Client Information Security Helping Organizations Protect Private Client Data


Make Your On-line Holiday Shopping Safer


Shopping on-line is very convenient. There are lots of options, and you will certainly find some of the best prices available. Shopping on-line is secure, and you can receive your items quickly. And if you do not like the item or it does not fit, the return process is quick and easy.

Unfortunately, the holiday shopping season can be a jackpot for cyber crooks.

According to the IID's Third Quarter eCrime Report for 2011, phishing attacks (in which thieves try to steal your sign-in credentials, and even your credit card information, by impersonating a real website) account for about 8% of sales. I

More people are shopping online than ever, which makes this holiday season the ideal time for cyber crooks to target online shopping sites.

From fake gift cards to phishing scams and social engineering, cyber-crime techniques are continuously evolving and, regrettably, very successful.

Customers have to be very careful when shopping online. The good news is that everyone can reduce the risk of becoming a victim simply by following basic security practices.

Consumers should take the following precautions when taking their shopping online this holiday season:

1. Be cautious of a great on-line deal.

A common approach by cyber crooks is to advertise extremely low prices on popular items, such as gadgets and electronics, to trick people into providing their private information.

2. Avoid using a debit card. Use a credit card instead.

If your credit card has been compromised and used to purchase items, it may be easier to resolve the problem with a credit card company than with your bank.

3. Take full advantage of the notification features of your credit card.

These notifications will automatically alert you to any unusual account activity. This is helpful throughout the year, but especially during the holiday season.

4. Under no circumstances should you buy merchandise from websites that do not utilize secure HTTPS for their buying process.

Carefully look at the browser address line during the purchase process; it should begin with HTTPS. This signals that the site has a security certificate and that the connection is encrypted, which helps protect the information you send.

5. Make sure you have installed the most recent security software patches and fixes on your computer.

When a security patch is available, installing it leaves you better protected. Cyber crooks are very good at exploiting security holes and vulnerabilities on older, unpatched systems.

Make sure you review your credit card and bank statements after the holiday shopping season. Even small charges you do not recognize can be a sign of fraud. Report unexpected charges directly to your credit card issuer or bank.

Additionally, online shoppers must be careful especially concerning emails they get. Phishing campaigns that attempt to convince customers to hand over their private and financial data tend to increase during the holiday season.

Overall, stay calm. These statistics are alarming, but they should not stop you from shopping online. Simply use common sense and follow the suggestions above; when you follow these basic rules, you can buy online with confidence.


Kentucky Becomes 47th state with Data Breach Notification Law

Kentucky Governor Steve Beshear signed H.R. 232 into law in April 2014, making Kentucky the 47th state to enact a data breach notification law. The law also restricts cloud service providers' use of student records and information.

The Kentucky Data Breach Notification Law follows the same general structure as many other states' data breach notification laws:

  • A breach of the security of the system occurs when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals, and that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.

The law refers to “acquisition” rather than “access” and appears to include a risk-of-harm trigger.

  • “Personally Identifiable Information” means an individual's first name or first initial and last name in combination with the individual's (i) Social Security number, (ii) driver's license number or (iii) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the individual's financial account.

  • The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.

  • The notification required by the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

  • Notice may be provided in writing, or electronically if the E-Sign Act requirements are met.

For larger breaches, the law also contains substitute notice provisions similar to those in other states.

  • If notice must be given to more than 1,000 Kentucky residents at one time under this law, all nationwide consumer reporting agencies and credit bureaus must also be notified of the timing, distribution and content of the notices.

However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire and New York.

  • The law excludes people and organizations that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Covered entities, business associates and certain vendors have their own breach notification requirements.

Safeguards for Student Records in the Cloud:

The law helps protect student records and information held by public and private educational institutions, including any administrative entities that serve students in kindergarten through twelfth grade, when those records are stored in the “cloud”. We can expect to see more laws of this kind, particularly in light of the Fordham Law School study on the topic.

For purposes of this law, “student data/record” means:

Any information, in any medium or format, that concerns a student and is created or provided by the student in the course of the student's use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services.

Student information includes that student’s name, postal address, email address and messages, phone number, documents, photos or unique identifiers.

Cloud providers serving these institutions in Kentucky need to be aware of this law, not only so they can take the necessary steps to comply, but because it requires providers to certify in their service agreements with the educational institutions that they will comply with the law.

Specifically, the law forbids cloud computing service providers from:

“Processing student data for any purpose other than providing, improving, developing or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student's parent.”

The word “processing” is defined broadly: it means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate or dispose of student data.”

While a provider may assist an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974 (FERPA), it may not use the information to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertising purpose.”

Providers may not sell, disclose or otherwise process student information.


Infographic – Human error causes alarming rise in data breaches


Infographic based on ICO FOI request data, by Egress Software Technologies, providers of email security as well as large file transfer and encryption software.


Protect Client Data – Properly Dispose of Old Computer Equipment

I recently received this question from an agency:

“Our agency does not have written guidelines for the preparation or disposal of used PCs. I think we should have one, and it seems to me all agencies would have this same issue, but I've not heard anything about this topic. Have you looked into this or written about it that I could reference? If not, do you know of suggested guidelines and software we could use?”

With today's legal requirements, it is prudent to make sure you destroy any private client data on all storage devices before disposing of the item. This will help prevent an unintended client data breach. Following are some suggestions on how best to keep client data from getting into the wrong hands:

Computer hard drives: How you wipe data off a hard drive so you can give the computer away depends on what information you want to preserve. Your options are:

  • If you are giving the computer to someone else, you may not want to eliminate all the valuable software along with your private information. However, just deleting your personal files does not make them unrecoverable. To completely destroy a file, you must use a data-shredding program, which takes a conventional “erase” a step further by actually writing over the file's contents.

  • Completely reformatting your drive may seem like a good option, but this method doesn't eliminate data either: the information can easily be restored using off-the-shelf data-recovery software. Many of the best data-erasing programs come from the same companies that produce data-recovery software. Set aside some time, as this can take hours on large hard drives.

Power Tools

There is no better way to completely annihilate your data than to physically destroy the device that stores it. We still suggest a software shredder first, but if your personal data security justifies the extra effort, put on protective eyewear and gloves, then break out the power tools. Drilling four holes through the platters will ensure that they never spin properly again. Better yet, unscrew and remove the top lid of the drive, and go at the platters with a sander or angle grinder. Scuff the surface of the platters until all the shine is gone.
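The difference between a plain delete and a shredding overwrite, as an added example that is not part of the original post: it writes random bytes over a file's blocks (with fsync) before unlinking it, then reads the blocks back to show the original record is gone. The sample record and the hypothetical `shred_file`/`demo` names are constructed for this illustration.

```python
import os
import secrets
import tempfile

# Constructed sample record (placeholder values, not real client data).
SAMPLE_RECORD = (
    b"Client: Jane Example\n"
    b"Card: 0000-0000-0000-0000 (placeholder)\n"
    b"Policy: HOME-0001 (placeholder)\n"
)


def shred_file(path, passes=3, chunk_size=1 << 20, unlink=True):
    """Overwrite a file's contents in place with random bytes, then delete it.

    Returns the number of bytes overwritten per pass. A plain delete only
    removes the directory entry and leaves the data blocks intact for
    recovery tools; writing over the blocks first is what a data-shredding
    program does. Caveat: this only helps on media that rewrite the same
    physical sectors (traditional magnetic drives). SSDs, flash drives and
    copy-on-write or journaling file systems may keep old copies elsewhere,
    which is why the post recommends physically destroying flash media.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force the overwrite through the OS cache
    if unlink:
        os.remove(path)
    return size


def demo(directory=None):
    """Write the sample record, shred it, and report whether any of it survived."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "client_record.txt")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    overwritten = shred_file(path, unlink=False)
    with open(path, "rb") as fh:
        after = fh.read()  # what a recovery tool would now find in those blocks
    os.remove(path)
    return {
        "bytes_overwritten": overwritten,
        "sample_still_present": SAMPLE_RECORD in after,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```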

Flash Drives: Flash drives are different from hard drives. Various methods of “wiping” data off a flash drive have been found to be unreliable. I recommend that you take a hammer to the drive; make sure you smash the circuit board and the chips.

Cell Phones: Modern cell phones are like computers: deleting data through the menus may not truly remove it from the hardware. Always wipe your phone by deleting the data through the menu settings and then performing a factory reset. Every phone has a different process, so check the phone's manual for how to restore it to factory settings, or search YouTube for an instructional video. According to PCWorld, no wipe solution is perfect. The only way to totally guarantee that old cell phone data is gone for good is to take the phone apart and physically destroy the memory chip.

Physical Disposal:

Non-Profit: After you have wiped all sensitive information from the device, you may want to consider giving it to a local non-profit organization. Be aware, though, that many organizations have become more selective about which devices they will accept.


Recycling: Check with your local city or county. Many have computer recycling programs. In my county, all you need to do is take your equipment to a special recycling center.

Following are some additional resources:

Environmental Protection Agency

TechSoup - Ten Tips for Donating a Computer

Apple Product Recycling information

Dell Product Recycling information

HP Product Recycling information

Best Buy


Data Security & Cyber Crime Growing Worldwide

Online security has taken on a higher level of importance as cyber crime, over the past few years, has evolved into a serious threat to people around the world, escalating in severity and taking many forms, from phishing to password cracking to identity theft and even large-scale nation-against-nation cyber-attacks. In a Bloomberg report, the Pentagon revealed that cyber crimes rose 37% from 2009 to 2010, an increase of 100 terabytes of data. A 2011 cybercrime report from Norton reveals the extent of cyber crime and its astounding cost to consumers in lost time and money.

In 24 countries, over a million people fall victim to various cyber crimes every single day. More specifically, the report revealed that 14 adults suffer from cybercrime every second. The amount of money linked to this activity is even more staggering. According to the Ponemon Institute, an Internet security research group, US companies have lost an estimated $96 billion to security breaches. Source.

Symantec estimated the cost of global cybercrime at $114 billion, eclipsing the global market for marijuana, cocaine and heroin combined. Source. While these statistics may seem remote or hard to relate to for an ordinary person, the threat is very real and comes in forms that appeal to many on a personal level.

Take the example of e-mail scams. The media has already reported on a wave of illegal activities ranging from phishing to something as personal as “inheritance notifications” sent via e-mail by Nigerian scam rings. This inheritance bait, while too good to be true, appeals to many people and never fails to catch attention because it stirs our natural predisposition toward easy money. Sadly, many people have been caught by these scams, and this is just one of many forms of cybercrime designed to steal information and money and compromise the victims' safety and finances.

In light of the shocking rise in cybercrime, many government agencies have set up countermeasures to protect citizens from its various forms. The U.S. Secret Service, FBI and Department of Homeland Security have been working closely together toward this purpose and are gaining ground. Source. While cybercrime is expected to get worse in scale and diversity, there are countermeasures, and we can protect ourselves from it given proper knowledge and resources.


Performing Effective Security Audits

Many data breach cases in the news have highlighted security lapses on the part of the companies subjected to such breaches, and have clearly established that failing to set up strong countermeasures places a business at risk of losing customers, money and time (imagine the hassle of dealing with litigation and class action suits).

A recent study by Symantec and the Ponemon Institute revealed that in 2011, the average organizational cost of a data breach was $5.5 million, and the cost per lost or stolen record was $194. A data breach may occur through different means, like negligence on the part of employees or malicious attacks from hackers.

According to the same study by Symantec and the Ponemon Institute, negligent insiders were the top cause of data breach in 2011, at 39%. Malicious attacks by hackers caused 37% of all data breaches, and caused the most expensive type of breach, at an average of $222 per lost or stolen record.

Consequently, more and more businesses are setting up cyber security plans, and data breach insurance coverage is becoming more popular with business owners. One integral part of a systematic cyber security plan, and one that many business owners should brush up on, is performing regular security audits. You may have a whole suite of defensive anti-data breach measures in place, but how effective are they? Does your system defense have a weak point? How sure are you that all hardware and software are configured correctly and working as they are supposed to? These questions can be answered by doing regular security audits.

Here are some guidelines on how to effectively run a security audit.

  • Evaluate your IT infrastructure. Evaluate the flow of data within your business and identify the vulnerable points.
  • Know the scope of the audit. Identify which data needs to be collected. Have an inventory of all hardware and software being used by the business. Prepare documents and other materials that the auditors may need in planning out the auditing process.
  • Be involved and discuss the plan with the auditor. Be sure that you understand the specifics of the auditing process to be carried out by the auditor. Plan ahead with the auditor and delegate tasks as needed.
  • Get real-time updates on critical information uncovered during the auditing process.
  • Review the audit and get recommendations on how to address problem areas.
  • Follow up as needed. Determine how frequently security audits should be done.

With these steps, you're sure to determine the strength of your cyber security plan and to periodically assess and update it to boost your overall protection from the threat of a data breach.

Dealing with Data Breaches

With the proliferation of data breaches and the growing stringency of federal and state laws to protect consumers, business owners are more careful than ever before and are taking steps to prevent breaches from happening. Many are also setting up measures to protect their businesses should a data breach occur. After all, dealing with a data breach is no walk in the park. It involves tremendous cost and puts business owners in the compromising situation of losing (and working to regain) customers' trust and, oftentimes, having to deal with lawsuits. A Ponemon Institute study sponsored by Symantec put the average cost of a data breach at $7.2 million in 2010.

In light of the legal trouble and the big price tag involved in a data breach, more and more businesses are setting up a breach policy. In addition, with high-profile data breach cases being picked up by the media, more and more business owners are considering data breach insurance. All businesses, big or small, need this kind of insurance coverage. A data breach is a serious threat to any business; it does not discriminate, and it can happen to any type of business.

Here are some tips for setting up your breach policy and getting data breach insurance.

Setting up a Breach Policy

  • Carefully examine the flow and storage of electronic and paper-based data in your business. Evaluate your company's level of exposure to data breach.
  • Study all stipulations of federal and state laws on data breach.
  • Read and study the existing breach policies of other businesses, particularly those operating in the same location and/or field as yours.
  • Set up your own breach policy, aligned with federal and state law stipulations and with the size and culture of your business.
  • Review all items of your breach policy, and iron out conflicting items and loopholes.
  • Be sure that all of your customers are made aware of your business' data breach policy.
  • Be proactive and anticipate the many possible data breach scenarios your business may face. Lay out a contingency plan for each scenario.

Getting Data Breach Insurance

  • Evaluate your business' level of exposure to data breach. Identify the types of data at risk and the impact a breach may have for each type of data identified.
  • Evaluate your business' security plan. Identify the types of measures being employed, the hardware and software in use and the internal policies on handling data. Your insurer will need this information.
  • Conduct due diligence and explore the many options you have with different insurers. Choose a policy that best suits your business: its size, operating environment, existing cyber security plan, applicable state and federal law, etc.
  • Negotiate and explore the possibility of getting add-on services.
  • Understand the entire policy, including the tiniest details of it.

Once all this is set up, you're in a better position to protect your business and customers from the threat of a data breach.


Free WiFi – Not so Free After All

As our dependence on the Internet for daily activities has grown exponentially in scale and form, so has our exposure to online security threats. As more data is stored or transferred online in the course of our daily activities, online thieves have found and refined ways of stealing sensitive information from their victims, compromising their safety and finances and frequently leading to huge losses.

Identity theft is probably among the most prevalent and most serious cybercrimes to have surfaced in the online world. While identity theft and data breach incidence have been on a downward trend, we cannot be complacent, as online thieves are becoming more creative in their ways of stealing personal information from consumers. A report by CBS revealed that online thieves have found a new and convenient way to steal your information and break into your computer: free Wi-Fi.

It's effective and convenient because many people will jump at the chance to get free Internet access, and it's everywhere. Hackers can set up a fake Wi-Fi access point, name it “Free Public Wi-Fi” and wait for an unsuspecting user to connect to it. Once the user is connected, the hacker can get at the user's computer without his or her knowledge. This is dangerous because the hacker can then capture social security numbers, passwords, account numbers and PINs typed into online registration pages, and even Google searches.

Hackers can do a lot with stolen information. They can transfer money to prepaid debit cards, or even request a tax refund on someone's behalf. They only need a social security number and birth date to accomplish this.

Given the simplicity of the process, it’s no surprise that this act of theft ballooned to an unimaginably massive scale in terms of money collected fraudulently. The New York Times revealed that the IRS had detected 940,000 fake returns for 2010, through which the thieves would have collected a whopping $6.5 billion. The agency further disclosed that an additional 1.5 million returns were missed, possibly amounting to $5.2 billion of fraudulent refunds.

The gravity of the offense and the serious danger it poses to potential victims call for resolute and systematic countermeasures. After all, it is your integrity and personal freedom that are at stake when your sensitive information falls into the hands (or laptops) of these thieves, who may be sitting right next to you, sipping the same latte you're enjoying.


Free Public WiFi Security Tips

A few days ago I was sitting at a local coffee shop and watched a young lady come in with her laptop. She sat down at a table, connected her laptop to the free wireless network and proceeded to log into her online bank account. I remember thinking at the time that this is a dangerous practice.

I then received an e-mail from Steve Aronson, an agent in Massachusetts, highlighting the same issue. He suggested I write about how to protect your information when using free public Wi-Fi.

Wireless access to the Internet has become a necessity for many people so they can stay connected. Whether you’re on a vacation at a resort, waiting in an airport or sitting in a coffee shop, it’s likely you will be able to connect to the Internet through a wireless network provided by the property owner. Sometimes these will be offered for a small fee and sometimes they will be free.

But be careful: sometimes free “WiFi” can be a scam perpetrated by criminals hoping to steal your personal information. You could end up being the target of a “man in the middle” attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen and end up with a spyware-infested computer. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.

How the attack works

You go to an airport or other hot spot and fire up your PC, hoping to find a free hot spot. You see one that calls itself “Free Wi-Fi” or a similar name. You connect. Bingo -- you've been had!

The problem is that it's not really a hot spot. Instead, it's an ad hoc, peer-to-peer network, possibly set up as a trap by someone with a laptop nearby. You can use the Internet, because the attacker has set up his PC to let you browse the Internet via his connection. But because you're using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other Web sites.

In addition, because you've directly connected to the attack PC on a peer-to-peer basis, if you've set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.

You can't actually see any of this happening, so you'd be none the wiser. The hacker steals what he wants to or plants malware, such as zombie software, then leaves, and you have no way of tracking him down.

All that is bad enough, but it might not be the end of the attack. Depending on how you've connected to that ad hoc network, the next time you turn on your PC, it may automatically broadcast the new “Free Wi-Fi” network ID to the world, and anyone nearby can connect to it in ad hoc peer-to-peer mode without your knowledge -- and can do damage if you've allowed file sharing.

Security company Authentium Inc. has found dozens of ad hoc networks in Atlanta's airport, New York's LaGuardia, the West Palm Beach, Fla., airport and Chicago's O'Hare. Internet users have reported finding them at LAX airport in Los Angeles.

Authentium did an in-depth survey of the ad hoc networks found at O'Hare, visiting on three different occasions. It found more than 20 ad hoc networks each time, with 80% of them advertising free Wi-Fi access. The company also found that many of the networks were displaying fake or misleading MAC addresses, a clear sign that they were bent on mischief.

How to Protect Yourself

  • The easiest way to protect yourself from WiFi fraud is to not connect to any free wireless networks. If you're in a coffee shop, airport or hotel that offers a legitimate WiFi connection for a small fee, it's worth the price for peace of mind. Ask the business' staff whether there is a hot spot available and get its name from them.
  • Mobile device users should make sure they have downloaded all the security updates for their operating systems.
  • If you work on wireless networks regularly, you are better off spending the money on a wireless card from AT&T, Verizon or Sprint. That way you have your own relatively secure wireless connection. This is what I do for access.

If you choose to take advantage of free WiFi availability, here are some things to keep in mind.

  • Never connect to a “computer-to-computer” network. When choosing a wireless network, check the description of each one. A normal wireless network is simply listed as a “wireless network”, not as a “computer-to-computer” network.
  • Use HTTPS to access webmail and avoid protocols that don’t include encryption.
  • Turn off your computer’s file sharing capabilities. The instructions will vary slightly depending on what computer system you’re using (Windows XP, Vista, Windows 7, etc.).
  • Use a software firewall to further control who can connect to your computer and how.
  • Avoid conducting financial transactions or accessing any sensitive websites if you aren’t using an Internet connection that you know and trust.
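A way to apply the first two checks above before connecting, as an added example that is not part of the original post: on Windows, `netsh wlan show networks mode=bssid` lists visible networks with their network type and encryption, and this script parses that listing to flag ad hoc (computer-to-computer) and unencrypted networks. The listing below is constructed and its field layout is assumed; real output carries additional fields the parser ignores.

```python
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output (format
# assumed); the post's "Free Public WiFi" ad hoc trap appears as SSID 2.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : CoffeeShopGuest
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 2 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 3 : AirportWireless
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
"""

SSID_LINE = re.compile(r"^SSID\s+\d+\s*:\s*(.*)$")
FIELD_LINE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")


def parse_scan(text):
    """Turn the listing into a list of dicts keyed by lower-cased field name."""
    networks, current = [], None
    for line in text.splitlines():
        m = SSID_LINE.match(line)
        if m:
            current = {"ssid": m.group(1).strip()}
            networks.append(current)
            continue
        m = FIELD_LINE.match(line)  # indented "Field : value" lines only
        if m and current is not None:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return networks


def assess(network):
    """Classify one network the way the post's checklist does."""
    if network.get("network type", "").lower() == "adhoc":
        return "AVOID: computer-to-computer (ad hoc) network, likely another laptop"
    if (network.get("authentication", "").lower() == "open"
            or network.get("encryption", "").lower() == "none"):
        return "CAUTION: unencrypted hotspot; confirm the name with staff and use HTTPS only"
    return "OK: infrastructure network with encryption"


def assess_scan(text):
    """Return (ssid, verdict) pairs for every network in the listing."""
    return [(n["ssid"], assess(n)) for n in parse_scan(text)]


if __name__ == "__main__":
    for ssid, verdict in assess_scan(SAMPLE_SCAN):
        print(f"{ssid:20} {verdict}")
```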

It pays to be vigilant whenever you are connecting to a wireless network. If you have any doubt about the WiFi connections then don’t connect. It's just not worth the potential problems.


Spammers will be Phishing for your Money

“On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some [Insert company name] customers were accessed by unauthorized entry into their computer system.”

During the last couple of weeks it’s likely that you have received a similar e-mail notifying you that your e-mail address was stolen. Epsilon, one of the largest e-mail marketing companies, had its database breached and “a subset of Epsilon clients’ customer data were exposed.” According to Epsilon the breach was limited to e-mail addresses and/or customer names only. No other personal identifiable information was stolen.

The scope of the breach and the list of large customers involved make this one of the largest security breaches of its kind. While only about 50 clients were affected, they include some of the largest companies, such as Citigroup, Capital One, Walgreen, Best Buy, Target, Hilton, Kroger, Tivo, US Bank, Disney, The College Board, and Marriott.


Even though the breach only included e-mail addresses and names, many security experts are concerned about the implications. Simply knowing someone's email address and their spending habits - or at least the brands with which they have some sort of relationship - may make it easy to craft a targeted and sophisticated phishing attack.

If scammers know that you have a credit card with Capital One, for example, they may send emails asking you to log into a website and provide personal information that will give them access to more data, including financial information. People do fall for these targeted “spear-phishing” attacks, because they appear to come from a company they have a relationship with.

Phishing Prevention

Phishing attacks are not uncommon, but if you keep your guard up about where you click and what information you enter into a website, you will probably be safe. Phishing attacks do work, though, even if only on a small percentage of recipients, and because the Epsilon breach exposed tens of millions of email addresses, even that small percentage could be a sizable number.

When you receive an email from any company you have a relationship with, make sure you scrutinize it fully. Look at the email address and verify the sender. Look for typos and strange URLs, but do not click on those links.

If you do get a suspicious email - particularly one with an urgent tone asking you to update your personal information - pick up the phone and call the company in question. Remember: very few (if any) companies will ask you for sensitive information via email. If in doubt, log into the company website directly and verify the request.
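The checks described above (verify the sender's address, look for strange URLs, be wary of urgent requests for personal information), as an added example that is not part of the original post. The message, the `KNOWN_DOMAINS` list and the `.test`/`.example` domains are all constructed for the illustration; the script only reads the message and never follows any link.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient actually has a relationship with (assumed list).
KNOWN_DOMAINS = {"bank.example"}
URGENT_PHRASES = ("within 24 hours", "account will be suspended",
                  "verify your account", "update your information")

# Constructed sample message (not a real email): lookalike sender domain and
# a link whose visible text does not match where it really points.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@bank-example-secure.test>
To: customer@mail.test
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your account will be suspended unless you verify your account within 24 hours.</p>
<p><a href="http://login.bank-example-secure.test/update">https://www.bank.example/account</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: 'www.bank.example' -> 'bank.example'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL, tolerating bare 'www.host/path' text."""
    text = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return urlparse(text).hostname or ""


def analyze_message(raw):
    """Return a list of red flags found in a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"]
    addr = sender.addresses[0] if sender and sender.addresses else None
    sender_domain = registered_domain(addr.domain) if addr else ""
    if sender_domain not in KNOWN_DOMAINS:
        flags.append(f"sender domain {sender_domain!r} is not one you have a relationship with")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for phrase in URGENT_PHRASES:
        if phrase in text.lower():
            flags.append(f"urgent wording: {phrase!r}")
    extractor = LinkExtractor()
    extractor.feed(text)
    for href, visible in extractor.links:
        href_host = registered_domain(host_of(href))
        if urlparse(href).scheme == "http":
            flags.append(f"link to {href_host} is not HTTPS")
        if visible and re.search(r"[\w.-]+\.[a-z]{2,}", visible):
            shown = registered_domain(host_of(visible))
            if shown != href_host:
                flags.append(f"link text shows {shown} but points to {href_host}")
        if href_host not in KNOWN_DOMAINS:
            flags.append(f"link points to unknown domain {href_host}")
    return flags


if __name__ == "__main__":
    for flag in analyze_message(SAMPLE_EMAIL):
        print("-", flag)
```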

Explore Insurance

Any organization that maintains a database of customer information is at risk. Make sure you understand the liability you face and explore purchasing Network Security and Privacy Insurance.