jan. 22, 2009

“TJX stores, including T.J. Maxx and Marshalls, are holding a one-day 15-percent-off sale on Thursday as a way to show appreciation for customers after a data breach at the company. TJX disclosed in 2007 that 45.7 million customer accounts were compromised.” more...

Payments processor discloses massive data breach, SearchSecurity.com, Jan. 21, 2009

“...Gartner analyst Avivah Litan questioned the timing of Heartland's disclosure and the amount of information that the payment processor released as part of its disclosure. The processor said it found evidence of a breach last week and made a public announcement Tuesday, when all eyes were on the Presidential Inauguration.” more...

Hackers breach Heartland Payment credit card system, USA Today, Jan. 20, 2009

“Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants.” more...

New stimulus bill contains complete health IT act, Government Health IT, Jan. 19, 2009

“A second draft economic recovery bill, this one drafted by the House Ways and Means Committee, contains not only $20 billion in health information technology spending but also a comprehensive health IT act similar to those Congress has sought to enact for several years. Although it resembles some of its predecessors, the 187-page health IT portion of the committee’s bill goes further than most of the bipartisan bills of the past to reward doctors and hospitals for using e-health records and strengthen privacy protections for patients.” more...

State Data Breach Notification Laws: Have They Helped?, SearchSecurity.com, Jan. 19, 2009

“There's an old saying, "Sometimes things have to get a lot worse before they can get better." If that's true, then breach notification laws offer the chance of eventual improvements in security, years hence.” more...

Preventing Identity Theft Throughout the Data Life Cycle, toptechnews.com, Jan. 16, 2009

“Identity theft concerns are focused on the security and necessity of the collection process. Collecting personal information just because you can is unsafe. Organizations can reduce privacy risks by not collecting unnecessary personal info. Once the data gets into the data life cycle pipeline, the cost of managing and destroying it escalates.” more...

Business execs ask for more time for Mass. data security rules, Mass High Tech, Jan. 16, 2009

“A coalition of business leaders is asking the Patrick Administration to delay by two years its planned May 1 start date for new regulations designed to protect Massachusetts residents against identity theft, State House News Service reported late yesterday.” more...

Outsourcing: What does Data Protection Act 1998 require?, lawdit.com.uk, Jan. 16, 2009

“When you are outsourcing any data outside the EEA (European Economic Area) the Data Protection Act 1998 requires you to adhere to certain rules and fulfil certain requirements. It is, primarily, your responsibility to take appropriate technical and organisational measures to protect data from misuse while processing it.” more...

The Regulatory Burden Continues to Grow, Bank Systems & Technology, Jan. 15, 2009

“In the wake of the massive data thefts witnessed over the past two years, Massachusetts decided to take matters into its own hands in keeping its residents’ information safe. And some expect such incidents to only increase as the financial crisis lingers. But the depth to which the Massachusetts rules go to protect peoples’ personal information is stunning.” more...

NIST releases draft guidelines for data protection, SC Magazine, Jan. 15, 2009

“The National Institute of Standards and Technology (NIST) this month released preliminary recommendations that federal agencies -- and their contractors -- should follow to protect the confidentiality of personally identifiable information (PII).” more...

Worries About Breaches of Privacy, Supply Chain Management Review, Jan. 15, 2009

“The risk of data breaches and compliance with the applicable laws and regulations make supply chain management transactions, and particularly outsourcing deals, of particular worry to companies which are transferring the data to third parties. In an outsourcing transaction, where a service provider is required to operate some aspect of a customer’s business, the service provider will need to comply with those laws applicable to that outsourced business. If the business is a financial business, the outsourcer will have to comply with the Gramm-Leach-Bliley Act. If the business is a health care business, it is likely that the outsource supplier will have to comply with HIPAA.” more...

A well-planned security program saves health care companies more than money, SC Magazine, Jan. 15, 2009

“If designed properly, an electronic health records (EHR) system can produce many benefits for health care organizations. While government regulations like the Health Insurance Portability and Accountability Act (HIPAA) and other state laws require providers and payers to follow strict guidelines concerning the security of their health systems, security breaches continue to occur with minimal repercussions.” more...

ECPS calls for higher privacy safeguards in its second Opinion on ePrivacy Directive, Euroalert.net, Jan. 12, 2009

“The European Data Protection Supervisor (EDPS) adopted on January, 9th 2009, an Opinion on the review of the Directive on Privacy and electronic communications, usually referred to as the ePrivacy Directive. The recommendations presented in this Opinion aim at streamlining some of the provisions of the Directive, while at the same time ensuring an adequate level of data protection and privacy.” more...

