$2.7 Million: The Costs of OHSU’s Security Shortcomings


The Oregon Health & Science University recently resolved an investigation into two breaches of electronic health data that occurred in 2013, resulting in a payment of $2.7 million and a three-year corrective action plan to prevent future security issues.

According to Tamara Hargens-Bradley, spokesperson for the U.S. Department of Health and Human Services Office for Civil Rights, the breaches occurred through two different channels:

“The first incident involved a stolen laptop and the second resulted from the use of an internet-based information storage service, or ‘cloud storage’ service, without a business associate agreement,” she said. “No harm was reported by patients.”


The breaches occurred within three months of each other, and both were the result of improper security protocols. The stolen laptop was not encrypted at the time of its theft. And Google, the company hosting the illegally accessed spreadsheet, had no contractual relationship with OHSU (no business associate agreement) covering the secure storage of sensitive information. These failings recall earlier security incidents in OHSU’s infrastructure, occurring in 2009 and 2012 and affecting nearly 15,000 patients.

Since the 2013 breaches, OHSU has taken steps to improve its security protocols, including:

  • Stronger computer encryption across the campus
  • Free identity theft protection for at-risk patients
  • Toll-free phone outreach for patient concerns and support

Steps to Security

Though OHSU has committed itself to a three-year security action plan to prevent future data loss, its strategy may be shortsighted. Its commitment to supporting affected patients is necessary, but it’s little more than a damage control measure. Pledges to strengthen computer encryption across the university will do nothing to secure cloud-based infrastructure or prevent theft of the hardware itself.

Better security is a product of planning—reacting after the fact isn’t enough to enact meaningful change. Structures must be in place before breaches happen; and for organizations like OHSU that have suffered multiple breaches over the past seven years, these structures can’t come soon enough:

  • Preparation: Security should be delegated to a specific task force that is trained in crisis management and has dedicated plans for how to solve emerging threats.
  • Detection: Organizations must know where breaches are before they can be addressed.
  • Removal: Workflows for how data breaches will be contained and addressed help teams act efficiently.
  • Post-Recovery Response: Data must be reviewed on how the breach occurred, why it occurred, and how to reinforce security to prevent it from happening again.

While prioritizing affected patients and communication are good first steps, OHSU has a long road to travel before it’s ready to build structures that support true organizational security.


Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing, and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.


Breach Management: The Value of Outsourcing Data Security


According to most legal firms, managing cybersecurity is not a problem.

This mindset, unfortunately, is a much bigger problem.

A Law Department Operations (LDO) survey conducted by LegalTech News in 2015 found that only seven percent of respondents believed their law firms’ cybersecurity strategies could not protect their organization’s data. The consensus was that established cybersecurity policies were enough to handle possible breaches, despite reports from the FBI in 2011 that identified law firms as major targets of cybercrime.

One of the survey respondents even laughed at the lack of caution shown by his/her fellow LDOs: “Not only will big law firms be breached, but they have already been breached. They are just not talking about it.”

With cybercrime on the rise and many legal firms feeling overconfident about their cybersecurity policies, how can law firms be sure that they are keeping data safe?

Outsourcing Data Security

If the first step in correcting a problem is admitting that the problem exists, then legal firms must acknowledge their weaknesses in the areas of cybersecurity and data control. Legal firms are not experts in data security, despite the valuable information sent through legal servers each day. This makes most firms ill-equipped to handle cybersecurity on their own.

Big companies may have dedicated IT security teams, but not all firms enjoy this benefit. If a business lacks in-house expertise, working with third-party security professionals may be necessary. However, not just any security provider will do the trick—the data security team chosen should be able to handle a wide range of issues:

  • Compliance with federal guidelines for data security
  • Hardware security, including desktop computers, cloud storage, external hard drives, and server infrastructure
  • Software security, including updating versions, patching known vulnerabilities, and maintaining malware protection
  • Big data management by way of identifying redundancies, controlling user access to sensitive data, and creating incident response plans

All other considerations aside, there are three primary things to look for when selecting a cybersecurity service provider:

  1. A firm’s ability to monitor a system in real-time to recognize breaches before they happen,
  2. The ability to stop attempted breaches before they succeed,
  3. Response strategies in place if a breach occurs.

