Client Information Security Helping Organizations Protect Private Client Data

22Aug/120

Protect Client Data – Properly Dispose of Old Computer Equipment

I recently received this question from an agency:

“Our agency does not have written guidelines for the preparation or disposal of used PC’s. I think we should have one, and it seems to me all agencies would have this same issue but I’ve not heard anything about this topic. Have you looked into this or written about it that I could reference? If not, do you know of suggested guidelines and software we could use?”

With today’s legal requirements it is prudent to make sure you destroy any private client data on all storage devices prior to disposing of the item. This will help prevent an unintended client data breach. Following are some suggestions on how best to prevent client data from getting into the wrong hands:

Computer hard drives: How you wipe data off of a hard drive so you can give the computer away will depend on what information you want to preserve. Your options are:

File-by-File

If you are giving the computer to someone else you may not want to eliminate all the valuable software along with your private information. However, just deleting your personal files does not make them unrecoverable. To completely destroy a file, you must use a data-shredding program. It takes a conventional “erase” a step further by actually writing over the file.

Whole-Drive

Completely reformatting your drive may seem like a good option, but this method doesn't eliminate data either -- the information can easily be restored using off-the-shelf data-recovery software. Many of the best data-erasing programs come from the same companies that produce data-recovery software. Set aside some time: This can take hours on large hard drives.

Power Tools

There is no better way to completely annihilate your data than to physically destroy the device that stores it. We still suggest a software shredder first, but if your personal data security justifies the extra effort, put on protective eyewear and gloves, then break out the power tools. Drilling four holes through the platters will ensure that they never spin properly again. Better yet, unscrew and remove the top lid of the drive, and go at the platters with a sander or angle grinder. Scuff the surface of the platters until all the shine is gone.

Flash Drives: Flash drives are different than hard drives. It has been found that various methods to “wipe” data off of a flash drive are unreliable. I recommend that you take a hammer to the drive. You want to make sure you smash the circuit board and chips.

Cell Phones: Modern cell phones are like computers, deleting data using menus may not truly delete it from the hardware. Always wipe your phone by deleting the data using menu settings and then performing a factory reset. Every phone has a different process, so check the phone's manual to restore the phone to its factory settings, or search YouTube for an instructional video. According to PCWorld no wipe solution is perfect. The only way to totally guarantee old cell phone data is gone for good is to take the phone apart and physically destroy the memory chip.

Physical Disposal:

Non-Profit: After you make sure you wipe all sensitive information from the device you may want to consider giving it to a local non-profit organization. Although be aware that many organizations have become more selective about what devices they will accept.

Recycling:

Check with your local city or county. Many have computer recycling programs. In my county all you need to do is take your equipment to a special recycling center.

Following are some additional resources:

Environmental Protection Agency

TechSoup - Ten Tips for Donating a Computer

Apple Product Recycling information

Dell Product Recycling information

HP Product Recycling information

Best Buy

13Aug/120

Data Security & Cyber Crime Growing Worldwide

Online security has taken on a higher level of importance as cyber crime, over the past few years, evolved into an serious threat to people around the world, escalating in severity and advancing into many forms, from phishing, to password cracking, to identity theft to even large-scale nation-against-nation cyber-attacks. In a Bloomberg report, it was revealed by the Pentagon that cyber crimes rose 37% from 2009 to 2010, an increase of 100 terabytes of data. A 2011 cybercrime report from Norton reveals the extent of cyber crime and its astounding cost of lost time and cash to consumers.

In 24 countries, over a million fall victim to various cyber crimes every single day. More specific statistics in the report revealed that 14 adults suffered from cybercrime every second. The amount of money linked with this activity is even more staggering. According to the Ponemon Institute, an Internet security research group, US companies have lost an estimated $96 billion from security breaches. Source.

Symantec estimated the cost of global cybercrimes to be at $114 billion, eclipsing the global market for marijuana, cocaine and heroin combined. Source. While these statistics may not seem mundane or even relatable to an ordinary person, the threat is very present and comes in forms that appeal to many on a personal level.

