Skip to main content

Home/ WPPS C-Suite News/ Group items tagged breach

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
sandy ingram

Data Security Breaches Cost Real Money - 0 views

www.mondaq.com/...article.asp

it data security breach cost privacy Information Assurance Poneman

shared by sandy ingram on 08 Apr 10 - Cached
  • PGP Corporation, an enterprise data protection company, and the Poneman Institute, a privacy and information management research firm, as part of their fifth annual U.S. Cost of a Data Breach Study, tracked a wide array of cost elements
  • These elements included outlays for detection, escalation, notification, and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs related to customer support like information hotlines and credit monitoring subscriptions
  • data breaches caused by malicious attacks and botnets were on the high end of severity and cost responses. These types of breaches doubled from 2008 to 2009.
  • ...5 more annotations...
  • data breaches involving data outsourced to third-parties, especially those offshore, remain very costly.
  • The study shows that companies are spending more on legal defense costs in the area of data security breaches
  • Furthermore, companies that have a Chief Information Security Officer (CISO) or equivalent high-level security/privacy leader in place who manages data security breach incidents experienced a 50% less per cost of compromised record than companies that do not have such leadership.
  • Somewhat surprisingly, the study indicates that companies that notify victims of data breaches too quickly may incur about 12% higher response costs. The study suggests that moving too quickly through the data breach process could cause inefficiencies that raise total costs
  • companies that engage outside expertise to assist them during a data breach incident tended to have a lower $170 cost per victim than companies that do not seek outside help at $231 per victim.
  • sandy ingram on 08 Apr 10
     
    study shows that companies are spending more on legal defense costs in the area of data security breaches. This has been attributed to fears of potential class actions, and other lawsuits resulting from consumer and employee data loss. In fact, companies that engage outside expertise to assist them during a data breach incident tended to have a lower $170 cost per victim than companies that do not seek outside help at $231 per victim.
sandy ingram

Ponemon #BREACH SURVEY: 56% suffer from financial identity theft and cost Hospitals $6 ... - 0 views

www.prnewswire.com/...acy-in-jeopardy-106945528.html

Privacy security compliance HITECH survey ponemon

shared by sandy ingram on 02 Dec 10 - No Cached
  • "Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute.  "At this point one would hope to see that healthcare organizations have improved information security practices and come into compliance with HITECH, now that it's been more than one year since it was enacted.  Instead we found enormous vulnerabilities.  The protection of patient data should be at the forefront of their efforts."
  • ey findings of the research: Data breaches are costing the healthcare system billions.  The total economic burden created by data breaches on the healthcare industry is nearly $6 billion annually.  The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580.  The average organization had 2.4 data breach incidents over the past two years.  Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error.Healthcare organizations are not protecting patient data.  Organizations have little or no confidence in their ability to appropriately secure patient records (58 percent).  Healthcare organizations have inadequate resources (71 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.Protecting patient data is not a priority.  Seventy percent of hospitals stated that protecting patient data is not a top priority.  Patient billing (35 percent) and medical records (26 percent) are the most susceptible to data loss or theft.  A majority of organizations have less than two staff dedicated to data protection management (67 percent).HITECH has exposed the healthcare industry's lax data protection practices rather than improved the safety of patient records.  The majority (71 percent) of respondents do not believe the HITECH Act regulations have significantly changed the management practices of patient records.  The findings indicate that there is a significant number of data breaches that go undetected, and therefore unreported.
  • "We talk with healthcare compliance people dealing with data breach risks every day and they just can't get their arms around the problem of data exposure," said Rick Kam, president and co-founder of ID Experts.  "Unfortunately, in healthcare organizations, patient revenue trumps risk management."
  • sandy ingram on 02 Dec 10
     
    Hospitals Are Not Protecting Patient Data; Healthcare Industry Lagging Behind HITECH Standards TRAVERSE CITY, Mich. and PORTLAND, Ore., Nov. 9, 2010 /PRNewswire/ -- The latest benchmark study by Ponemon Institute, sponsored by ID Experts®, finds that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected.  The research indicates that protecting patient data is a low priority for hospitals and that organizations have little confidence in their ability to secure patient records, putting individuals at great risk for medical identity theft, financial theft and embarrassment of exposure of private information.
sandy ingram