Firms that have established protocols in these three areas will have a comprehensive system for detecting and responding to cybercrime. In addition, with hackers developing new strategies for data theft every day, legal firms do not have a second to waste in getting their data security frameworks up and running.


Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.


Americans Still Unprepared to Share Health Information Online, Pew Reports


Although healthcare technology and EHR management tools are improving in security, a new survey by Pew found that Americans are still unprepared to share their health information online.


Pew’s research showed that American tolerance for healthcare data breaches is low—just over half of Americans surveyed felt that doctors should use health information websites to manage patient records, citing privacy concerns as the biggest drawback. Another 20 percent of respondents said their comfort with online sharing would depend on the scenario, and 26 percent felt that accessing online health information was unacceptable.

Respondents cited various reasons for their aversion to online record sharing, but each reason speaks to a larger trend in the healthcare world—patients strongly safeguard their own information, and must trust the clinicians with whom they share information.

Privacy is Case-by-Case

Throughout Pew’s survey, many respondents agreed on one point: their comfort with sharing data depended on the unique circumstances of each medical situation. Before sharing their information online, respondents wanted to know:

  • Do I trust this clinic?
  • How will they store the data?
  • How will the data be used?
  • Is my data secure?

Respondents also said that the type of record stored made a difference in their comfort level. Patients were comfortable sharing surface-level information, such as appointment scheduling or basic personal details. However, they objected to having their health information and medical outcomes exposed, which they felt could negatively affect their ability to secure credit, purchase insurance, or find jobs.

“My health records are confidential,” one respondent claimed. “I don’t want them in the hands of someone unscrupulous or marketing companies possibly trying to recommend a drug or something based on a condition I may have.”

Building Trust

Despite the reluctance to share information online, respondents agreed that their personal relationship with the clinic factored into their decision to share data. If they trusted the organization, they were more open to online health records.

Clinicians must remember this as they move towards electronic health records. Although the surge in data breaches over the past few years has painted digital healthcare management in a bad light, clinics still have options to protect themselves. Choosing the right data security options for enterprise health platforms will help prevent data loss, build trust with patients, and ensure that digital records are just as secure as paper files.


Written by Desh Urs


It’s (Not) Academic: Cybersecurity Is a Must for Universities and Academic Medical Centers


Although cybersecurity has taken a central role for healthcare facilities and legal firms, cybercrime doesn’t discriminate based on industry.

Universities and academic facilities contain sensitive data just as vulnerable to outside intrusion as industries that heavily prioritize security. Student healthcare data, financial information, and other personal details are all at risk in unsecured academic networks. Over the past several years, multiple universities have reported data breaches that had significant impacts to their student body and reputation.


The University of Maryland suffered a breach in 2014 that resulted in over 300,000 compromised records, including university IDs and social security numbers. That same year, a breach at Butler University revealed the social security numbers, driver’s license information, and bank account data of over 200,000 individuals.

The financial cost of these breaches is high, but the damage isn’t limited to leaked information. Much as other victims of high-profile breaches (including Sony and Target) have recently learned, the bad PR from a data breach can be catastrophic to an institution.

Threat Prevention

As positive PR is an absolute necessity for academic organizations, a cybersecurity prevention and damage control strategy is essential.

Initial measures for beginning this plan should include:

1. Internal Threat Assessment

With over 50 percent of cyber attacks in 2014 coming from insiders, institutions must be aware of internal threats and have measures in place for assessing them. This involves creating dedicated teams with representatives from each department who can oversee internal data security in their own divisions.

2. Enhance Security Infrastructure

Academic institutions must upgrade their IT security to discourage hackers. Sensitive information should be protected with authentication credentials, firewalls, and by limiting access to only essential personnel. Better system-wide controls help prevent the unregulated flow of information that cyber breaches rely on.

3. Breach Testing

Many institutions these days test the strength of their security with the help of white hat hackers. These vendors can review the strength of your cybersecurity protocols and offer guidance on where you may be vulnerable.

4. Damage Control Planning

Should a breach occur, institutions must have a plan in place to mitigate the damage. Steps will need to be taken to lock down your systems and prevent small data losses from turning into out-of-control information breaches. This includes disclosure protocols for parties who may be affected by the data loss.

5. Getting Insured

Cyber insurance can help reduce the financial burden of leaks should a breach take place. This can be especially beneficial for large-scale organizations that handle millions of patient or customer records.