Security spending up for 30% of businesses, CBR Security (U.K.), Jan. 12, 2009

“More than a third of organisations are preparing to pump up their data security budgets in 2009, despite a prevailing climate for IT spending reduction.” more...

Which? report on hard drive destruction criticised, SC Magazine (U.K.), Jan. 8, 2009

“A claim that the only way to destroy data is to smash the hard drive has been criticised. Acronis has claimed that a report by Which? Computing magazine is not environmentally friendly and unnecessarily expensive.” more...

Feinstein introduces data security bills, nextgov.com, Jan. 7, 2009

“Sen. Dianne Feinstein, D-Calif., on Tuesday introduced a pair of data security bills -- one that would require businesses to notify consumers in the event of a security breach and another, co-sponsored by Sens. Judd Gregg, R-N.H., and Olympia Snowe, R-Maine, that would ban the sale or display of an individual's Social Security number without his or her consent.” more...

Price of data theft response: Millions, Portland (Maine) Press Herald, Jan. 7, 2009

“Two major data breaches since early 2007 have cost Maine banks and credit unions more than $2.1 million, and those institutions might ask lawmakers to force retailers to share some of the costs of future breaches.” more...

Data Breaches Up Almost 50 Percent, Affecting Records of 35.7 Million People, The Washington Post, Jan. 6, 2009

“Businesses, governments and educational institutions reported nearly 50 percent more data breaches last year than in 2007, exposing the personal records of at least 35.7 million Americans, according to a nonprofit group that works to prevent identity fraud.” more...

Despite Economy, Security Spending To Increase In 2009, www.darkreading.com, Jan. 5, 2009

“Despite a troubled economy, both large and small enterprises are poised to spend a higher percentage of their IT budgets on security in 2009, a major research firm said today.” more...

Top ways to prevent a data breach in 2009, Cybermedia India Online, Jan. 5, 2009

“In the first 11 months of 2008 there have been a record number of corporate data breaches. 588 companies have been responsible for compromising the private information of more than 33 million people. Beyond the damaged or lost relationships with customers and the bad publicity, there are legal and economic consequences that can compound the issue. Fines can range from $1,000 to $2,500 per individual record compromised.” more...

Top 10 Security Stories Of 2008, InformationWeek, Jan. 2, 2009

“A spike in data breaches, the threat of malicious hardware, and alarming revelations about the Internet's vulnerabilities from security experts such as Dan Kaminsky all made headlines in 2008.” more...

Putting the 'I' in Enterprise IT Compliance, www.toptechnews.com, Dec. 31, 2008

“With SOX as an indicator of the future direction of compliance-driven information assurance, a holistic, program-based approach can provide the necessary capability to address security and privacy compliance across most enterprises. Building such a program is not a simple process, and requires buy-in from across the organization.” more...

Are state and federal breach notification mandates unreasonable?, TechRepublic.com, Dec. 31, 2008

“Chris Wolf, an attorney and head of the Proskauer Rose (Washington, D.C.) law firm’s privacy and security group, stated in a recent interview that breach notifications should be delayed until all the facts are in about what was lost and who was affected.” more...

Your records for sale to the highest bidder, Portland Press Herald, Dec. 26, 2008

“Records abandoned in storage can be sold like office furniture.”

Security Trends For 2009: Compliance & Budget Will Shape The Landscape Next Year, Processor, Dec. 26, 2008

“It’s been a whirlwind year in IT security—do spam, malware, regulatory compliance, and centralized monitoring and management ring a bell?” more...

To serve and protect, siliconrepublic.com, Dec. 25, 2008

“To my mind, the greatest threat to online transactions is in the area of data security. Scarcely a week goes by without hearing about some sort of security breach somewhere.” more...

RBS WorldPay Data Breach Hits 1.5 Million, InternetNews.com, Dec. 24, 2008

“A hacker got into the computer systems of electronic payment processing services provider RBS WorldPay, compromising more than a million customers' records.” more...

A year of lost data, lost jobs and a 'dead' Jobs, Computing, Dec. 18, 2008

“Our month-by-month review of a year that witnessed a flood of redundancies, data blunders and economic turmoil - but at least Steve Jobs still has his health.” more...