Are you ready for a data breach? | Healthcare IT News - 0 views

www.healthcareitnews.com/...are-you-ready-data-breach

data breach HITECH DHS Risk Assessment Compliance

shared by sandy ingram on 23 Jun 10 - Cached
  • sandy ingram on 23 Jun 10
     
    The handling of data breach incidents has become a way of life for healthcare providers and with other HIPAA covered entities. With the passage of the HITECH Act last year, there are now substantial penalties that can be levied, up to $1.5 million. This fact, combined with a requirement to notify the Department of Health and Human Services as well as the media for data breach incidents that affect over 500 individuals has, for the first time, resulted in public records being kept for such incidents. If you oversee privacy, compliance, or IT for a hospital system, a group practice, a health insurance company, other covered entities, or even one of their business associates, the HITECH Act and its privacy and data breach provisions require your close attention. While many people know that HITECH generally creates requirements for data breach notification, there are at least four things you may not know about HITECH that you really should: The requirement for a mandatory incident-specific risk assessment for every incident The fact that HITECH notification provisions do not pre-empt state notification laws Encryption of data does not necessarily alleviate the risk of data breach If your business associate exposes your protected health information (PHI), you are responsible
sandy ingram

Amended SB1386 - Health care data security breach explained - 0 views

www.scmagazineus.com/...120069

hipppa SB1386 health training breaches

shared by sandy ingram on 01 Nov 08 - Cached
  • Health care data security breaches in the U.S.
  • New laws and regulations regarding data security breaches and disclosure laws affect the way in which health care organizations do business
  • Notifications can be delayed if law enforcement determines it could hinder a criminal investigation
  • ...11 more annotations...
  • he disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • They need to implement proper security measures, like encryption,” Booz says. In addition, the law will require a new level of investment in training for customer service, sales, and other externally facing operations.
  • Individuals affected by data breaches that meet the personal information definition and notification requirements must be notified by using one of three methods: written notice, electronic notice with customer's consent, or substitute notice
  • The purpose of this rule is to secure personally identifiable information (PII) as it travels through the healthcare system. Healthcare organizations, including providers, payers, and clearinghouses, must comply with the Privacy Rule.
  • The new law requires all state agencies and companies that conduct business in California to notify residents when a breach of their medical information occurs.
  • A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
  • Between 2000 and 2007, nearly half of all health care security incidents that occurred in the U.S. were associated with hospitals.
  • Between 2000 and 2007, 40 percent of publicly known security incidents at health care organizations are classified as data breaches
  • Although data breaches (hackers, malicious employees, social engineering, etc.) only constitute 40 percent of incidents, they account for 57 percent of all records compromised, nearly two and a half times the next closest category.
  • This again speaks to the need for strong policies and procedures. If organizations did not allow sensitive data to leave their facility without being encrypted (for electronic data) or disposed of properly (for physical data), it could eliminate nearly a quarter of the incidents they would face.
  • sandy ingram on 01 Nov 08
     
    Notifications can be delayed if law enforcement determines it could hinder a criminal investigation
  • sandy ingram on 01 Nov 08
     
    A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states.
sandy ingram

Medical-data breach said to be major; involves nearly two-thirds of the insurers' subsc... - 0 views

www.philly.com/...a_breach_said_to_be_major.html

Security Privacy compliance cybersecurity breach

shared by sandy ingram on 21 Oct 10 - No Cached
  • The security failure, one of the several largest in nearly two years, involves nearly two-thirds of the insurers' subscribers. It became known only after The Inquirer requested information Tuesday evening. The insurers said the drive was missing from the corporate offices on Stevens Drive in Southwest Philadelphia. It noted that the same flash drive was used at community health fairs. "That seems grossly irresponsible," said Dr. Deborah Peel, a Texas psychiatrist who heads Patient Privacy Rights, an advocacy group.
  • The news of the breach comes at a time when there is more emphasis - and billions of dollars in federal funding - to develop protocols for electronic medical records, with information being shared among providers, insurers, and consumers.
  • Paul Stephens, director of policy for the Privacy Rights Clearinghouse, said that data breaches in the finance and retail sectors tended to involve more people, but that health data are very sensitive and may also contain payment information.
  • ...3 more annotations...
  • Until The Inquirer asked for information, the company had not disclosed the data breach to affected members, most of whom live in Philadelphia and nearby counties
  • The federal website explaining the law says that breaches must be reported "without unreasonable delay and in no case later than 60 days."
  • They would not say how they know the computer drive was lost, not stolen. They would not comment on the riskiness of taking the drive to health fairs, nor would they say whether the data on the drive was encrypted.
  • sandy ingram on 21 Oct 10
     