While these steps are a good start for academic organizations without cybersecurity protocols in place, they are only the first steps of a larger, system-wide push towards data security. The threats are here—academic institutions can’t afford to wait.

Written by Desh Urs


Protecting the Enterprise with Cybersecure IT Architecture


Digitization of data, products, and processes is the direction in which the world is moving.


Unfortunately, the digital revolution in IT security is occurring more slowly. Digitizing information creates new challenges for legal firms that may not be aware of the system vulnerabilities that digital data introduces.

Security Challenges

Complicated IT architecture creates system vulnerabilities for hackers to exploit, and makes malware harder to detect. With digital data becoming the new standard for information governance, security protocols must be in place to prevent unauthorized access.

A joint study by McKinsey and the World Economic Forum in 2014 showed that 71 percent of global banking IT executives believe that attackers are quicker than banks when adapting to changes in security protocols, including modifying skill sets and identifying vulnerabilities. The report also revealed that 80 percent of respondents believed that the risk of cyber-attacks and data loss will play a large role in their businesses’ security strategy over the next several years.

Given the traditionally slow response of organizations to data breaches, companies must invest more heavily in their security programs. This includes designing processes, security platforms, and overall IT infrastructure with security as a priority.

Creating Secure Architecture

A secure IT framework doesn’t rely on individual security protocols. The best security approaches incorporate multiple layers of defense throughout their implementation:

  • Threat analysis: Potential threats must be segregated based on the value at risk, letting businesses give the most valuable data the highest levels of security.
  • Multi-level restriction: Access and security must be increasingly restricted with each security layer to ensure that the inner layers are tightly regulated and controlled by employees.
  • Service integration: Security must be integrated with service architecture. This allows communication and data flow to be better monitored across the enterprise, as various service capabilities can also function as security checkpoints that provide additional levels of data protection.
  • Communication hub: Routing communication through a single application service hub provides a clear view of information flow. Aggregating data into a single point of contact allows broad assessments of suspicious data patterns and provides a secure approach to communication between applications.
  • Prioritize simplicity: With the growing complexity of data security infrastructure, companies must build their security network to function optimally with transparent and simplified processes. Reducing the number of applications that handle messaging and communication improves efficiency and makes it less likely that suspicious activities will go unnoticed.


Written by Desh Urs


5 Key Takeaways from the 2015 Cybersecurity Information Sharing Act


President Obama recently signed into law the 2015 Cybersecurity Information Sharing Act, aimed at increasing cybersecurity regulation and nation-wide healthcare security.

Though online security awareness is on the rise, the cybersecurity industry still lacks the basic infrastructure, resource planning, and information governance that effective security protocols require. The legislation, slated to take effect in 2018, addresses these concerns and creates a more prepared environment of cybersecurity awareness. Here are five key takeaways from the recent legislation:

1. The Cadillac Tax

The Cadillac Tax, the excise tax of 40 percent on health plans whose value is more than $10,200 for individual coverage, was delayed two more years—it now begins in 2020. Though the tax was originally not deductible, the Cybersecurity Act includes a clause making it tax-deductible for the employers that pay it.

2. Increased HHS Preparedness

The Department of Health and Human Services must now submit reports assessing its cybersecurity threat preparedness to congressional committees. The Act also requires HHS to choose a representative to lead cybersecurity initiatives and to describe how HHS plans to address threats.


3. Cybersecurity Task Force

The Cybersecurity Act describes a task force coalition between HHS, Homeland Security, National Institute of Standards and Technology leaders, industry experts, agencies, and stakeholders. This coalition will be charged with analyzing actions and assessing cybersecurity safeguards across industries, and reviewing challenges faced by private healthcare organizations. This also includes assessing the functioning and operability issues of electronic record keeping systems.

4. Stakeholder Education

Improving stakeholder education and preparedness is an integral part of the 2015 Cybersecurity Act. Agencies must inform key decision makers of best practices for cybersecurity, and create channels for communicating defensive measures and emerging threats. This focus on communication is predicted to improve industry-wide knowledge of cybersecurity protocols and contribute to each agency’s ability to regulate its own security.

5. Protecting the Private Sector

The Cybersecurity Act includes language that shields private-sector entities from liability when sharing or receiving cyber threat information. This includes establishing what personal data must be scrubbed before transmission and standardized timetables for notifying individuals that their information was shared.