Take the example of e-mail scams. The media has already picked up a wave of illegal activities ranging from phishing to something as personal as “inheritance notification” sent via e-mail by Nigerian scam rings. This inheritance bait, while too good to be true, appeals to many people and never fails to catch attention as it stirs our natural predisposition to procuring easy money. Sadly, many people have been caught by these scams, and this is just one among many forms of cybercrimes designed to steal information and money and compromise the victims’ safety and finances.

In light of the shocking rise of cybercrimes, many government agencies have set up countermeasures to protect citizens from various forms of it.  The U.S. Secret Service, FBI and Department of Homeland Security have been working closely together towards this purpose and are gaining ground. Source. While cybercrime is expected to get worse in terms of scale and diversity, there are countermeasures and we can protect ourselves from it, given proper knowledge and resources.

1Aug/120

Performing Effective Security Audits

Many data breach cases in the news have highlighted the security lapses on the end of the companies subjected to such breaches and have clearly established that failure to set up a strong countermeasure places a business at risk of losing customers, money and time (imagine the hassle of dealing with litigation and class suits).

A recent study by Symantec and the Ponemon Institute revealed that in 2011, the average organizational cost of a data breach was $5.5 million, and the cost per lost or stolen record was $194. A data breach may occur through different means, like negligence on the part of employees or malicious attacks from hackers.

According to the same study by Symantec and the Ponemon Institute, negligent insiders were the top cause of data breach in 2011, at 39%. Malicious attacks by hackers caused 37% of all data breaches, and caused the most expensive type of breach, at an average of $222 per lost or stolen record.

Consequently, more and more businesses are setting up their cyber security plan and getting data breach insurance coverage is getting more and more popular with business owners. One integral part of this systematic cyber security plan and one that many business owners should update themselves on is doing regular security audits. You may have a whole suite of defensive anti-data breach measures in place, but how effective are they? Does your system defense have a weak point? How sure are you that all hardware/software are configured correctly and that they’re programmed to work as they’re supposed to? These questions can be answered by doing regular security audits.

Here are some guidelines on how to effectively run a security audit.

  • Evaluate your IT infrastructure. Evaluate the flow of data within your business and identify the vulnerable points.
  • Know the scope of the audit. Identify which data needs to be collected. Have an inventory of all hardware and software being used by the business. Prepare documents and other materials that the auditors may need in planning out the auditing process.
  • Be involved and discuss the plan with the auditor. Be sure that you understand the specifics of the auditing process to be carried out by the auditor. Plan ahead with the auditor and delegate tasks as needed.
  • Get real-time updates on critical information being pulled up during the auditing process.
  • Review the audit and get recommendations on how to address problem areas.
  • Follow up as needed. Determine frequency of security audits to be done.
  • With these steps, you’re sure to determine the strength of your cyber security plan and periodically assess and update it to boost your overall protection from the threat of a data breach.
1Aug/120

Dealing with Data Breaches

With the proliferation of data breaches and the growing stringency of federal and state laws to protect consumers, business owners are more careful than ever before and are taking steps to prevent breaches from happening. Consequently, many business owners are setting up measures to protect their businesses, should a data breach occur. After all, dealing with a data breach is no walk in the park. It involves tremendous cost and subjects business owners to the compromising situation of having to lose (and work to regain) customers’ trust and, oftentimes, having to deal with lawsuits. A Ponemon Institute study sponsored by Symantec revealed the average cost of a data breach to be at $7.2 million in 2010.

In light of the legal trouble and the big price tag involved in a data breach, more and more businesses are setting up a breach policy. In addition, with high-profile data breach cases being picked up by the media, more and more business owners are considering getting data breach insurance. All businesses, big or small, need this kind of insurance coverage. A data breach is a serious threat to one’s business. It does not discriminate as it can happen to any type of business.

Here are some tips to setting up your breach policy and getting data breach insurance.

Setting up a Breach Policy

Carefully examine the flow and storage of electronic and paper-based data in your business. Evaluate your company’s level of exposure to data breach.

Study all stipulations of federal and state laws on data breach.

Read and study existing breach policies of other businesses, particularly those operating in the same location and/or field as yours.