Google No Longer Among Top 20 Most Trusted Companies For Privacy, InformationWeek, Dec. 15, 2008

“Google (NSDQ: GOOG) is no longer ranked among the top 20 most trusted companies for privacy, but Apple, Facebook, and Yahoo (NSDQ: YHOO) for the first time are.” more...

Berlin Bank Accused of Country's Largest Data Leak, Deutsche Welle, Dec. 13, 2008

“Consumers in Germany have been affected by what is being called the country's largest data leak. A Berlin bank has reportedly lost data on thousands of credit card customers -- including their PIN numbers.” more...

IT Management Slideshow: Top 10 Security Breaches in 2008, Baseline Magazine, Dec. 12, 2008

“A look at the most disastrous security breaches of the past year.” more...

HP, Symantec warn employees after laptop thefts, IDG News Service, Dec. 11, 2008

“Technology vendors Hewlett-Packard and Symantec are warning employees that their names and Social Security numbers may have recently fallen into criminal hands following two separate laptop thefts.” more...

Federal Data Breach Law? No Time Soon, PCWorld, Dec. 11, 2008

“Since California's historic 2003 passage of a data breach law, most other states in the U.S. have followed suit. 44 states now have laws that lay out requirements for companies in the event that sensitive information is compromised. Despite the groundswell of interest in the issue on the state level, there is currently no similar federal law.” more...

How a CIO should deal with the aftermath of a data breach, www.cio.co.uk, Dec. 11, 2008

“When it comes to data breaches, experts agree that prevention is the best cure but what steps should CIOs take if the unthinkable happens?” more...

Most companies are far too optimistic regarding security, BetaNews, Dec. 8, 2008

“According to a study released this morning, troubled times and sloppy security may prove a mighty temptation for hackers or even disgruntled employees -- and companies' overly high opinions of their own security don't help.” more...

UK data breach notification laws?, InformationWorld Review, Dec. 8, 2008

“After all the recent news about the new powers to be granted to the Information Commissioner, Richard Thomas, another piece of information pushed out by the Ministry of Justice appears to have gone rather unnoticed. It was a definitive statement saying that the government would accept Thomas's request that there should be no US-style data breach notification laws for private sector organisations in this country. Of course, public sector organisations are already forced to report any significant "actual or potential" data losses to the ICO - so why not private sector firms?” more...

Critics: Data law tying up business, Boston Business Journal, Dec. 5, 2008

“Massachusetts businesses will likely be granted a brief reprieve from implementing the toughest data security standards in the country, but business leaders say it is not enough to blunt the financial blow of the laws in the midst of a recession.” more...

Where the US Went Wrong With Breaches, Bank Technology News, Dec. 2008

“Data commissioners in the United Kingdom, Canada, New Zealand and Australia are looking to update their rules around data breaches.” more...

Two Data Breaches To Tell Your Customers About, ChannelWeb, Dec. 3, 2008

“Lots of Canadians have gotta be scratching their heads wondering what will happen to them in the wake of two big data storage security leaks.” more...

TJX will cut all items 15% as part of data-breach deal, Boston Herald, Nov. 30, 2008

“Even if thrifty consumers cut back on trips to TJX-owned stores from now until Christmas, the Framingham retailer still holds a trump card it can play after the holiday shopping game is over.” more... Case history: Key dates in the TJX customer data breach case

Data security breaches: How to respond, ComputerWeekly U.K., Nov. 28, 2008

“When data controllers are faced with reporting a security breach - especially with regards to notifying the Information Commissioner's Office (ICO) - it will be in the best interests of the company to examine the conflicting elements of legal and regulatory disclosure requirements as the interests of the company may not wholly be served by following the directives of the Information Commissioner's Office (ICO), writes Bob Lewis, head of systems assurance at The Risk Advisory Group.” more...

Bank's lack of accountability leaves possible data breach a mystery, Newswire Canada, Nov. 27, 2008

“Close to half a million people will likely never know whether their personal information was compromised in a data breach at the Canadian Imperial Bank of Commerce (CIBC), according to the Office of the Privacy Commissioner of Canada.” more...

Brits Decide They Don’t Need the Stress of Reporting Every Data Breach, ITBusinessEdge, Nov. 27, 2008

“After evaluating the success of data breach disclosure laws in the U.S., The British government has decided not to implement similar rules for private business.” more...