    A computer flash drive containing the names, addresses, and personal health information of 280,000 people is missing - one of the largest recent security breaches of personal health data in the nation. "We deeply regret this unfortunate incident," said Jay Feldstein, the president of the two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. The breach, which involves the records of Medicaid recipients, is the first such Medicaid data breach in Pennsylvania since at least 1997, according to the state's Department of Welfare, which has oversight. "We take compliance [with federal privacy laws] very seriously," department spokeswoman Elisabeth Myers said Wednesday.
sandy ingram

Databreach Calculator : Estimate Your Risk Exposure - 0 views

databreachcalculator.com.sapin.arvixe.com/Default.aspx

Privacy security compliance Best Practice databreach estimate

shared by sandy ingram on 30 Mar 11 - No Cached
  • sandy ingram on 30 Mar 11
     
    Since 2005, The Ponemon Institute has examined the cost incurred by organizations, across industry sectors, after experiencing a data breach. The results were not hypothetical responses. They represent cost estimates for activities resulting from actual data loss incidents. Based on five years of trend data, we have created a calculator that will estimate how much a data breach could cost your organization. We can calculate: The likelihood that your company will experience a data breach in the next 12 months. The cost per record in the event of a data breach at your Company. The cost of a data breach at your company. Answer a few short questions to find out how a data breach could impact your company as well as to see how you compare with other companies.
sandy ingram

SURVEY: Data-breach costs rising, 84% repeat offenders - 0 views

voices.washingtonpost.com/...breaches_more_costly_than.html

Survey breach

shared by sandy ingram on 03 Feb 09 - Cached
  • The study measured the direct costs of a data breach, such as hiring forensic experts; notifying consumers; setting up telephone hotlines to field queries from concerned or affected customers; offering free credit monitoring subscriptions; and discounts for future products and services.
    • sandy ingram
      sandy ingram on 03 Feb 09
       
      THE COST OF A DATA BREACH The study measured the direct costs of a data breach, such as hiring forensic experts; notifying consumers; setting up telephone hotlines to field queries from concerned or affected customers; offering free credit monitoring subscriptions; and discounts for future products and services. Company's stock price, which in some cases can be substantial. CASE STUDY when the nation's sixth largest credit and debit card processor -- Heartland Payment Systems -- disclosed a breach that could affect millions of customers, the company's stock price took a nosedive. Shares of Heartland's stock lost 42 percent of their value the day after that disclosure, closing at a 52-week low of $8.18. INTELLECTUAL PROPERTY A breach often exposes proprietary data that can jeopardize millions of dollars invested in research and development.
    • sandy ingram
      sandy ingram on 03 Feb 09
       
      COST TO YOUR BRAND "The first thing companies say when they have a breach is 'Well, we'll implement encryption and data leak prevention technologies, and maybe do more training'," Dunkelberger said. "That's great, but what amount of brand damage has to occur in these public disclosures before we see changes made to the way companies handle not just consumers' personal information, but also the intellectual property that drives their businesses?"
  • "The first thing companies say when they have a breach is 'Well, we'll implement encryption and data leak prevention technologies, and maybe do more training'," Dunkelberger said. "That's great, but what amount of brand damage has to occur in these public disclosures before we see changes made to the way companies handle not just consumers' personal information, but also the intellectual property that drives their businesses?"
  • Microsoft patched for the worm affecting Heartland 4 months ago.
  • sandy ingram on 03 Feb 09
     
    the Ponemon Institute, a Tucson, Ariz., based independent research company, found that companies spent roughly $202 per consumer record compromised. The same study put the total cost of a breach in 2007 at $6.3 million, and roughly $4.7 million in 2006.
sandy ingram