Written by Dean Van Dyke, Vice President, Business Process Optimization


Communication as a Barrier to Cybersecurity Compliance


Though cybersecurity threats are becoming increasingly dangerous for legal firms guarding privileged data, information governance and data protection plans are still falling short.

A 2015 survey by BDO USA found that only one-third of corporate directors have documented policies in place to protect their business’s digital assets. Yet, despite this supposed lack of cybersecurity strategy, 69 percent of public company board members reported that their board was more involved in cybersecurity than it had been 12 months ago. Seventy percent of companies also reported increased spending on cybersecurity over the past year, averaging an increase of 22 percent.

What’s to blame for this disconnect between management and board members?

Failing to Communicate

According to Shahryar Shaghaghi, leader of technology services for BDO Consulting, the problem has its roots in communication.

“It is the responsibility of the IT manager to communicate with the board in a manner which the board is able to understand. Often the communication is performed in a manner which is too technical, too much in the weeds, for the board to understand,” said Shaghaghi. He added that while the disconnect appears to stem from a lack of knowledge on the surface, the underlying issue is the gap in communication between the two parties.

Risk Management Strategies

To solve the miscommunication issues facing businesses, Shaghaghi recommends instituting a “standardized, repeatable” process of information delivery from the IT department to board members. Creating a structured cyber-risk profile informs board members of the level of risk of various cyber decisions and how risk management strategies may affect their bottom line.


Image courtesy of Sixninepixels at FreeDigitalPhotos.net

Cybersecurity decisions are facing increased scrutiny in the legal world, with many public companies requiring third-party vendors (like law firms) to provide documented cybersecurity policies, and even to become ISO 27001 certified. Despite this push toward digital asset protection, BDO’s survey reported that only 35 percent of directors say their company has established cyber risk requirements for their third-party vendors.

The cyber risk profiles proposed by Shaghaghi give board members better insight into the risk/reward aspect of each cybersecurity decision and the feasibility of bringing in outside firms for third-party assessments. Though the communication disconnect between IT and the board of directors may be slow to change, the increased public focus on digital security suggests that cybersecurity governance will only improve moving forward.


Written by Dean Van Dyke, Vice President, Business Process Optimization


Personal Device Security and Online Connectivity


Cybersecurity is typically associated with data privacy in large organizations—computer networks, encryption, and secured data transfer. However, our personal information is spread across more devices than many of us realize. Even seemingly innocuous devices that have online connectivity can be vulnerable to outside access.

Fitness Breach

Security service AV-Test reviewed the security of nine fitness monitors across several brands—Acer, Fitbit, Garmin, Sony and Withings—and found that the least secure devices suffered from nine of eleven possible security weaknesses, including an inability to disconnect from Bluetooth and the exposure of user log information. While vulnerabilities like these seem insignificant compared to the large-scale data and privacy breaches that make headline news, the implications are troublesome for the data security of personal electronics. These weaknesses seem mild, yet they expose user devices to hacking, eavesdropping, and unauthorized data aggregation. Though fitness monitors and wristbands don’t hold the copious amounts of sensitive information that business systems do, they’re still exposed to unauthorized access that may cause data modification or loss.

Implications and Connectivity

These mild weaknesses don’t offer serious threats to user privacy yet, but this will change as devices become more advanced and store more sensitive user data. The lack of security present in personal electronic devices sets a troubling precedent. Cybersecurity is difficult to implement, even for high-priority devices that contain privileged information. In the current state of our cybersecurity infrastructure, basic electronic devices aren’t likely to face the same security scrutiny as more advanced technology.

Security, particularly for personal devices, is an afterthought for many businesses. Implementing better security is costly—and often deemed unnecessary for equipment that records seemingly innocuous user data. However, several devices tested by AV-Test could not disconnect from Bluetooth—a design choice meant to make the device more convenient to use, yet one that leaves users constantly exposed to outside access. Hackers are developing new ways to use such exploits, with increasingly detrimental effects on the state of our device security.

Connectivity and constant online connections are still relatively new in the technological world. While the full implications of this constant connectivity are not yet understood, it’s clear that device manufacturers must prioritize data security. Establishing acceptable security practices now will ensure that businesses have the means to upgrade their future security alongside their consumer technology.