United States: Data Security Standards Delayed to May 1, 2009, www.mondaq.com, Nov. 27, 2008

“Massachusetts' businesses facing enhanced data security standards have been given an extension of time to comply with the new requirements issued by the Office of Consumer Affairs and Business Regulation ("OCABR"). The regulations require all businesses and individuals that maintain personal information about Massachusetts residents to take certain steps to assure the security of that information.” more...

Social Security's Security Problem, Forbes, Nov. 24, 2008

“It's not hard to imagine the security risk when a minimum-wage telephone salesperson you've never met has access to your Social Security number, your mother's maiden name and your date of birth. But even if that salesperson is honest, the level of security inside companies that control that data should make you just as edgy.” more...

Banking's Data Security Crisis, Forbes, Nov. 21, 2008

“During the past year, banks have lost more of their customers' personal data than ever before.
Countrywide Financial may have become a poster child for U.S. financial institutions ruined by poisonous subprime loans--but junk assets, it turns out, weren't the only element of Countrywide's inner workings that were rotten.” more... See also: In Pictures: The Year's Biggest Data Breaches

Boom time for shredders, Columbus (Ohio) Dispatch, Nov. 21, 2008

“Identity theft hurts consumers, and it can cost companies that have put private data at risk thousands of dollars in fines. But the problem has sprouted a growing industry -- information destruction -- that continues to move forward even though the economy has turned sour.” more...

Government admits it is losing one lap-top a week on anniversary of loss of child benefit database, Telegraph.co.uk, Nov. 21, 2008

“The news came as Jack Straw was accused of only giving "slap on the wrist" to a private firm which lost a CD containing hundreds of pieces of "sensitive personal information" from the Ministry of Justice. Figures uncovered by Tory frontbencher Grant Shapps MP show that in the year until the end of last month, Government departments lost a total of 53 lap-tops - a quarter of which belonged to the Department for Health.” more...

Best Practices on Data Breaches, Bank Systems and Technology, Nov. 20, 2008

“Although banks are unlikely to be the source of a breach, they often must break the bad news to exposed customers -- and how they do that affects the customer relationship for good or bad.” more...

Opinion: What's happened to storage security?, Computerworld, Nov. 17, 2008

“It would be an overstatement to suggest that the state of storage security has declined in the past year, but it's fair to say that it's lost some momentum. While everyone on the planet is now aware of privacy concerns and specifically the widely publicized risk of off-site tape loss, only a relatively small number of companies have acted to mitigate the situation.” more...

College of Dentistry at UF breached, Computerworld, Nov. 13, 2008

“University of Florida college IT staff were upgrading a server on October 3, 2008, when they discovered some unauthorized installed software that was apparently some sort of malware. The server contained "patient names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information."” more...

Most data security risks internal, Cisco study finds, NetworkWorld, Nov. 12, 2008

“Most enterprise IT officials believe their company's employees pose a greater threat to data security than any outside source. Those are the findings of the third and final set of results from a data-leakage study commissioned and released by Cisco. The first part dealt with common employee data-leakage risks and the potential impact on the collaborative workforce, and the second part focused on employees' tendencies to break company IT security rules.” more...

Major data breaches predicted as firms cut IT spending, SiliconRepublic.com (Dublin), Nov. 12, 2008

“As the recession continues to bite and firms look at ways of cutting corners on spending, it is vital companies don’t scrimp on protecting their data assets.” more...

Express Scripts customers threatened on data breach, Reuters, Nov. 11, 2008

“Express Scripts Inc (ESRX.O) said on Tuesday a "small number" of its clients have received letters threatening to expose customers' personal information, an apparent connection to an earlier extortion threat made against the company.” more...

Security Expert Robert Siciliano on Express Scripts Data Breach, World Congress, Nov. 7, 2008

“Based on what’s just happened at Express Scripts, consumers should indeed be wary of having their health information online. The company just announced it is being blackmailed with the threat of a massive data exposure. A letter demanding payment included personal data on 75 Express Scripts members.” more...

Massachusetts Data Privacy and Security Laws Impact Companies Across U.S., CIO, Nov. 6, 2008

“Massachusetts has enacted data privacy and data security regulations that will make it eke out California for the most wide ranging state privacy and security laws—laws that are likely to impact the policies, practices, procedures, contracts and training used by companies nationwide.” more...

Express Scripts reports extortion over data breach, Reuters, Nov. 6, 2008

“Express Scripts Inc said on Thursday it received an extortion letter threatening to expose millions of patient records and warned of a "potential large data breach."” more...