Data Breaches - Beyond the Impact of Fines - 0 views

www.infosecisland.com/...eyond-the-Impact-of-Fines.html

security compliance Breaches data impact

shared by sandy ingram on 30 Sep 11 - No Cached
  • A recent article in the Tech Journal (techjournalsouth.com) delves into the effects of data breaches, using survey information to demonstrate how they affect customer loyalty and confidence.
  • "The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers," said Jackie Gilbert, vice president of marketing and co-founder at SailPoint. "These companies obviously spent millions to recover from these data breaches, but the longer term and harder-to-measure costs will be the erosion of customer loyalty and decline in brand perception."
  • Case in point: 16% of Americans, 24% of Britons and 26% of Australians said they would no longer do business with a bank, credit card company or retailer if a security breach occurred that potentially exposed their personal and financial information to theft."
  • ...1 more annotation...
  • Although regulatory fines are painful, the loss of customers and business should really concern businesses.  Organizations and Infosec Professionals (CIO's, CISO's, etc.) would do well to take note of these results. 
  • sandy ingram on 30 Sep 11
     
    "The widespread impact of data breaches like Epsilon and Sony PlayStation, where millions of consumers were impacted around the world, is making customers more cautious about conducting business with certain financial institutions and retailers," said Jackie Gilbert, vice president of marketing and co-founder at SailPoint.
sandy ingram

80% of Australian companies suffered data breach. What protections are in your consult... - 0 views

www.smartcompany.com.au/...breach-in-past-five-years.html

Austrailia data breach agreements international

shared by sandy ingram on 11 Nov 08 - Cached
  • A whopping 34% of respondents report an average breach cost them $5000,
  • sandy ingram on 11 Nov 08
     
    What protections are written in your international consultant agreements?
  • sandy ingram on 11 Nov 08
     
    A new survey reveals almost 80% of local companies have experienced data breaches in the past five years, with 40% recording between six and 20 breaches
sandy ingram

California Department of Public Health Breach Fines and Legally Defensible Security : I... - 0 views

www.infolawgroup.com/...nd-legally-defensible-security

california health breach

shared by sandy ingram on 28 Jun 10 - Cached
  • sandy ingram on 28 Jun 10
     
    The California Department of Public Health ("CDPH") recently announced its imposition of $675,000 in fines to six hospitals that had reported security breaches involving medical records (since January 1, 2009, the CDPH has issued fines totaling $1.1 million). The story has been extensively reported on in the media . You can listen to the CDPH's press conference here. The total number of records exposed was only 244, for an average fine of around $2,766 per record. To put that in perspective, if a California hospital suffered a breach involving 100,000 medical records, using the average stated here, their potential fines could be $276 million (assuming no cap for fines and penalties -- the relevant laws do have a cap of $250,000 per incident).
sandy ingram

HITECH now specifically requires the business associate to notify their partner so that... - 0 views

www.technewsworld.com/...alth-IT-Post-HITECH-70443.html

Breach Law healthcare compliance HHS notification hitech hipaa

shared by sandy ingram on 02 Aug 10 - Cached
  • The total impact to the institution is difficult to quantify. Obviously no organization wants the negative press. It's the kind of thing that loses patients and makes the institution less appealing when trying to attract physicians.
  • Under the breach notification requirements of the HITECH Act (Title XIII of the American Recovery and Reinvestment Act), lost or stolen unencrypted records such as these requires notification to Health and Human Services for the public posting of the institution to HHS' "wall of shame," or public list of breaches involving more than 500 individuals. If you go to the HHS website right now, you'll see this incident listed there -- along with an ever-increasing laundry list of other institutions in the same boat.
  • This very public example of HITECH in action underscores just one of the many ways that the law has altered the way that healthcare does business. While the full impact of the law won't be seen for quite some time to come, we're starting to see some radical changes in the way that hospitals approach security and compliance.
  • ...7 more annotations...
  • Security Breaches From a provider point of view, probably the biggest impact from a security and compliance standpoint stems from the relatively strict breach disclosure requirements within the law. Covered entities not only need to notify in writing the individuals whose data was lost, but they also are required to notify HHS of the data loss.
  • Vendor Impact In addition to expanded disclosure provisions for business associates, HITECH also changes the landscape for them in that they now have a higher bar to meet in terms of their own security requirements
  • Under the law, business associates now have to meet the same bar as covered entities when it comes to the security rule.
  • However, covered entities are not alone in shouldering the burden of these more stringent rules. Business associates also have a role to play under the new provisions. Business associates now need to make sure that they report possible breaches to partners/customers and that they provide enough data for the covered entities to tell who was impacted and what type of data it was -- in other words, enough data for covered entities to fulfill their disclosure obligations. Whereas in the past a breach might occur at a business associate with nobody at the covered entity the wiser
  • HITECH now specifically requires the business associate to notify their partner so that the individuals impacted can be apprised.
  • Clearly, as applications move outside of the provider (for example, due to cloud computing) and more and more vendors move in to participate, rising numbers of vendors, hosting providers, and other service providers find themselves becoming "business associates" and inheriting security requirements that they're unfamiliar with. Even vendors not specifically targeting the healthcare market may find themselves in the direct path of the regs and obligated to change how they do business in response.
  • Vendors seeking to court healthcare clients will now need to pitch not only functionality but a compliance message as well.
  • sandy ingram on 02 Aug 10
     