Written by Desh Urs


Cybercrime: Redefining Security in an Unsecured World


Online security in the digital age may be a myth.

A survey by the Aspen Institute and Intel Security found that 50 percent of security professionals once believed their organizations were “very or extremely” vulnerable in the early days of cybersecurity, yet only 27 percent believe their organizations face the same level of risk in more recent years. Despite this increased confidence, 70 percent of respondents admitted that cybersecurity breaches are a growing threat to their industry. And security firms aren’t the only ones who need to worry—cyber-attacks have become commonplace across nearly every digital enterprise.


The highly publicized Ashley Madison leak in July brought online privacy and cybersecurity into the public domain, though cyber-attacks can strike anywhere. The web hosting service 000Webhost suffered a data breach in March that potentially exposed 13.5 million customer records, a significant loss of data and of credibility for a high-ranking web hosting service. Most recently, the UK-based phone and broadband provider TalkTalk was the victim of an unauthorized breach, with 4 million private customer profiles possibly exposed.

Areas of Vulnerability

The proliferation of cybercrime is made easier by weaknesses in website system architecture. Regardless of what security policies or privacy measures are in place at the enterprise level, shoddy and inefficient website code creates openings that savvy hackers can exploit. This problem is compounded by many web developers who, rather than rewrite website code (a costly and time-consuming process), “paper over” any problems that are noticed. This habit creates layered vulnerabilities in the code base that are hard for security personnel to notice, yet remain exposed to those seeking them out. The 000Webhost breach is one example of this trend, with unauthorized access gained through an exploit found in an old PHP version of the site.

These weaknesses, combined with the growing ingenuity of cyber criminals, create a system in which “privacy” may no longer exist. If criminals cannot exploit vulnerabilities in the site’s structure, they employ social engineering and manipulation to gain access to the information they want. At their core, security problems revolve around people. From the coders who develop site structure to the employees who answer the phones, the only chance businesses have at comprehensive security is efficiency and rigorous training for all employees across every part of their infrastructure.


Written by Desh Urs

FTC Ruling: Ignorance of Cybersecurity Is Not Defensible

Section 5 of the Federal Trade Commission Act allows the FTC to pursue legal action against individuals who engage in “unfair or deceptive acts or practices affecting commerce.” A recent ruling in the case of Federal Trade Commission v. Wyndham Worldwide Corporation found that the FTC’s authority extends to companies that fail to uphold reasonable cybersecurity standards when protecting private data.

Security Compliance

Often, companies facing legal action from the FTC will settle and agree to outside monitoring as they employ stronger security practices. In Wyndham’s case, the lawsuit came about from three separate data breaches in 2008 and 2009. Wyndham’s network was cracked by hackers, resulting in the loss of personal and financial data of hundreds of thousands of customers. The suit was initiated in 2012 after the FTC claimed that Wyndham had failed to upgrade its cybersecurity to appropriate levels.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net


While Wyndham argued that the FTC failed to provide specifics on what security measures needed to be upgraded, the courts decided that preexisting industry guidelines provided sufficient information about how security standards must be upheld.

Potential Liability

The court ruling established two important principles for the future of cybersecurity:

  • Inadequate cybersecurity is actionable under Section 5 of the FTC Act
  • Ignorance of proper security measures is no defense

Companies under the scrutiny of the FTC for questionable security standards face significant liability. The FTC has the authority to pursue three legal remedies for what it considers to be unfair or deceptive practices:

  • Civil penalties of no more than $16,000
  • Recovery of losses suffered by consumers who have had their information compromised
  • Legal action to freeze assets, rescind contracts, or appoint temporary receivers

These legal ramifications are on top of the damages incurred by the initial data breach. With consequences compounding the financial and reputation losses that come alongside data breaches, companies can’t afford to take cybersecurity lightly.

Businesses concerned about the state of their security must assess their current privacy policies and security infrastructure. The FTC might take action against businesses that use easily guessed passwords, fail to monitor for malware, or fail to follow proper response procedures after an incident occurs. To prevent an audit by the FTC, businesses must be aware of the regulations and make cybersecurity a top priority.

At iBridge, security is a serious topic and we continue to learn and provide information to the industry at-large. If you have a question about cybersecurity liability, legal ramifications regarding security, or other security topics, feel free to contact us or call us at 888.490.3282.


Written by Desh Urs