Clients' data missing, Harvard Law warns, The Boston Globe, Nov. 6, 2008

“Harvard Law School is alerting thousands of clients from a legal services clinic after a computer tape containing their Social Security numbers, addresses, and financial information was lost in September.” more...

Free Monitoring for Buyers, $6.5M for Lawyers in Massive TJX Data Breach Case, ABA Journal, Nov. 5, 2008

“A federal judge in Boston has approved $6.5 million in attorneys fees to the lawyers who brought a class action over a massive data breach at TJX Cos. that is estimated to have involved as many as 100 million accounts compromised by computer hackers.” more...

Baylor Health Care says laptop with patient data stolen, Dallas Morning News, Nov. 4, 2008

“A laptop computer containing limited health information on 100,000 patients was stolen from an employee's car in September, Baylor Health Care System Inc. said Monday. A letter is being sent to the patients, including 7,400 patients whose Social Security numbers were stored on the computer.” more...

I can't make any promises about keeping your personal details safe, admits Brown in wake of latest data blunder, The Daily Mail, Nov. 3, 2008

“Gordon Brown today admitted the Government cannot promise to keep safe the millions of pieces of sensitive personal information it has gathered on the British public. The Prime Minister's remarks came amid an urgent inquiry into how a memory stick with user names and passwords for a key Whitehall computer system was found in a pub car park.” more...

Data security blunders are unacceptable, The Daily Mirror, Nov. 3, 2008

“When people hand over personal information they expect it to be treated in confidence. But this government seems incapable of looking after the data entrusted in its care. Almost every month throws up a fresh scandal.

In the latest breach a memory stick containing the password to a Government computer system turned up in a pub car park.” more...

Privacy watchdog slams databases, year of data loss, Computerworld UK, Oct. 30, 2008

“The number of data breaches reported to the Information Commissioner's Office (ICO) has soared to 277 in almost a year, new figures released Wednesday revealed. In almost 12 months, 80 of those breaches concerned the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities, and 47 by the rest of the public sector.” more...

Data breach hits 80% of local companies: survey, Australian IT, Oct. 22, 2008

“ALMOST 80 per cent of local organisations have experienced a data breach in the past five years, with a further 40 per cent reporting between six and 20 known breaches during the period, according to Symantec's first Australian data loss survey.” more...

Security Remains a Least-Understood Management Function: The Three A’s of Change, CIO, Oct. 20, 2008

“Security remains a major public and private sector concern, affecting consumer trust and spending habits across the board. The growing number of audits evaluating security measures, the frequency of security breaches, and the expansive press coverage of such breaches has illuminated a spotlight on information security concerns. Although security concerns have seemingly moved to the forefront, information mismanagement, data loss, and poor malware protection remain a consistent problem for both technology and financial officers.” more...

Health Insurance Reckless With Personal Information, The Korea Times, Oct. 19, 2008

“The National Health Insurance Corp. (NHIC) was found to have provided personal information of about 1.5 million subscribers to a private research institute without any proper steps to stem a possible leak.

The state-run insurance agency handed residence ID numbers and other basic personal information to an unspecified research institute from 2006 to 2007, said Rep. Yoo Il-ho of the governing Grand National Party, citing agency data.” more...

New Calif. State Legislation Threatens Stiff Medical Privacy Penalties, InformationWeek, Oct. 18, 2008

“Two new state medical privacy laws, AB211 and SB541, make it possible for institutions and individuals to be fined up to $250,000 for being lax when it comes to the medical privacy of California residents.” more...

New Data Privacy Laws Set For Firms, The Wall Street Journal, Oct. 16, 2008

“Alicia Granstedt, a Las Vegas-based hair stylist who works for private clients and on movie sets, never worried about conducting most of her business through email. Ms. Granstedt regularly receives emails from customers containing payment details, such as credit-card numbers and bank-account transfers.

Since she travels frequently, she often stores the emails on her iPhone. But a Nevada law that took effect this month requires all businesses there to encrypt personally-identifiable customer data, including names and credit-card numbers, that are transmitted electronically.” more...

Major Data Loss Exposes Personal Information of 1.7 Million People, LittleFish UK, Oct. 14, 2008

“According to a government minister, an unencrypted hard drive containing personal data of 1.7 million people went missing last week from the EDS site in Hampshire. The drive is embedded with information such as names, addresses, passport numbers, dates of birth, next-of-kin and driving licence details of up to 100,000 military personnel and up to 600,000 potential recruits.” more...