    Just a few weeks ago, Lincoln Medical and Mental Health Center learned a hard lesson. If you didn't see the news reports, the N.Y.-based healthcare provider notified over 130,000 individuals that their records -- including diagnostic information, Social Security numbers, dates of birth, and other information of use to identity thieves -- was potentially lost."
sandy ingram

Security Fix - Malicious Attacks Most Blamed in '09 Data Breaches - 0 views

voices.washingtonpost.com/...ious_attacks_blamed_for_m.html

privacy security breaches employees theft

shared by sandy ingram on 25 Jun 09 - Cached
  • The ITRC found only a single breach in the first half of 2009 in which the victim reported that the lost or stolen data was protected by encryption technology
  • sandy ingram on 25 Jun 09
     
    The ID Theft Center found that of the roughly 250 data breaches publicly reported in the United States between Jan. 1 and Jun. 12, victims blamed the largest share of incidents on theft by employees (18.4 percent) and hacking (18 percent). Taken together, breaches attributed to these two types of malicious attacks have increased about 10 percent over the same period in 2008.
sandy ingram

SURVEY BY KROLL ONTRACK: One out of Two businesses do not erase sensitive data. - 0 views

www.krollontrack.com/news-releases

shared by sandy ingram on 29 Nov 10 - No Cached
  • "Three-fourths of businesses are deleting files, reformatting or destroying drives, or 'do not know' how they are erasing sensitive data. Deleting files from a hard drive only marks the files to be rewritten, which may never occur. Furthermore, reformatting the drive only removes the entries in the index or table of contents that point to the data. And, physically destroying a drive is not a guaranteed method of protection, as Kroll Ontrack has been recovering data from severely damaged drives, such as the Columbia space shuttle, for more than 25 years.
  • "Surveying more than 1,500 participants from 12 countries across North America, Europe and Asia Pacific regarding their data wiping practices also revealed that four in 10 businesses gave away their used hard drive to another individual and 22 percent do not know what happened to their old computer.
  • Only 19 percent of businesses deploy data eraser software and fewer, 6 percent, use a degausser to erase media. When asked if and how businesses verify their data has been deleted, very few (16 percent) reported relying on a product or service report to confirm all of their data had been wiped.
  • ...1 more annotation...
  • "Reports that verify or confirm what the tool and/or service did are critical," concluded Reinert. "Not only do they inform you of what has been wiped, but they should identify the serial number as well as the make and model information of the wiped hard drive, the date and time of when the information was wiped, and a listing of how much information was wiped."
  • sandy ingram on 29 Nov 10
     
    "According to a recent global survey on data wiping practices, Kroll Ontrack, the leading provider of information management, data recovery, and legal technology products and services, found less than half of businesses regularly deploy a method of erasing sensitive data from old computers and hard drives. Of the 49 percent of businesses that are systematically deploying a data eraser method, 75 percent do not delete data securely, leaving most organizations highly susceptible to data breaches, which plague businesses at least once a year according to the 2010 Kroll Ontrack Annual ESI Trends Survey and cost an organization an average of $6.75 million per breach according to the 2009 Ponemon Cost of Data Breach Study."
sandy ingram

