$2.7 Million: The Costs of OHSU’s Security Shortcomings

The Oregon Health & Science University recently resolved an investigation into two breaches of electronic health data occurring in 2013, resulting in a payment of $2.7 million and three-year corrective action plan to prevent future security issues.

According to Tamara Hargens-Bradley, spokesperson for the U.S. Department for Health and Human Services Office for Civil Rights, these breaches occurred across multiple channels:

“The first incident involved a stolen laptop and the second resulted from the use of an internet-based information storage service, or ‘cloud storage’ service, without a business associate agreement,” she said. “No harm was reported by patients.”

The breaches occurred within three months of each other, both the result of improper security protocols. The stolen laptop was not encrypted at the time of its theft, and Google, the company hosting the illegally accessed spreadsheet, had no contractual relationship with OHSU to securely store sensitive information. These failings bring to light previous security incidents in OHSU’s infrastructure, occurring in 2009 and 2012 and affecting nearly 15,000 patients.

Since the 2013 breaches, the OHSU has taken steps to improve its security protocols, including:

  • Stronger computer encryption across the campus
  • Free identity theft protection for at-risk patients
  • Toll-free phone outreach for patient concerns and support

Steps to Security

OHSU has committed itself to a three-year security action plan to prevent future data loss, but its strategy may be shortsighted. Its commitment to supporting affected patients is necessary, but it is little more than a damage control measure. Pledges to strengthen computer encryption across the university will do nothing to support cloud-based security infrastructure or prevent theft of the hardware itself.

Better security is a product of planning—reacting after the fact isn’t enough to enact meaningful change. Structures must be in place before breaches happen; and for organizations like OHSU that have suffered myriad breaches over the past seven years, these structures can’t come soon enough:

  • Preparation: Security should be delegated to a specific task force that is trained in crisis management and has dedicated plans for how to solve emerging threats.
  • Detection: Organizations must know where breaches are before they can be addressed.
  • Removal: Workflows for how data breaches will be contained and addressed help teams act efficiently.
  • Post-Recovery Response: Data must be reviewed on how the breach occurred, why it occurred, and how to reinforce security to prevent it from happening again.

While prioritizing affected patients and communication are good first steps, OHSU has a long road to travel before it’s ready to build structures that support true organizational security.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing, and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

More Data Vendors Means More Data Risk, says EMC

The future is hard to predict, and a new survey by EMC shows that the IT industry is ill-equipped to take on the challenge. According to the Global Data Protection Index, a survey of 2,200 IT professionals and decision makers across 18 countries, businesses are not prepared to tackle the emerging road blocks of data security.

Key statistics from the report include:

  • 18 percent of survey respondents predicted that their organization’s data security infrastructure could support future business challenges.
  • 10 percent said the opposite—their organizations were unprepared to handle emerging issues.
  • 34 percent admitted that their organizations could handle “some” future challenges.

The report also detailed the costs associated with unplanned system downtime. On average, a business can expect to lose $550,000 and 22 hours of employee labor during each down period. In addition, the losses compound as more data vendors are involved—businesses with four or more data vendors had to wait an average of 37 hours before all processes were restored.

Complex Data Environments

Why do multiple vendors make things so complicated? According to Michael Wilke, EMC senior director of marketing, Core Technologies, it all comes back to data. He explained that each vendor has its own strategies for deploying solutions and data protection, and as the number of vendors increases, the data environment becomes less transparent and harder to manage.

“Monitoring complex data protection environments becomes extremely difficult, making failed backups harder to detect and rectify,” he said.

Moreover, these backups are necessary for data security—EMC’s report found that hardware failure was the biggest cause of unplanned system downtime, followed by power loss, software failure, and external breaches. As EMC revealed, this downtime can significantly affect a business’s productivity and financial security, making it essential that organizations relying on multiple vendors have security solutions in place.

The Cloud Solution

Despite how unprepared many businesses seem, all hope isn’t lost. According to the research, cloud technology was a common and well-regarded solution for data protection. Of those surveyed, the majority utilized cloud recovery in some form:

  • 45 percent used cloud services for archiving and long-term data retention.
  • 33 percent used cloud services as a mobile device backup.
  • 21 percent relied on cloud technology for disaster recovery.

Though most businesses these days rely on the versatility of multiple data vendors, this flexibility comes at a cost. Each data vendor involved places the organization at greater liability. Moving forward, businesses need to understand the risks inherent to sharing sensitive information, even with reputable data vendors, and try to prevent downtime, create backups, and utilize cloud storage should a problem occur.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Privacy Survey Highlights the Poor State of Data Security

Risk management remains a priority for legal firms across the world, but new research is showing just how unprepared many industries are to take on the challenge.

Guidance Software performed a data risk and privacy survey on a variety of industries, including government firms, IT industries, and financial services. The respondents, primarily security executives and security analysts, shed light on the current state of information security and how they felt security should be handled moving forward:

  • 48 percent reported feeling unprepared to identify and protect sensitive information from data breaches, mishandled devices, or human error.
  • Despite this lack of confidence, 46 percent believe that protecting sensitive data is a top priority.

The survey also asked how data security should be handled:

  • 69 percent feel that it’s important to systematically delete obsolete or outdated information.
  • 55 percent are most worried about private or sensitive data residing on servers or endpoints.
  • Over 37 percent feel that a risk management solution for regulatory and policy compliance is important for data security.

Security Solutions

With so many respondents reporting discontent with the current state of data security, it makes sense that legal firms are hungry for solutions.

Risk management software lets organizations understand the flow of sensitive data, from the time of creation to its eventual endpoint throughout the workflows of each industry. These workflows include file creation, email sharing, transmission to multiple devices, and storage in databases. Without dedicated data management software, each of these points of contact creates multiple vulnerabilities that can be exploited.

Enterprise software protects data throughout every step of its use and ensures that information practices comply with external regulatory bodies, such as HIPAA.

Building a Culture of Security

Software data security through risk management platforms is the first step of total information governance. To ensure true data security, the most significant security variable present in any enterprise must be addressed—employees.

According to IBM’s 2014 Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. Legal firms must mitigate employee mishandling of information by creating protocols governing data use. Across email, mobile device communications, and file transfers on external storage systems, employees must follow defined rules that dictate how they handle sensitive data.

The effort required to implement these protocols will be substantial at first, but security practices can be refined over time to better align with the workflows of each organization. This will ensure that efficiency isn’t lost while trying to secure data. When legal firms have a strong culture of security backed by risk management software solutions, data breaches and information loss will become concerns of the past.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Hacking Medical Records: A Growing Threat

A disturbing upswing in medical-record hacking requires all custodians of such data to take a hard look at their security apparatus. For the people whose medical records are compromised, the consequences can be even more devastating than having financial records stolen.

[Image: Medical Records. Source: freedigitalphotos.net]

When a major retailer suffers a data breach that compromises customer credit- and debit-card information, there is a narrow set of potential consequences for the affected customers. A criminal can use the information to assume the victim’s identity, make fraudulent transactions, and ruin his or her credit. Although these are serious concerns, there are countermeasures available to limit or eliminate the risk; law enforcement, credit providers, and reporting agencies are proactive in resolving these issues when they happen.

However, when medical information is compromised, the impact is wide-ranging and long lasting. If one’s medical history is published on the Internet for all to see, personal information like substance abuse or mental health issues could affect an individual’s ability to get a new job or obtain quality health insurance at reasonable rates. Personal relationships can also be damaged or destroyed by a breach. Even sensitive data, once published online, is hard to erase.

This was thrust into national awareness recently with the cyberattack on Sony Pictures, which exposed employees’ personal medical records besides other sensitive information such as Social Security numbers and passport numbers. The breach, with other recent medical-record breaches, points out issues that have not previously received the attention they deserve:

  • The custodians of medical records are not limited to hospitals, clinics, insurance companies, and doctors’ offices.
  • Not everyone who possesses medical records and other personal data protects them well.
  • An individual has little or no control over who has access to their health records, how those records are stored, or what happens to them. Custodians are trusted to protect this information and not misuse it.

Some ask why Sony Pictures possessed that level of detail on their employees’ health histories. Everyone who is responsible for other people’s medical records should ask that same thing of themselves when the stored data serves no compelling business purpose and is not required by law or regulation.

The lax attitude toward medical record security stems from a belief that there is little for hackers to gain from accessing these records, and that they therefore do not require the level of protection that financial data does. However, given the level of risk to patients, and the potential loss of trust and damage to a company’s reputation, organizations should look closely at medical record security.

Written by Dean Van Dyke, Vice President, Business Process Optimization

How Your Legal Department Can Prepare for a Data Breach

[Image: Contract. Source: freedigitalphotos.net]

Data breaches, their prevention and responses to them are an IT problem, but other areas of a business must prepare as well. A company’s legal department must be more invested in data breaches—by reviewing contracts, amending them if needed and participating in a breach response team.

Contract Review

These days, almost all contracts need language that defines each party’s responsibilities in preventing data breaches and responding to them. Failing to have such language invites finger-pointing and lawsuits when breaches occur. The contract language around data security must be in alignment with the company’s internal data security policies and with any relevant regulatory requirements (such as HIPAA for healthcare data) and third-party standards (such as PCI DSS for credit card data).

Not all of a firm’s contracts contain such language, and those that do may be out of date. Forward-thinking legal departments have their contracts organized using a contract management software system that enables them to search through and quickly identify which contracts contain no data security provisions and which need to be amended when policy or regulatory requirements change. Companies without such systems face a more laborious task of reviewing each contract manually—and doing so repeatedly, given the fast-changing regulatory landscape.

Breach Response Planning

A disaster recovery plan, which is executed when a disaster such as a fire, earthquake or flood disrupts the operations of the business, identifies a disaster response team. This team comprises representatives from each part of the business and defines each member’s roles and responsibilities during a disaster.

Similarly, businesses should have data breach response plans and response teams. Team membership will vary from one firm to another, but typically involves the IT, accounting, public relations and legal departments, and the company’s senior leadership. These response plans outline the steps each team member must take to assess the scope of the incident, prevent further damage, investigate the cause and communicate with the media, customers, suppliers, law enforcement and (if applicable) shareholders.

The legal department’s role is to assess the firm’s contractual obligations regarding data breaches and ensure the company responds accordingly. Among the actions the legal department takes will be to determine, for each contract, whether the current data breach meets the definition in the contract and warrants action.

Disaster recovery planning experts recommend that disaster recovery plans be reviewed and tested regularly; testing includes having all the team members respond to a simulated disaster. The same approach should be taken for data breach response plans to keep strategies up to date and eliminate gaps or duplication of effort.

Data breaches—both those that involve hacking in from outside, and deliberate or accidental breaches from within—are on the increase, and it is highly likely that all companies, large and small, will experience some sort of breach. Those that are not prepared may not survive to do it right the next time.

Written by Desh Urs

What Small Businesses Can Do to Prevent Data Breaches

Although large-scale data breaches of major corporations make the headlines, smaller businesses may be more vulnerable to an attack and less able to recover from one. Here are actions smaller businesses can take to keep their data safe from hackers.

[Image: Audit Calendar. Source: freedigitalphotos.net]

We’ve all heard about the high-profile data breaches at major retailers, such as the ones at Target and Home Depot that compromised millions of customers’ credit and debit card records. Such information is a natural target for hackers, who can profit by selling the stolen records. Some attacks, however, such as the recent breach at Sony Pictures, are less about financial gain than embarrassing the targeted company.

Large companies become targets because of the data they have; even a small breach can be profitable for a hacker. These companies also have the resources both to defend against such attacks and to respond when there is a breach.

Smaller companies do not possess the same treasure trove of data, which contributes to a false sense of security for these firms. This is a dangerous attitude to have, considering how much small- and mid-sized businesses stand to lose—they may not have the resources to pay for credit-monitoring services for all their customers, and might not withstand the hit on their reputations.

A few commonsense practices can make smaller companies less vulnerable to hackers:

  • Invest in a security audit. Have a professional analyze your systems for vulnerabilities and recommend actions to take to make them more secure.
  • Limit the customer data you store. You can’t lose what you don’t have. Look at your business processes and consider whether you can eliminate the storage of credit card numbers or other sensitive data. Most payment processors have ways to process credit card transactions without requiring local storage of credit card numbers.
  • Keep your systems up to date. Keeping your operating systems and software up to date can eliminate many vulnerabilities that hackers rely on. Often, these updates can be automated.
  • Instead of trying to keep all your sensitive-data business processes (such as payment processing) in-house, consider farming them out to third parties that assume the risk and have dedicated security teams. Do your homework, though: find a provider with a good reputation, positive references, and up-to-date security certifications, and examine their service agreement to confirm that you aren’t liable in case of a breach.

While smaller businesses may not present as enticing a potential payoff to hackers, taking these few simple steps can make your small business an even less attractive target, and encourage hackers to set their sights elsewhere.

Written by Desh Urs

Accidental Data Breaches and How to Prevent Them

There are two basic ways that data breaches occur: Deliberately (where someone, within or outside an organization, intentionally and maliciously accesses the organization’s sensitive data), or accidentally. Within the “accidental” category, data breaches occur either by failing to follow procedures or by failing to implement and use technical safeguards. An effective data security plan incorporates both procedural and technical elements to prevent accidental data breaches.

[Image: Employee Made A Blunder While Working. Source: freedigitalphotos.net]

A recent report by the state of California revealed that accidental data breaches account for 47% of all data breaches reported to the state government. Although the accidental breaches accounted for only 7% of the compromised records, it’s still a significant number. It’s safe to assume that most or all could have been prevented by having comprehensive data security procedures in place and followed, and by implementing technical safeguards, such as encryption.

Often, sensitive data is released because employees fail to recognize that the information is sensitive and needs to be protected. Paper documents with Social Security numbers or credit card data are put in the trash or recycling bin instead of being shredded, or healthcare records are “temporarily” placed on USB flash drives or laptops then misplaced. Everyone in the organization must be able to identify sensitive data, and the criteria for classifying data must be spelled out. A simple rule to follow is that all data should be sensitive until proven otherwise.

In other cases, policies regarding how to protect sensitive data are nonexistent, poorly understood or poorly enforced. Procedures that don’t exist, are excessively complicated or haphazardly enforced will not be followed. These policies should be clear and easy to follow, and everyone should be trained on them—not just once, but on an ongoing basis.

Humans forget; they take shortcuts and they lose things. Technical safeguards can help where humans fail. Most computer operating systems can be configured to not only require user account passwords, but to require that the passwords meet certain complexity criteria and that users change their passwords periodically. Similarly, computers can automatically lock themselves when unattended.

Going further, many devices, such as laptops, tablets, smartphones, and flash memory, can be configured so data files are encrypted. The California report found that 26 percent of data breaches were due to lost or stolen physical devices, yet the data could not have been accessed had passwords been required.

Even more sophisticated (and expensive) technical solutions are available, such as monitoring software that automatically identifies sensitive files and prevents them from being copied onto flash drives, emails or web pages.
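As an added illustration of the content inspection such monitoring software performs (example code written for this page, not iBridge’s tooling or any vendor’s product), the Python below scans a constructed set of files for the XXX-XX-XXXX Social Security number layout and for Luhn-valid payment card numbers, reports only masked values so the scan report does not become a second copy of the data, and applies the rule that data is sensitive until proven otherwise by labelling files without findings as “unreviewed” rather than “public”. The file names, contents and the plausibility rules are assumptions made for the example.

```python
"""Minimal content-inspection scanner: flags files that contain Social
Security numbers or Luhn-valid payment card numbers so they can be
classified and protected. Example code added to this page; it is not
iBridge's tooling or any vendor's DLP product."""
import re
from typing import Dict, List

# The XXX-XX-XXXX layout described in the article.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the Social Security Administration never issues:
    area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; screens out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in any report the scanner produces."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Return masked SSN and card findings for one piece of text."""
    findings: Dict[str, List[str]] = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings["ssn"].append(mask("".join(m.groups())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings["card"].append(mask(digits))
    return findings


def classify_files(files: Dict[str, str]) -> Dict[str, str]:
    """Label each file 'restricted' on a finding; everything else stays
    'unreviewed' (sensitive until a human proves otherwise), never 'public'."""
    labels = {}
    for name, content in files.items():
        f = find_sensitive(content)
        labels[name] = "restricted" if (f["ssn"] or f["card"]) else "unreviewed"
    return labels


# Constructed sample files (assumed names and contents, not real data).
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire Jane Doe, SSN 123-45-6789, start date 2015-03-02",
    "finance/refund.csv": "order,card\n10042,4111 1111 1111 1111",
    "ops/orders.log": "order 1234 5678 9012 3456 shipped; contact 000-12-3456 is a test id",
    "marketing/blurb.txt": "Call us at 503-555-0100 for a quote.",
}

if __name__ == "__main__":
    for name, label in classify_files(SAMPLE_FILES).items():
        print(f"{label:11} {name}  {find_sensitive(SAMPLE_FILES[name])}")
```

The order number in `ops/orders.log` has the shape of a card number but fails the Luhn check, and `000-12-3456` has an area number that is never issued, so neither file is flagged; a scanner that matched on shape alone would flag both and teach users to ignore its alerts.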

No data security plan should rely solely on policies and procedures or on technical solutions. The best plans incorporate both.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Your Data and the Law: Unanswered Questions

In the U.S., the pace of technological advance outstrips the ability of the justice system to keep up. Courts are at a loss to fit new technologies into existing legal frameworks and theories. Judges are slow to extend traditional statutory and Constitutional protections to new industries and practices. Until the judiciary catches up, individuals should be careful with how they manage their personal electronic information.

Source: freedigitalphotos.net

One technological issue that the courts only recently have addressed is that of electronically stored information (ESI)—the documents, photos, emails, posts, tweets and computer files of all kinds that now pervade most of modern American life. Numerous legal questions have seen conflicting legal rulings (or no legal rulings) and therefore remain unresolved. For example:

  • Who owns your data? If you store data in the cloud, does it still belong to you, or to the cloud-storage custodian you have entrusted it to? If it is lost, or corrupted, or stolen, who is responsible, and what are the fair and equitable remedies?
  • Who owns data about you, and what are their responsibilities regarding that data? As the Edward Snowden leaks revealed, federal government agencies have met no resistance from phone companies when asking for data regarding people’s calling histories. Even if you do not technically own that data, should you have a right to be informed when the data they are requesting is about you?
  • What—and how much—data can reasonably be seized and searched by law enforcement with a search warrant?

Cases that address these questions (and others) are making their way through the court system and will become settled law. It will take time for law enforcement, prosecutors, defenders and judges to understand the intricacies of these questions and the underlying technologies, and how the existing laws and regulations address them. In the meantime, there are things you should think about regarding your own data:

  • Convenience vs. risk: Although it might make life easier to have documents, photos and other files stored in the cloud, ask yourself: What if the cloud storage company goes out of business, or has a catastrophic technical failure that renders your files temporarily or permanently inaccessible?
  • Protection from snooping: What is the cloud storage company’s policy regarding government requests to access your data? What are the limits to that access? Unless the courts decide otherwise, law enforcement has the right, with a warrant, to access all of your data, including items that are unrelated to the investigation. Even if you have nothing to hide, could the files you store be manipulated, put together and interpreted in a way that makes you (or someone else) look like a criminal?
  • What about your devices? The U.S. Supreme Court ruled unanimously that law enforcement cannot seize or search your cell phone without a warrant. If they obtain a warrant, however, there is nothing to stop them from examining details that have nothing to do with the investigation. It is also unclear how the ruling applies to other types of devices, such as your increasingly computerized and connected automobile.

None of this should discourage anyone from taking advantage of the technological advances making lives easier, more efficient, more informed and more connected. But until the law catches up with the technology, it would be wise to put thought into where you put your data.

Written by Desh Urs

Social Security Numbers: A Convenient Way to Get In Trouble

Social Security numbers (SSNs) are a great way to identify people; almost every U.S. citizen, even babies, has one, and each is unique. However, collecting, storing and using them outside of approved contexts not only can put you on the wrong side of state and federal laws, it can also make you a target for hackers.

In the beginning of the U.S. Social Security program, the now-familiar XXX-XX-XXXX number was used to track workers’ contributions and benefits, and nothing else. Over the years, governments at all levels, schools, hospitals, lenders and myriad other organizations found it was convenient to use these numbers to uniquely identify people, for many purposes. There was a time when SSNs were used for tax IDs, student IDs, employee IDs, insurance IDs, and much more. Many even had them printed on bank checks without thinking twice.

Then the Internet happened.

Source: freedigitalphotos.net

Almost overnight, the convenience that made SSNs so broadly used became a liability. Someone with your SSN and not much else could open credit accounts in your name, assume your identity and ruin you financially. Because they were everywhere, SSNs were easy for fraudsters to get. And the Internet, coupled with lax data security practices, made it easy to obtain, distribute, and misuse them.

Governments and businesses got wise and started putting restrictions on the collection and use of SSNs and rules on how they were to be protected. The federal government and over 40 states now have laws that prescribe how, and for what purposes, SSNs may be collected, stored and used by businesses and governments. The laws vary from state to state, but boil down to prohibiting businesses from asking for SSNs except for employment, taxation, background checks and medical treatment. Some states further require businesses that can collect SSNs to meet certain security standards for storing them. Many states also restrict the use of SSNs on printed or electronic documents.

If your business—or a business you deal with—collects SSNs, you should be asking why. If the answer is simply to identify people, the liability you are opening yourself up to outweighs the convenience. Find another way to identify people; most computer systems are good at generating their own unique identifiers.

If you have a legitimate need to collect and store SSNs (and check the laws on what constitutes “legitimate,” not only for your state, but for other states you do business in, plus the federal laws), you had better make sure they are protected. The rules published by the Payment Card Industry (PCI) group for protecting credit card numbers provide good guidance for protecting SSNs and other forms of personally identifiable information as well. Some states also require SSN-collecting businesses to have written policies in place to inform customers how and why their SSNs are being collected and used; you may need an attorney to help draft these policies.

The penalties for running afoul of these laws can be severe, on top of the civil and reputational liabilities incurred if a data breach occurs. Reduce your risk by examining your SSN collection and use practices and getting rid of any that are not legitimately needed.
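The two practical steps above (find out where SSNs are being collected and stored, and, where they must be kept, protect and mask them the way PCI treats card numbers) can be put into code. The following is an added example, not code from the original post or from iBridge: a small audit-and-minimization helper that scans a document for SSN-shaped values using the SSA's structural rules, masks them to the last four digits for display, and derives a keyed surrogate identifier (HMAC-SHA256 under a secret "pepper") so records can be matched without the raw number being stored. The pepper value and the sample record are constructed for the example; the functions, their names and the sample text are assumptions, not anything from the page.

```python
import hashlib
import hmac
import re

# Constructed secret for this example only. In a real deployment the pepper
# comes from a secrets manager or HSM and is never stored next to the data.
EXAMPLE_PEPPER = b"example-pepper-do-not-use-in-production"

# SSA assignment rules: area (first 3) is never 000, 666 or 900-999,
# group (middle 2) is never 00, serial (last 4) is never 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def is_valid_ssn(ssn: str) -> bool:
    """Structural check only; it says nothing about whether the SSN was issued."""
    return SSN_RE.fullmatch(ssn) is not None


def find_ssns(text: str) -> list[str]:
    """Audit helper: list every SSN-shaped value in a document, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def mask_ssn(ssn: str) -> str:
    """PCI-style truncation: show only the last four digits."""
    if not is_valid_ssn(ssn):
        raise ValueError("not a structurally valid SSN")
    return "***-**-" + ssn[-4:]


def ssn_token(ssn: str, pepper: bytes = EXAMPLE_PEPPER) -> str:
    """Keyed surrogate identifier for an SSN.

    HMAC-SHA256 over the nine digits under a secret pepper lets records be
    matched or de-duplicated without storing the SSN. A plain (unkeyed) hash
    would not do: the whole SSN space is under a billion values and could be
    enumerated offline, so the pepper is what makes the token non-reversible.
    """
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected nine digits")
    return hmac.new(pepper, digits.encode("ascii"), hashlib.sha256).hexdigest()


def redact_document(text: str) -> tuple[str, int]:
    """Replace every SSN in a document with its masked form; return (text, count)."""
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        count += 1
        return mask_ssn(match.group(0))

    return SSN_RE.sub(_mask, text), count


# Constructed sample record for the example. Note the anti-pattern the post
# describes: an SSN reused as an employee ID. The phone number and the
# malformed "000" value must not be reported as SSNs.
SAMPLE_RECORD = (
    "Applicant: J. Doe\n"
    "Employee ID: 123-45-6789\n"
    "Phone: 503-555-0100\n"
    "Dependent: 000-12-3456\n"
    "Spouse SSN: 321-54-9876\n"
)


if __name__ == "__main__":
    found = find_ssns(SAMPLE_RECORD)
    print(f"SSNs found in record: {found}")
    redacted, n = redact_document(SAMPLE_RECORD)
    print(f"Redacted {n} value(s):\n{redacted}")
    print("Surrogate for first SSN:", ssn_token(found[0]))
```

Running the module as a script prints the two SSN-shaped values found, the masked copy of the record, and the surrogate token; the phone number and the "000" entry are left alone. The same scanner can be pointed at exports of databases, spreadsheets and document shares to answer the post's first question, where are SSNs being kept, before deciding which of those stores are legitimately needed.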

Written by Desh Urs

New Report: Data Breach Threat Prep Improves but Falls Short

It is no secret that sensitive consumer data is a popular target for hackers and cybercriminals. While there is room for improvement, a new study from Experian and the Ponemon Institute shows significant increases in awareness of, and preparedness for, data breaches among executives and the companies they lead.

Just as important as being prepared for data breaches is having breach action plans in place so companies can take appropriate steps to respond and minimize damages. Rather than waiting for the other shoe to drop, being prepared is a crucial first step to lessening the effects of consumer-compromising data breaches and the corresponding blows to companies' reputations.

Source: freedigitalphotos.net

Positive Changes

The Ponemon study shows a 10 percent increase in companies who report they have privacy protection training programs in place. These initiatives train employees and contractors who may deal with sensitive consumer data on how it must be managed. In addition, nearly three-quarters of all companies have some type of breach action plan ready to go, and one-quarter of the companies surveyed say they currently hold some type of “cyber insurance” policy to help minimize the financial costs of devastating data breaches.

Tough Pills to Swallow

However, nearly one-half of survey respondents reported that their companies experienced a significant data breach (one involving more than 1000 records) last year. This number is up nearly 10 percent from the previous year’s data. More sobering is the 30 percent of respondents who reported that they believe their companies’ current response plans to be inadequate.

Merely having a plan is not enough. It must be airtight and regularly updated due to the rapidly changing nature of breach threats in a wired economy. From the report:

“Regular reviewing, updating and practicing a data breach plan based on changes in the threat landscape and a company’s structure are essential for properly managing a breach.”

That statement is a clear indictment of most companies’ data breach preparedness plans: they are not adequate to begin with, and they are not regularly updated to remain relevant. There is a long way to go still for proper data breach preparedness.

The Road Ahead

The Ponemon report makes a few key recommendations for companies hoping to make genuine good-faith efforts to secure consumer data and minimize their own financial risk should breaches occur:

  • Regular assessments and updates to existing breach response protocols
  • Involving the top brass – CEOs, boards of directors and others – in breach prep and risk assessment
  • Improved training for employees on how to properly guard sensitive consumer data

If companies hope to protect their most valued assets – their customers and their own reputations – from the devastating losses that may result from serious data breaches, it is time to get down to brass tacks. Having a plan is not enough; that plan must be regularly updated, tested and improved. Without a sincere effort at staying ahead of the threat, consumer data will remain ripe for the wrong parties’ picking.

Written by Ashok Kumar, Manager, Information Security

Mr. Ashok Kumar brings over 14 years of Information Technology and Information Security experience to iBridge. He has worked in Healthcare, BPO, Telemedicine, Remote IT Infrastructure Monitoring and Management, Software Development and Information Security Management. He has an understanding and knowledge of network routers, L2 & L3 switches, virtual Cloud infrastructure, Firewalls, UTMs, Server architectures and Server OS platforms including Novell NetWare, UNIX, Windows, Linux, and Solaris.

Ashok has played key roles in system design and capacity planning for enterprise-class, data-intensive applications for distance learning and diagnostics in healthcare. Recently, he was the lead architect for the design and deployment of a failover solution in healthcare for Patient Health Information (PHI) and demographics. He brings a well-balanced approach between budgets, requirements, and maintenance.

He leads the company in ISO 27001 process implementations, threat and risk assessment. He is responsible for all aspects of security at iBridge and maintaining a best-in-class environment for internal users and clients.