Commentary: You know about HIPAA, but what about Maryland’s PIPA?, The Daily Record, Oct. 10, 2008

“The Maryland Personal Information Protection Act (PIPA) became effective on Jan. 1, 2008. PIPA imposes information security and data-breach requirements on all businesses, including hospitals, doctors and insurers, regardless of size, that have personal information about Maryland residents. Violation of PIPA is an unfair or deceptive trade practice, and may be enforced by private lawsuits. Penalties are also authorized.” more...

Over half of U.K. firms have lost data, Computerworld UK, Oct. 10, 2008

“An astonishing 55% of British companies have lost data, according to a new report of 785 IT professionals in the U.K. Conducted by the Ponemon Institute LLC, the survey found that 49% of them have had over two breaches in the last two years.

Around two-thirds of respondents said negligence, including that of outsourcers, was responsible for data breaches, compared with only 10% who said hackers were a major cause. A third said insiders were a threat.” more...

Security pros call for data breach regulations, ITPro, Oct. 9, 2008

“A recent report calling for stringent data security and breach notification laws has been welcomed by information security professionals. Delegates of the independent Information Security Solutions Europe (ISSE) conference being held this week in Madrid broadly welcomed the recommendation to introduce a breach notification law presented in the report compiled by respected IT security academics.” more...

New health-care privacy laws heighten need for HIPAA compliance in California, Computerworld, Oct. 7, 2008

“Health care organizations that operate in California have two more good reasons to be sure that they comply with the data security and privacy requirements of the federal HIPAA law.” more...

Data Breaches Reach Record High, eWeek.com, Oct. 7, 2008

“The hits keep coming when it comes to U.S. data breaches. The Identity Theft Resource Center reports data breaches in 2008 have already exceeded the record breaches of 2007. Enterprise breaches continue to lead the pack with breaches tied to mobile data topping the incident reports.” more...

Bank Data Breach Threatens 248,000 in North Carolina, consumeraffairs.com, Oct. 7, 2008

Nearly a quarter of a million North Carolina consumers have been affected by a recent data breach by the Bank of New York Mellon. The breach could subject 248,000 North Carolinians to potential identity theft. more...

T-Mobile Lost 17 Million Subscribers' Personal Data, InformationWeek, Oct. 6, 2008

“Deutsche Telekom (NYSE: DT) said it lost personal data for about 17 million T-Mobile Germany customers in the spring of 2006. Thieves got their hands on a storage device with the data, which included the names, addresses, cell phone numbers, and some birth dates and e-mail addresses for high-profile German citizens. The company said the records did not contain bank details, credit card numbers, or call data.” more...

European standoff over search engine data, International Herald Tribune, Oct. 5, 2008

“BERLIN: For more than a year, European data privacy officials have been battling with U.S. Internet search engines, trying to get them to conform to European restrictions on the storage of personal information gleaned from the Web.” more...

New Federal Law Targets ID Theft, Cybercrime, The Washington Post, October 2008

“President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.” more...

Fed Stiffens ID Theft Penalties, Schwarzenegger Kills California Breach Bill, InformationWeek, Oct. 3, 2008

“Identity thieves, if a new federal ID theft law is enforced, will now face stiffer federal penalties for their crimes. Federal prosecutors also will have increased leeway to pursue more ID theft cases. Also, for the second time in 12 months, California Gov. Arnold Schwarzenegger vetoed a new California Data Breach Bill. Was that a good idea?” more...

How to Minimize the Impact of a Data Breach, www.csoonline.com, Sept. 30, 2008

“Thirty-one percent of customers—nearly one-third of a company's client base and revenue source—are terminating their relationship with organizations following a data breach, according to a recent study by the Ponemon Institute.” more...

House eyes stronger data protection, Government Computer News, Sept. 29, 2008

“A Sense of the Congress resolution introduced in the House last week sets a goal of passing meaningful legislation to protect sensitive data held by both government and the private sector by the end of the current Congress.” more...

Poll: Data loss not taken seriously, www.publicservice.co.uk, Sept. 26, 2008

“A new survey has shown that the culture of data management and security is not taken seriously enough in the public sector. These issues are simply not at the top of the public and political agenda according to a new survey by ClearSwift and Information Assurance, even though the public has high expectations. Approximately 40 per cent of senior management have little or no understanding of information assurance (IA), and 32 per cent of board members have discussed IA issues fewer than four times in the last 12 months.” more...