Identity Theft Resource Center ITRC 2008 Breach List - 0 views

www.idtheftcenter.org/...ITRC_2008_Breach_List.shtml

itrc breaches 2008 report

shared by sandy ingram on 10 Mar 09 - Cached
  • sandy ingram on 10 Mar 09
     
    The ITRC breach list is a compilation of breaches confirmed by various media sources, notification lists from state governmental agencies.
sandy ingram

Data breach laws, e-discovery increase compliance duties - - 0 views

www.fiercecio.com/...2010-04-17

data breach laws Compliance privacy security ediscovery identity theft

shared by sandy ingram on 20 Apr 10 - Cached
  • The Massachusetts law applies not only to businesses in the state but to any company that keeps personal data on the state's residents. George examines two parts of the law that are particularly notable because they require action to avoid breaches--not just notify victims after the fact.
  • Businesses are required to have a working information security program for protecting personally identifiable information, and they must submit a written information security program to the state. They also must encrypt data in motion and at rest, including information on portable devices such as USB drives, laptop computers and smartphones.
  • A second complicated--and evolving--area of compliance is e-discovery, which is the process of handing over electronically stored information requested during a lawsuit.
  • sandy ingram on 20 Apr 10
     
    States are getting tougher when it comes to trying to protect their residents' personal data from breaches, and a new law in Massachusetts raises the bar by setting a fine of $5000 per record lost. As Randy George at InformationWeek reports, a company could be fined $1 million for losing one laptop with personal data on just 200 residents of the Bay State
sandy ingram

Heartland CEO says data breach was 'devastating' - 0 views

www.computerworld.com/...article.do

shared by sandy ingram on 18 Jun 09 - No Cached
  • Heartland handed out a USB drive containing the malicious code that it had discovered on its networks as a sign of its willingness to share details of the attack with others in the industry
  • The efforts have been noticed. Though Heartland still faces a flurry of lawsuits, and potentially big fines from card companies, customer attrition has been minimal, and so too has the damage to the company's reputation within the industry.
  • sandy ingram on 18 Jun 09
     
    Heartland Payment Systems chief executive Robert Carr remembers what it felt like when he first heard about the massive data breach at his company earlier this year. "I wanted to throw up. It was devastating," says Carr, recalling how he felt upon realizing that one of his worst fears had come true. "People had asked me for years 'what keeps you awake at night' and I would keep telling them it was the fear of a data breach,"
sandy ingram

Nation's toughest personal info law about to take effect -- Government Computer News - 0 views

gcn.com/...-law-personal-information.aspx

Breach Law WISP pii security MA Laws

shared by sandy ingram on 30 Jan 10 - Cached
  • Businesses that hold personally identifiable information on Massachusetts residents have one month to comply with what security experts are calling the toughest data security requirements in the nation. The Massachusetts Data Breach Law, passed in 2007, goes into effect March 1 and requires personal information in networked systems to be protected with strong encryption, firewalls, antivirus and access controls.
  • The law was written in response to the theft of information on more than 45 million credit card accounts from TJX Companies in 2007
  • The law is designed to ensure “the security and confidentiality of customer information,” based on current industry standards, focusing on threats that can or should be anticipated. The regulations take into account the size of a business, the amount of resources available to it, the amount of personal data held and the sensitivity of the data. It covers paper and electronic records and requires physical and IT security.
  • ...1 more annotation...
  • written information security plan (WISP). “Ninety percent of the clients I deal with on this law do not have a WISP.”
  • sandy ingram on 30 Jan 10
     
    "Businesses that hold personally identifiable information on Massachusetts residents have one month to comply with what security experts are calling the toughest data security requirements in the nation. The Massachusetts Data Breach Law , passed in 2007, goes into effect March 1 and requires personal information in networked systems to be protected with strong encryption, firewalls, antivirus and access controls."
sandy ingram