Set up your own breach policy, aligned with federal and state law stipulations, the size as well as the culture of your business.

Review all items of your breach policy, iron out conflicting items and loopholes.

Be sure that all of your customers are made aware of your business’ data breach policy.

Be proactive and anticipate the many possible data breach scenarios that your business may deal with. Lay out a contingency plan for each scenario.

Getting Data Breach Insurance

Evaluate your business’ level of exposure to data breach. Identify the types of data at risk and the amount of impact a breach may have with each type of data identified.

Evaluate your business’ security plan. Identify the types of measures being employed, hardware/software in use and internal policies on handling data. Your insurer will need this information.

Conduct due diligence and explore the many options you have with different insurers. Choose a policy that best suits your business: its size, operating environment, existing cyber security plan, existing state and federal law, etc.

Negotiate and explore the possibility of getting add-on services.

Understand the entire policy, including the tiniest details of it.

Once all set up, you’re in a better position to protect your business and customers from the threat of data breach.

20Apr/110

Spammers will be Phishing for your Money

“On April 4, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the names and/or email addresses of some [Insert company name] customers were accessed by unauthorized entry into their computer system.”

During the last couple of weeks it’s likely that you have received a similar e-mail notifying you that your e-mail address was stolen. Epsilon, one of the largest e-mail marketing companies, had its database breached and “a subset of Epsilon clients’ customer data were exposed.” According to Epsilon the breach was limited to e-mail addresses and/or customer names only. No other personal identifiable information was stolen.

The scope of the breach and the list of large customers involved, make this one of the largest security breaches of its kind. While only about 50 clients were involved they include some of the largest companies such as Citigroup, Capital One, Walgreen, Best Buy, Target, Hilton, Kroger, Tivo, US Bank, Disney, The College Board, and Marriott.

Spear-Phishing

Even though the breach only included e-mail addresses and names, many security experts are concerned about the implications. Simply knowing someone's email address and their spending habits - or at least the brands with which they have some sort of relationship - may make it easy to craft a targeted and sophisticated phishing attack.

If scammers know that you have a credit card with Capital One, for example, they may send emails asking you to log into a website and provide personal information that will give them access to more data, including financial information. People do fall for these targeted “spear-phishing” attacks, because they appear to come from a company they have a relationship with.

Phishing Prevention

Phishing attacks are not uncommon, but, if you keep your guard up about where you click and what information you enter into a Website, you'll probably be safe. But phishing attacks do work, even if it's just for a small percentage of recipients. And as the breach at Epsilon has exposed tens of millions of email addresses, even that small percentage could prove to be a sizable number.

When you receive an email from any company you have a relationship with, make sure you scrutinize it fully. Look at the email address and verify the sender. Look for typos and strange URLs. But don't click on those links.

If you do get a suspicious email - particularly one with an urgent tone asking you to update your personal information - pick up the phone and call the company in question. Remember: very few (if any) companies will ask you for sensitive information via email. If in doubt, log into the company website directly and verify the request.

Explore Insurance

Any organization that maintains a database of customer information is at risk. Make sure you understand the liability you face and explore purchasing Network Security and Privacy Insurance.

21Jun/100

Insurance for Data Breach Expenses

The vast majority of insurance agencies do not have any insurance coverage for reimbursement of the costs incurred due to a client data breach. Here are just a few of the reasons why a Network Security and Privacy (NSAP) policy makes sense for insurance agencies:

  • Coverage for data and other non-physical perils is routinely excluded under Property policies.
  • The “intentional acts” exclusion found in a standard E&O policy might eliminate coverage if the breach was caused intentionally by an employee.
  • E&O coverage may not respond at all for acts that are outside the provision of professional services.
  • Liability arising out of the destruction of electronic data is not typically covered under the standard General Liability or Property policies.
  • Crime policies generally only cover theft of money, securities or other tangible property – not information theft or the destruction of electronic data.

Don't be the cobbler with holes in his shoes! You need to take the appropriate risk management steps to protect the private client information contained within your electronic and physical files.

If that does not work, you will be glad you have separate coverage.