Class action suit filed over data breach of student info, www.wwsb.com, Sept. 23, 2008

“SARASOTA COUNTY, Fla. - There's now a push for a class action lawsuit for Sarasota County students involved in a security breach. A Sarasota attorney, Bill Partridge, has filed the lawsuit against the Princeton Review. The Sarasota County School District hired the Princeton Review to make tests and do analysis of students' performance.” more...

Tougher consumer data rule adopted, The Boston Globe, Sept. 23, 2008

“In the wake of a series of alarming data breaches, placing hundreds of thousands of Massachusetts consumers at risk of identity theft, state regulators released new rules yesterday ordering businesses to better safeguard consumers' personal information.” more...

European Parliament to Postpone IP Privacy Issue, www.PCWorld.com, Sept. 22, 2008

“European parliamentarians, set to vote on changes to the European telecommunications legal landscape this week, will put off at least one crucial question: Should IP addresses be considered private data?” more...

GAO says HHS isn't protecting medical data privacy adequately, FierceHealthIT.com, Sept. 21, 2008

“HHS has not done enough to protect electronic medical data, a failure that has undermined consumer confidence in EMRs and possibly undercut vendors as well, according to the Government Accountability Office.” more...

PCI is about eliminating data, not securing it, former QSA says, SearchSecurity.com, Sept. 15, 2008

“BOSTON -- Forrester analyst John Kindervag says he's sick of hearing people whine about the payment card industry data security standard (PCI-DSS). A former qualified security assessor (QSA), Kindervag said companies often drag out compliance issues instead of dealing with them head-on.” more...

Data breaches spur hard-drive shredding boom, Computerworld, Sept. 10, 2008

“Thanks to all the fear over data security breaches, a computer recycling operation has morphed into something much bigger -- and potentially more lucrative -- for the Saraiva brothers.” more...

Mortgage firm Countrywide, in response to alleged data breach, offers free credit monitoring, Los Angeles Times, Sept. 10, 2008

“Countrywide Financial Corp. is offering two years of free credit monitoring to customers whose sensitive personal information, including Social Security numbers, allegedly was stolen from the home lender's computer files. In one of the largest data theft cases in years, a former Countrywide employee was arrested Aug. 1 and charged with illegally accessing the firm's computers for more than two years.”

530M records exposed, and counting, Computerworld, Sept. 9, 2008 -- Perspective of a Fortune 500 Chief Privacy Officer.

“By my count, over half a billion records of personal information have been exposed or mishandled in the past eight years. And these are only from breaches where a record count has been publicly revealed.” more...

Another day, another data breach, ZDNet.co.uk, Sept. 8, 2008 -- A data breach could lead to a strike by affected workers.

“Over the weekend, news broke of a data breach affecting up to 5,000 prison staff, whose details were on a hard disk lost by contractor EDS two months ago. The data compromise was only disclosed over the weekend. Prison staff are so unhappy about the loss of their sensitive data that they are now threatening strike action, and they seem particularly peeved that no-one let them know earlier that their details might have fallen into the wrong hands.” more...

Organizational Costs related to Data Breaches, Information System's Integrated Government Risk and Compliance, Sept. 7, 2008 --

A fairly thorough listing of the myriad organizational costs that a company is likely to incur as a result of a data breach.

Data loss hits SAIC shareholders, San Diego Union-Tribune, Sept. 6, 2008 --

“WASHINGTON – The unexplained loss of magnetic backup tapes earlier this year has potentially compromised the identity of 38,000 SAIC shareholders, far more than initially believed, officials said.”

Calif. bill forces retailers to protect data, AP, San Jose Mercury News, Aug. 31, 2008 -- A good example of increasing state involvement and the near-unanimous, bi-partisan support for citizens' privacy rights:

“SACRAMENTO—Retailers in California would not be allowed to store customers' personal information unless they took stringent steps to prevent identity theft under a bill state lawmakers approved Sunday. Assemblyman Dave Jones, D-Sacramento, said many businesses fail to take even the most basic measures to protect that information, creating an opening for identity thieves.”

Bank of NY Mellon data breach now affects 12.5 mln, Reuters, Aug. 28, 2008 --

“NEW YORK (Reuters) - Bank of New York Mellon Corp said on Thursday that a security breach involving the loss of personal information is much larger than previously reported, affecting about 12.5 million people, up from 4.5 million. The case is the largest new reported U.S. data breach in 2008, as measured by the number of exposed records, according to the Identity Theft Resource Center.”