Few businesses are likely to be insured against the result of cyber attacks - Security ... - 0 views

www.securitypark.co.uk/security_article263278.html

Best Practice Privacy Security Insurance Employee Fraud unemployment resession

shared by sandy ingram on 21 Jul 09 - Cached
  • Businesses are advised to thoroughly review risk management procedures and insurance programmes to ensure they have adequate and relevant cover in place: “The responsibility to get the house in order should lie with an organisation’s Managing Director or Finance Director, and not the IT department alone,” says Simon. “IT defences whilst vital only react to known problems and are not guaranteed to be 100 percent secure. Protection for the whole business and its sustainability is without doubt the safest option.”
  • “The economic downturn has resulted in people of all levels and responsibilities losing their jobs, and those with a detailed knowledge of their former employers’ IT and operating systems may well present a real potential threat, and turn to extortion as a way of taking revenge on their former employer, and of making some money at the same time.
  • According to The Wilson Organisation, insurers and underwriters are predicting a rise in white collar extortion as the recession continues to bite and unemployment figures increase. Worryingly many businesses do not have insurance cover for data or business loss.
  • sandy ingram on 21 Jul 09
     
    According to The Wilson Organisation, insurers and underwriters are predicting a rise in white collar extortion as the recession continues to bite and unemployment figures increase. Worryingly many businesses do not have insurance cover for data or business loss. "According to a DTI Information Security Breaches Survey, a third of UK businesses think general business insurance provides full cover for damage to the business arising from data loss," comments Wilsons' Simon Hoare, "but the reality is quite different, with very few businesses likely to be insured against the result of cyber attacks on its most crucial management and business tool - corporate and customer information, most of which is today held on corporate IT systems. "For public company directors, this is in fact in breach of their duties under the Turnbull Report, which requires them to identify, manage and take an informed opinion on the transfer of risks for the business."
sandy ingram

Ponemon Study: 73% Believe Cloud Providers Do Not Protect User's Confidential Informati... - 0 views

www.infolawgroup.com/...users-confidential-information

ponemon study Privacy security cloud cybersecurity

shared by sandy ingram on 14 May 11 - No Cached
  • Growing scrutiny of cloud computing security in the first half of this year is not surprising in light of the numerous data breaches, privacy issues and headline grabbing cloud outages that have occurred recently
  • The 26-page survey report returned a stunning conclusion – though one not surprising to those familiar with legal contracting for cloud computing; namely that a majority of cloud providers do not believe data security is their responsibility - but the customer’s. 
  • In addition, the survey revealed that a “majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage.
  • ...7 more annotations...
  • Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.”
  • The study further reports that the majority of cloud providers surveyed “admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.”
  • One bit of somewhat good news the survey revealed is that “about one-third of the cloud providers in our study are considering such solutions [providing additional security] as a new source of revenue sometime in the next two years.”
  • Another of the report’s conclusion is that “the focus on cost and speed and not on security or data protection [in cloud offerings] creates a security hole.” This potential “security hole” is a prime reason we advise clients, in certain circumstances, to be prepared to walk away from cloud providers under consideration if adequate and legally defensible security measures cannot be adequately negotiated and contractually provided for.
  • The report also states that “cloud providers are least confident about the following security requirements: Identify and authenticate users before granting access Secure vendor relationships before sharing information assets Prevent or curtail external attacks Encrypt sensitive or confidential information assets whenever feasible Determine the root cause of cyber attacks
  • These are serious security concerns any way you slice it
  • The fundamental takeaway from the Ponemon study is that cloud security is very much a work in progress, and that any cloud initiative or plan for corporate cloud usage needs serious due diligence by representatives from business, IT and legal working in conjunction
  • sandy ingram on 14 May 11
     
    Growing scrutiny of cloud computing security in the first half of this year is not surprising in light of the numerous data breaches, privacy issues and headline grabbing cloud outages that have occurred recently.
sandy ingram

Five Steps to HITECH Preparedness - CIO.com - 0 views

www.cio.com/...e_Steps_to_HITECH_Preparedness

HITECH privacy security Compliance CIO

shared by sandy ingram on 23 Jun 09 - Cached
  • In 2008, 44% of breach incidents were due to third-party handling of data. With HITECH, organizations will now be held responsible for a third party's handling of your data
  • sandy ingram on 23 Jun 09
     
    In 2008, 44% of breach incidents were due to third-party handling of data. With HITECH, organizations will now be held responsible for a third party's handling of your data
1 - 20 of 48 Next › Last »
Showing 20 items per page