14Jun/100

Riskiest US Cities for Cybercrime

Seattle is the most dangerous city in the U.S. when it comes to cybercrime, at least according to Symantec in a report issues in March 2010.

The Northwest sported two of the top 10, with Portland, Ore., ranked No. 10 in the list of the nation's 50 largest metro areas. Rounding out the first five were Boston, Washington D.C., San Francisco and Raleigh, N.C. Atlanta, Minneapolis, Denver, and Austin, Texas completed the top 10.

At the bottom, as in least dangerous, were Detroit (No. 50); El Paso, Texas (No. 49); and Memphis, Tenn. (No. 48).

The complete 50-city ranking can be downloaded from Symantec's Web site ( download PDF ). A more detailed description of the rating methodology and the scores for each city are available in 16-page report ( download PDF ).

Symantec also released a similar ranking for Canadian cities ( download PDF ), which puts Burlington, Ontario, at the top of the list and Longueuil, Quebec, at the bottom. Vancouver, British Columbia, the host of the 2010 Winter Olympics, was rated the fourth-most-dangerous city in Canada.

9Jun/100

Digital Copiers are a Security Risk

Digital copiers built since 2002 contain hard drives that store images of every document copied or scanned. Many of the stored documents include confidential data, leaving individuals vulnerable to identify theft if no safeguards are in place.

During a CBS News investigation in April 2010 an expert downloaded tens of thousands of documents from old copiers available for sale using a free forensic software program. One copier contained files from a police department sex crimes unit; one contained addresses and social security numbers along with $40,000 in copied checks; and yet another contained 300 pages of individual medical records from a health insurance company.

You can view the video report by Armen Keteyian, “Digital Photocopiers Loaded With Secrets,” (Apr. 19, 2010) by clicking here:

http://www.cbsnews.com/video/watch/?id=6412572n&tag=related;photovideo

Any company that maintains any type of health records have a particularly risky situation if that information is breached. Federal privacy laws including the Americans with Disabilities (ADA) require that employers keep employee health records private.

You might be able to obtain a security or encryption add-on to your copier that will automatically erase images and other data from the copier hard drive. Any organization should make sure that before they allow an old copier to be removed from their premises the hard drive is either removed or completely wiped of all data.

4Jun/100

Colorado Casualty: “There is no coverage”

Colorado Casualty Insurance company is seeking a judicial ruling that it is not obligated to pay for costs incurred by the University of Utah in 2008 as a result of a client information breach.

On or about June 1, 2008 car burglars stole back-up tapes from the personal car of a Perpetual Storage employee containing medical billings records with sensitive personal information (including social security numbers) on 1.7 million university patients covering a time period of approximately 16 years.

University of Utah officials want Perpetual Storage, their backup storage vendor, to reimburse the cost the university incurred because of the client data breach. Not including 6,232 in personnel hours responding to the breach, the University allegedly spent over $3.2 million on:  (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services.

Colorado Casualty Insurance Company wrote a commercial package policy and a commercial liability umbrella policy for Perpetual Storage that was in effect at the time of the client data breach. Ron Sutherland of United Insurance Services was Perpetual’s insurance agent at the time and placed the coverage with Colorado Casualty.

The University has brought Sutherland and United Insurance Services into the suit as a third party claimant alleging they were “careless, negligent and made various negligent misrepresentations about Perpetual’s insurance coverage from Colorado Casualty.”

The Colorado Casualty suit does not provide any specific details on why the company feels it is not obligated to pay for this claim. Notwithstanding what the Colorado Casualty policy may actually state, the above claim would probably have been covered under most network security and data breach privacy policies currently available.

Lesson learned: It is critical for every agency to inform their client’s about the coverage limitations for any claim arising from a client data and information breach. And, they should offer to provide them with a quote for a Network Security and Data Breach Privacy policy.

Here is an article from the Salt Lake Tribune.

Do you have the proper insurance coverage for the costs of a client information breach?

1Jun/100

FTC Extends Deadline for Red Flags Rule

The FTC announced in a press release on Friday May 28 that they would postpone enforcement of the Identity Theft Red Flags Rule.

“At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.”

The full release is available here.