Government probe launched after details of one million bank customers found on computer sold on eBay, Daily Mail, Aug. 27, 2008 --

“The eBay computer scandal which saw the loss of personal data on a million bank customers is to be investigated by the Information Commissioner. The firms involved - the Royal Bank of Scotland, NatWest and American Express - have also promised to launch probes.”

Data Breaches Exceed 2007 Record, consumeraffairs.com, Aug. 25, 2008 --

“The number of data breaches hit a record high in 2007, but it appears this year will be significantly more dangerous, when it comes to potential identity theft. More than four months before the end of 2008, the total number of breaches on the Identity Theft Resource Center's (ITRC) breach list has surpassed the final total of 446 reported in 2007.”

Failure to guard customers' data is costly for business, Dallas Morning News, Aug. 25, 2008 --

“Federal prosecutors recently busted a sophisticated hacking operation that allegedly stole more than 40 million credit- and debit-card numbers from a host of big-name retailers.”

Thousands of personal records lost each month, Telegraph.co.uk, Aug. 23, 2008 --

“More than 160 "significant" incidents of confidential data being misplaced by councils, central government and businesses have been reported to the Information Commissioner's Office (ICO) since last November.”

Managing Data Security Breaches, i.t.wales, Aug. 21, 2008 -- An overview of recently published guidelines in the United Kingdom (developed by the Information Commissioner's Office) for how to evaluate and deal with data breaches.

The Security and Privacy of Healthcare Data, InformationWeek, Aug. 20, 2008 -- According to InformationWeek:

“Despite the aim of the Health Insurance Portability and Accountability Act to bolster the security and privacy of patient information, a majority of health-care providers believe more should -- and can -- be done. And a newly formed consortium of industry leaders plans to do something about it.”

Encryption Compliance Still the Wild West, Computerworld, Aug. 18, 2008 -- According to ComputerWorld:

“Encrypting data is becoming a requirement. How well you need to manage the keys that are used to encrypt the data is still open to debate. ...some states do not consider encryption alone sufficient to ensure that the data is unrecoverable.”

Data Security and Compliance, Aug. 18, 2008 -- A good overview detailing the main drivers of compliance and trends in how organizations are re-aligning to address them.

What to do in the event of a data breach, InfoWorld, Aug. 18, 2008 -- According to InfoWorld:

“If your organization suffers a data breach, you are required -- in many instances -- to notify individuals that their personal information may have been compromised. Security breach notification laws enacted in almost all states are designed to help protect affected individuals by giving them due warning and the opportunity to take action to protect themselves against the consequences of identity theft and unauthorized account access.”

Government Security of Information Still Needs Work, Hawaii Reporter, Aug. 12, 2008 --

“Many federal operations are supported by automated systems that may contain sensitive information such as national security information that, if lost or stolen, could be disclosed for improper purposes.”

Massachusetts requires EHRs in hospitals by 2015, Aug. 11, 2008 -- With all the privacy provisions in the Health Insurance Portability and Accountability Act (HIPAA) it may be that we sometimes lose sight of the legislation's original intent -- to pave the way to a more automated, more cost-effective health care system. These days a great many healthcare organizations are installing EHR (Electronic Health Records) systems to that very end. Estimates peg penetration at 40 percent or more today. Massachusetts seems to understand that the holy grail of efficiency can only be reached if everyone is on board, however. From our perspective, more and more data in EHR systems heightens the need for protective measures. Make sure you are caring for every health record as if it were your own, at every point in its lifecycle.

Government probe uncovers massive data breach, The Wall Street Journal, Aug. 11, 2008 -- This is a good news, bad news story. It is good news that our law enforcement authorities have apparently broken up a massive credit card fraud ring. It is bad news for the companies whose customer data has been compromised. Some of them, despite knowing that an investigation was in progress, chose not to inform their customers of a potential breach. According to one expert quoted in the story:

“If I were the companies, I would be issuing public disclosures five nanoseconds after the indictments were announced,” says Evan Stewart, an adjunct professor at Fordham University School of Law and an electronic-data breach expert. “If not, there could be big checks the companies will have to be writing” to cover consumer litigation, he said.

BBC apologises after children's personal data stolen, The Times, Aug. 8, 2008

“The BBC has apologised to parents and started an investigation after a memory stick containing the personal data of hundreds of children was stolen.”