Client Information Security Helping Organizations Protect Private Client Data


Make Your On-line Holiday Shopping Safer


Shopping on-line is very convenient. There are lots of options, and you will certainly find some of the best prices available. Shopping on-line is secure, and you can receive your items quickly. And if you do not like the item or it does not fit, the return process is quick and easy.

Unfortunately, the holiday shopping season can be a jackpot for cyber crooks.

According to IID's Third Quarter eCrime Report for 2011, phishing attacks (in which thieves impersonate a real website to steal your sign-in credentials and even your credit card information) account for about 8% of sales. I

More people are shopping online than ever, which makes this holiday season the ideal time for cyber crooks to target online shopping sites.

From fake gift cards to phishing scams and social engineering, cyber-crime techniques are continuously evolving and, regrettably, very successful.

Customers have to be very careful when shopping online. The good news is that everyone can reduce the risk of becoming a victim by following some basic security practices.

Consumers should take the following precautions when taking their shopping online this holiday season:

1. Be cautious of a great on-line deal.

A common approach by cyber crooks is to advertise extremely low prices on popular items, such as gadgets and electronics, to lure people into providing their private information.

2. Avoid using a debit card. Use a credit card instead.

If your credit card is compromised and used to purchase items, it is usually easier to resolve the issue with a credit card company than with your bank, because a debit card draws directly on the money in your bank account.

3. Take full advantage of the notification features of your credit card.

These notifications automatically alert you to any unusual account activity. This is helpful throughout the year, but especially during the holiday season.

4. Under no circumstances should you buy merchandise from websites that do not use secure HTTPS for their checkout process.

Look carefully at the browser address bar during checkout; the address should begin with HTTPS. This indicates that the site presents a security certificate and that your connection to it is encrypted, which helps protect your information while it is in transit.

5. Make sure you have installed the most recent security software patches and fixes on your computer.

When a security patch is available, installing it makes you better protected. Cyber crooks are very good at exploiting security holes and vulnerabilities in older, unpatched systems.

Make sure you review your credit card and bank statements after the holiday shopping season. Even small charges you might overlook can indicate fraud. Report unexpected charges directly to your credit card issuer or bank.

Additionally, online shoppers must be especially careful about the emails they receive. Phishing campaigns that try to convince customers to hand over their private and financial data tend to increase during the holiday season.

Overall, remain calm. These statistics seem alarming, but they should not stop you from shopping online. Simply use common sense and follow the suggestions above; when you follow these basic rules, you can buy online with confidence.


Kentucky Becomes 47th state with Data Breach Notification Law

Kentucky Governor Steve Beshear signed H.R. 232 into law in April 2014, making Kentucky the 47th state to enact a data breach notification law. The law also restricts cloud service providers' use of student records and information.

The Kentucky Data Breach Notification Law follows the same general structure as the data breach notification laws in many other states:

  • A breach of the security of the system occurs when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals, and that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.

The law refers to “acquisition” rather than “access”, and it appears to include a risk-of-harm trigger.

  • “Personally Identifiable Information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security number, (ii) driver’s license number, or (iii) account number or (iv) credit/debit card number, in combination with any required security code, access code or password that would permit access to the individual’s financial account.

  • The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach, provided the personally identifiable information is not used or subject to further unauthorized disclosure.

  • The notification required by the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

  • Notice may be provided in writing, and may be provided electronically if the requirements of the E-Sign Act are met.

For larger breaches, the law also contains substitute notice provisions similar to those in other states.

  • If notification is required to more than 1,000 Kentuckians at one time under this law, all nationwide consumer reporting agencies and credit bureaus must also be notified of the timing, distribution and content of the notices.

However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire and New York.

  • The law excludes persons and organizations that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Covered entities, business associates and certain vendors have their own breach notification requirements.

Safeguards for Student Records in the Cloud:

The law helps protect student records and information held by educational institutions, public or private, including any administrative entities that serve students in kindergarten through twelfth grade, when those records are stored in the “cloud”. We can expect to see more laws of this kind, particularly in light of the Fordham Law School study on the topic.

For purposes of this law, “student data/record” means:

Any data or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services.

Student information includes that student’s name, postal address, email address and messages, phone number, documents, photos or unique identifiers.

Cloud providers serving these institutions in Kentucky need to be aware of this law, not only so they can take the necessary steps to comply, but because it requires providers to certify in their service agreements with the educational institutions that they will comply with this law.

Specifically, the law prohibits cloud computing service providers from:

“Processing student data for any purpose other than providing, improving, developing or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.”

The word ‘processing’ is defined broadly; it means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate or dispose of student data.”

While the provider may support an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974 (FERPA), it may not use the information to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose.”

Providers may not sell, reveal or process student information.


Protect Client Data – Properly Dispose of Old Computer Equipment

I recently received this question from an agency:

“Our agency does not have written guidelines for the preparation or disposal of used PCs. I think we should have one, and it seems to me all agencies would have this same issue, but I’ve not heard anything about this topic. Have you looked into this or written about it that I could reference? If not, do you know of suggested guidelines and software we could use?”

With today’s legal requirements, it is prudent to make sure you destroy any private client data on all storage devices before disposing of them. This helps prevent an unintended client data breach. Here are some suggestions on how best to keep client data out of the wrong hands:

Computer hard drives: How you wipe data off a hard drive before giving the computer away depends on what information you want to preserve. Your options are:

  • If you are giving the computer to someone else, you may not want to eliminate all the valuable software along with your private information. However, just deleting your personal files does not make them unrecoverable. To completely destroy a file, you must use a data-shredding program, which takes a conventional “erase” a step further by actually writing over the file’s contents.
  • Completely reformatting your drive may seem like a good option, but this method doesn't eliminate data either -- the information can easily be restored using off-the-shelf data-recovery software. Many of the best data-erasing programs come from the same companies that produce data-recovery software. Set aside some time: this can take hours on large hard drives.
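To show why a conventional delete or a quick reformat leaves data recoverable while a shredder does not, here is an added example (it is not from the original post) using a small simulated disk in Python. The ToyDisk class, its block layout and the sample "client.txt" record are all constructed for illustration; a real filesystem is far more complex, but the mechanism is the same: delete and format only discard the bookkeeping, while a shredder overwrites the blocks themselves.

```python
import os

BLOCK_SIZE = 64  # toy block size (an assumption for this illustration)


class ToyDisk:
    """Simulated disk (constructed for illustration, not a real filesystem):
    a flat byte array divided into fixed-size blocks, plus a directory that
    maps file names to the blocks they occupy and a list of free blocks."""

    def __init__(self, n_blocks=16):
        self.n_blocks = n_blocks
        self.raw = bytearray(n_blocks * BLOCK_SIZE)
        self.free = list(range(n_blocks))
        self.directory = {}

    def write_file(self, name, data):
        blocks = []
        for offset in range(0, len(data), BLOCK_SIZE):
            chunk = data[offset:offset + BLOCK_SIZE]
            b = self.free.pop(0)
            start = b * BLOCK_SIZE
            self.raw[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete_file(self, name):
        # A conventional "erase": the directory entry is dropped and the blocks
        # go back on the free list, but the bytes on disk are left untouched.
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        # A quick reformat does the same for every file at once: it rebuilds
        # the bookkeeping and leaves the block contents exactly where they are.
        self.directory.clear()
        self.free = list(range(self.n_blocks))

    def shred_file(self, name, passes=3):
        # Data shredding: overwrite every block the file occupies, several
        # times with random bytes and finally with zeros, before freeing it.
        # Caveat: on flash drives and SSDs the controller remaps blocks, so an
        # overwrite may not land on the original cells; that is why the text
        # recommends physical destruction for flash media.
        for b in self.directory[name]:
            start = b * BLOCK_SIZE
            for _ in range(passes):
                self.raw[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
            self.raw[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def recover(self, needle):
        """What off-the-shelf recovery software does: ignore the directory and
        scan the raw blocks for recognizable content."""
        return needle in bytes(self.raw)


# Constructed sample record; not real data.
SECRET = b"Client: J. Doe, SSN 000-00-0000, card 0000-0000-0000-0000"


def recoverable_after_delete():
    disk = ToyDisk()
    disk.write_file("client.txt", SECRET)
    disk.delete_file("client.txt")
    return disk.recover(SECRET)          # True: the record is still on disk


def recoverable_after_quick_format():
    disk = ToyDisk()
    disk.write_file("client.txt", SECRET)
    disk.quick_format()
    return disk.recover(SECRET)          # True: formatting did not erase it


def recoverable_after_shred():
    disk = ToyDisk()
    disk.write_file("client.txt", SECRET)
    disk.shred_file("client.txt")
    return disk.recover(SECRET)          # False: the blocks were overwritten


if __name__ == "__main__":
    print("after delete      :", recoverable_after_delete())
    print("after quick format:", recoverable_after_quick_format())
    print("after shred       :", recoverable_after_shred())
```

The recover() scan is the whole point: recovery tools never consult the directory, they read the raw blocks, so anything a delete or format left in place is still there to be found.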

Power Tools

There is no better way to completely annihilate your data than to physically destroy the device that stores it. We still suggest a software shredder first, but if your personal data security justifies the extra effort, put on protective eyewear and gloves, then break out the power tools. Drilling four holes through the platters will ensure that they never spin properly again. Better yet, unscrew and remove the top lid of the drive, and go at the platters with a sander or angle grinder. Scuff the surface of the platters until all the shine is gone.

Flash drives: Flash drives are different from hard drives. Various methods of “wiping” data off a flash drive have been found to be unreliable, because the drive’s controller remaps storage cells and an overwrite may never reach the original data. I recommend that you take a hammer to the drive, making sure you smash the circuit board and the chips.

Cell phones: Modern cell phones are like computers, and deleting data through the menus may not truly remove it from the hardware. Always wipe your phone by deleting the data through the menu settings and then performing a factory reset. Every phone has a different process, so check the phone's manual for how to restore it to factory settings, or search YouTube for an instructional video. According to PCWorld, no wipe solution is perfect. The only way to totally guarantee that old cell phone data is gone for good is to take the phone apart and physically destroy the memory chip.

Physical Disposal:

Non-profit: After you have wiped all sensitive information from the device, you may want to consider giving it to a local non-profit organization. Be aware, though, that many organizations have become more selective about what devices they will accept.

Recycling: Check with your local city or county. Many have computer recycling programs. In my county, all you need to do is take your equipment to a special recycling center.

Following are some additional resources:

  • Environmental Protection Agency
  • TechSoup - Ten Tips for Donating a Computer
  • Apple product recycling information
  • Dell product recycling information
  • HP product recycling information
  • Best Buy


Data Security & Cyber Crime Growing Worldwide

Online security has taken on greater importance as cyber crime, over the past few years, has evolved into a serious threat to people around the world, escalating in severity and taking many forms, from phishing to password cracking to identity theft and even large-scale nation-against-nation cyber attacks. In a Bloomberg report, the Pentagon revealed that cyber crimes rose 37% from 2009 to 2010, an increase of 100 terabytes of data. A 2011 cybercrime report from Norton reveals the extent of cyber crime and its astounding cost in lost time and money to consumers.

In 24 countries, over a million people fall victim to cyber crime every single day; more specifically, the report found that 14 adults suffer from cybercrime every second. The amount of money involved is even more staggering. According to the Ponemon Institute, an Internet security research group, US companies have lost an estimated $96 billion to security breaches. Source.

Symantec estimated the cost of global cybercrime at $114 billion, eclipsing the global market for marijuana, cocaine and heroin combined. Source. While these statistics may seem abstract or hard to relate to for an ordinary person, the threat is very real and comes in forms that target many people on a personal level.

Take the example of e-mail scams. The media has already reported on a wave of illegal activities ranging from phishing to something as personal as “inheritance notifications” sent by e-mail by Nigerian scam rings. This inheritance bait, while too good to be true, appeals to many people and never fails to catch attention, as it plays on our natural predisposition toward easy money. Sadly, many people have been caught by these scams, and this is just one among many forms of cybercrime designed to steal information and money and compromise victims’ safety and finances.

In light of the shocking rise in cybercrime, many government agencies have set up countermeasures to protect citizens from its various forms. The U.S. Secret Service, FBI and Department of Homeland Security have been working closely together toward this purpose and are gaining ground. Source. While cybercrime is expected to get worse in scale and diversity, there are countermeasures, and we can protect ourselves from it given proper knowledge and resources.


Performing Effective Security Audits

Many data breach cases in the news have highlighted security lapses on the part of the companies that suffered them, and have clearly established that failing to set up strong countermeasures places a business at risk of losing customers, money and time (imagine the hassle of dealing with litigation and class action suits).

A recent study by Symantec and the Ponemon Institute revealed that in 2011, the average organizational cost of a data breach was $5.5 million, and the cost per lost or stolen record was $194. A data breach may occur through different means, like negligence on the part of employees or malicious attacks from hackers.

According to the same study by Symantec and the Ponemon Institute, negligent insiders were the top cause of data breach in 2011, at 39%. Malicious attacks by hackers caused 37% of all data breaches, and caused the most expensive type of breach, at an average of $222 per lost or stolen record.

Consequently, more and more businesses are setting up a cyber security plan, and data breach insurance coverage is becoming more and more popular with business owners. One integral part of a systematic cyber security plan, and one that many business owners should update themselves on, is regular security audits. You may have a whole suite of defensive anti-data breach measures in place, but how effective are they? Does your system defense have a weak point? How sure are you that all hardware and software are configured correctly and work as they’re supposed to? These questions can be answered by doing regular security audits.

Here are some guidelines on how to effectively run a security audit.

  • Evaluate your IT infrastructure. Evaluate the flow of data within your business and identify the vulnerable points.
  • Know the scope of the audit. Identify which data needs to be collected. Have an inventory of all hardware and software being used by the business. Prepare documents and other materials that the auditors may need in planning out the auditing process.
  • Be involved and discuss the plan with the auditor. Be sure that you understand the specifics of the auditing process to be carried out by the auditor. Plan ahead with the auditor and delegate tasks as needed.
  • Get real-time updates on critical information being pulled up during the auditing process.
  • Review the audit and get recommendations on how to address problem areas.
  • Follow up as needed. Determine frequency of security audits to be done.

With these steps, you’re sure to determine the strength of your cyber security plan and periodically assess and update it to boost your overall protection from the threat of a data breach.

Dealing with Data Breaches

With the proliferation of data breaches and the growing stringency of federal and state laws to protect consumers, business owners are more careful than ever before and are taking steps to prevent breaches from happening. Consequently, many business owners are setting up measures to protect their businesses, should a data breach occur. After all, dealing with a data breach is no walk in the park. It involves tremendous cost and subjects business owners to the compromising situation of having to lose (and work to regain) customers’ trust and, oftentimes, having to deal with lawsuits. A Ponemon Institute study sponsored by Symantec revealed the average cost of a data breach to be at $7.2 million in 2010.

In light of the legal trouble and the big price tag involved in a data breach, more and more businesses are setting up a breach policy. In addition, with high-profile data breach cases being picked up by the media, more and more business owners are considering getting data breach insurance. All businesses, big or small, need this kind of insurance coverage. A data breach is a serious threat to one’s business. It does not discriminate as it can happen to any type of business.

Here are some tips to setting up your breach policy and getting data breach insurance.

Setting up a Breach Policy

  • Carefully examine the flow and storage of electronic and paper-based data in your business. Evaluate your company’s level of exposure to data breach.
  • Study all stipulations of federal and state laws on data breach.
  • Read and study existing breach policies of other businesses, particularly those operating in the same location and/or field as yours.
  • Set up your own breach policy, aligned with federal and state law stipulations and with the size and culture of your business.
  • Review all items of your breach policy; iron out conflicting items and loopholes.
  • Be sure that all of your customers are made aware of your business’ data breach policy.
  • Be proactive and anticipate the many possible data breach scenarios that your business may deal with. Lay out a contingency plan for each scenario.

Getting Data Breach Insurance

  • Evaluate your business’ level of exposure to data breach. Identify the types of data at risk and the amount of impact a breach may have with each type of data identified.
  • Evaluate your business’ security plan. Identify the types of measures being employed, the hardware/software in use and the internal policies on handling data. Your insurer will need this information.
  • Conduct due diligence and explore the many options you have with different insurers. Choose a policy that best suits your business: its size, operating environment, existing cyber security plan, existing state and federal law, etc.
  • Negotiate and explore the possibility of getting add-on services.
  • Understand the entire policy, including the tiniest details of it.

Once all set up, you’re in a better position to protect your business and customers from the threat of data breach.


Free Public WiFi Security Tips

A few days ago I was sitting at a local coffee shop and watched a young lady come in with her laptop. She sat down at a table, connected her laptop to the free wireless network and proceeded to log into her online bank account. I remember thinking at the time that this was a dangerous practice.

I then received an e-mail from Steve Aronson, an agent in Massachusetts, highlighting the same issue. He suggested I write about how to protect your information when using free public Wi-Fi.

Wireless access to the Internet has become a necessity for many people so they can stay connected. Whether you’re on a vacation at a resort, waiting in an airport or sitting in a coffee shop, it’s likely you will be able to connect to the Internet through a wireless network provided by the property owner. Sometimes these will be offered for a small fee and sometimes they will be free.

But be careful: sometimes free “WiFi” can be a scam perpetrated by criminals hoping to steal your personal information. You could end up the target of a “man in the middle” attack, in which a hacker intercepts the information you send over the Internet, including usernames and passwords. You could also have your files and identity stolen and end up with a spyware-infested computer. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.

How the attack works

You go to an airport or other hot spot and fire up your PC, hoping to find a free hot spot. You see one that calls itself “Free Wi-Fi” or a similar name. You connect. Bingo -- you've been had!

The problem is that it's not really a hot spot. Instead, it's an ad hoc, peer-to-peer network, possibly set up as a trap by someone with a laptop nearby. You can use the Internet, because the attacker has set up his PC to let you browse the Internet via his connection. But because you're using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other Web sites.

In addition, because you've directly connected to the attack PC on a peer-to-peer basis, if you've set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.

You can't actually see any of this happening, so you'd be none the wiser. The hacker steals what he wants to or plants malware, such as zombie software, then leaves, and you have no way of tracking him down.

All that is bad enough, but it might not be the end of the attack. Depending on how you've connected to that ad hoc network, the next time you turn on your PC, it may automatically broadcast the new “Free Wi-Fi” network ID to the world, and anyone nearby can connect to it in ad hoc peer-to-peer mode without your knowledge -- and can do damage if you've allowed file sharing.

Security company Authentium Inc. has found dozens of ad hoc networks in Atlanta's airport, New York's LaGuardia, the West Palm Beach, Fla., airport and Chicago's O'Hare. Internet users have reported finding them at LAX airport in Los Angeles.

Authentium did an in-depth survey of the ad hoc networks found at O'Hare, visiting on three different occasions. It found more than 20 ad hoc networks each time, with 80% of them advertising free Wi-Fi access. The company also found that many of the networks were displaying fake or misleading MAC addresses, a clear sign that they were bent on mischief.

How to Protect Yourself

  • The easiest way to protect yourself from WiFi fraud is to not connect to any free wireless networks. If you’re in a coffee shop, airport or hotel that has a legitimate WiFi connection for a small fee, it’s worth the price for peace of mind. Ask the business’ staff if there is a hot spot available and get the name from them.
  • Mobile device users should make sure they have downloaded all the security updates for their operating systems.
  • If you work in wireless environments on a regular basis, you are better off spending the money on a wireless card from AT&T, Verizon or Sprint. This way, you have your own relatively secure wireless connection. This is what I do for access.

If you choose to take advantage of free WiFi availability, here are some things to keep in mind.

  • Never connect to a “computer-to-computer” network. When choosing a wireless network, check out the description of each one. A normal wireless network is simply called “wireless network” not a “computer-to-computer” network.
  • Use HTTPS to access webmail and avoid protocols that don’t include encryption.
  • Turn off your computer’s file sharing capabilities. The instructions will vary slightly depending on what computer system you’re using (Windows XP, Vista, Windows 7, etc.).
  • Use a software firewall to further control who can connect to your computer and how.
  • Avoid conducting financial transactions or accessing any sensitive websites if you aren’t using an Internet connection that you know and trust.
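The ad hoc “Free Wi-Fi” trap described above can be spotted before you connect, because the operating system reports each network’s type alongside its name. The following added example (it is not from the original post) parses a scan listing and flags ad hoc (“computer-to-computer”) networks and open, unencrypted networks, and refuses a network even when staff gave you its name if it turns out to be ad hoc. The SAMPLE_SCAN text is constructed in the layout of Windows’ `netsh wlan show networks` output (the exact field formatting is an assumption and was not captured from a real scan), and every SSID in it is made up.

```python
import re

# Constructed sample in the layout of `netsh wlan show networks` on Windows.
# The formatting is an assumption for this illustration and the SSIDs are
# invented; nothing here was captured from a real scan.
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 4 networks currently visible.

SSID 1 : CoffeeShop-Guest
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 2 : Free Wi-Fi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 3 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 4 : AirportNet
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
"""

SSID_RE = re.compile(r"^SSID\s+\d+\s*:\s*(.*)$")
FIELD_RE = re.compile(r"^\s+(Network type|Authentication|Encryption)\s*:\s*(.*)$")


def parse_networks(text):
    """Turn the scan listing into a list of dicts, one per SSID."""
    networks = []
    current = None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:
            current = {"ssid": m.group(1).strip()}
            networks.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group(1).lower().replace(" ", "_")   # e.g. network_type
            current[key] = m.group(2).strip()
    return networks


def assess(network):
    """Return the reasons a network should not be joined; empty means no flags."""
    reasons = []
    if network.get("network_type", "").lower() == "adhoc":
        # This is the "computer-to-computer" network the text warns about:
        # your traffic would flow through someone else's laptop.
        reasons.append("ad hoc (computer-to-computer) network")
    if network.get("authentication", "").lower() == "open":
        # No link-layer encryption: anyone nearby can read unencrypted traffic,
        # so only HTTPS sites are safe to use, as the tips above recommend.
        reasons.append("open network with no encryption")
    return reasons


def adhoc_ssids(networks):
    """Names of every ad hoc network in the scan."""
    return [n["ssid"] for n in networks
            if n.get("network_type", "").lower() == "adhoc"]


def pick_network(networks, ssid_from_staff):
    """Select the network whose name the venue staff gave you, but refuse it
    if it turns out to be an ad hoc network (a likely impostor)."""
    for n in networks:
        if n["ssid"] == ssid_from_staff:
            if any("ad hoc" in r for r in assess(n)):
                return None
            return n
    return None


if __name__ == "__main__":
    for n in parse_networks(SAMPLE_SCAN):
        flags = assess(n)
        print(f"{n['ssid']:20} {'OK' if not flags else 'AVOID: ' + '; '.join(flags)}")
```

On a real machine you would feed the output of the scan command into parse_networks() instead of SAMPLE_SCAN; the same network-type check is what the “computer-to-computer” description in the connection dialog is showing you.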

It pays to be vigilant whenever you are connecting to a wireless network. If you have any doubt about the WiFi connections then don’t connect. It's just not worth the potential problems.


Riskiest US Cities for Cybercrime

Seattle is the most dangerous city in the U.S. when it comes to cybercrime, at least according to Symantec in a report issued in March 2010.

The Northwest sported two of the top 10, with Portland, Ore., ranked No. 10 in the list of the nation's 50 largest metro areas. Rounding out the first five were Boston, Washington D.C., San Francisco and Raleigh, N.C. Atlanta, Minneapolis, Denver, and Austin, Texas completed the top 10.

At the bottom, as in least dangerous, were Detroit (No. 50); El Paso, Texas (No. 49); and Memphis, Tenn. (No. 48).

The complete 50-city ranking can be downloaded from Symantec's Web site (download PDF). A more detailed description of the rating methodology and the scores for each city are available in a 16-page report (download PDF).

Symantec also released a similar ranking for Canadian cities (download PDF), which puts Burlington, Ontario, at the top of the list and Longueuil, Quebec, at the bottom. Vancouver, British Columbia, the host of the 2010 Winter Olympics, was rated the fourth-most-dangerous city in Canada.


Digital Copiers are a Security Risk

Digital copiers built since 2002 contain hard drives that store images of every document copied or scanned. Many of the stored documents include confidential data, leaving individuals vulnerable to identity theft if no safeguards are in place.

During a CBS News investigation in April 2010 an expert downloaded tens of thousands of documents from old copiers available for sale using a free forensic software program. One copier contained files from a police department sex crimes unit; one contained addresses and social security numbers along with $40,000 in copied checks; and yet another contained 300 pages of individual medical records from a health insurance company.

You can view the video report by Armen Keteyian, “Digital Photocopiers Loaded With Secrets” (Apr. 19, 2010), on the CBS News website.

Any company that maintains any type of health records is in a particularly risky situation if that information is breached. Federal privacy laws, including the Americans with Disabilities Act (ADA), require that employers keep employee health records private.

You may be able to obtain a security or encryption add-on for your copier that automatically erases images and other data from the copier’s hard drive. Every organization should make sure that, before an old copier is removed from its premises, the hard drive is either removed or completely wiped of all data.


Colorado Casualty: “There is no coverage”

Colorado Casualty Insurance Company is seeking a judicial ruling that it is not obligated to pay for the costs incurred by the University of Utah in 2008 as a result of a client information breach.

On or about June 1, 2008, car burglars stole backup tapes from the personal car of a Perpetual Storage employee. The tapes contained medical billing records with sensitive personal information (including Social Security numbers) on 1.7 million university patients, covering a period of approximately 16 years.

University of Utah officials want Perpetual Storage, their backup storage vendor, to reimburse the costs the university incurred because of the client data breach. Not including 6,232 personnel hours spent responding to the breach, the University allegedly spent over $3.2 million on: (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services.

Colorado Casualty Insurance Company wrote a commercial package policy and a commercial liability umbrella policy for Perpetual Storage that was in effect at the time of the client data breach. Ron Sutherland of United Insurance Services was Perpetual’s insurance agent at the time and placed the coverage with Colorado Casualty.

The University has brought Sutherland and United Insurance Services into the suit as a third party claimant alleging they were “careless, negligent and made various negligent misrepresentations about Perpetual’s insurance coverage from Colorado Casualty.”

The Colorado Casualty suit does not provide any specific details on why the company feels it is not obligated to pay for this claim. Notwithstanding what the Colorado Casualty policy may actually state, the above claim would probably have been covered under most network security and data breach privacy policies currently available.

Lesson learned: It is critical for every agency to inform their clients about the coverage limitations for any claim arising from a client data and information breach. And they should offer to provide them with a quote for a Network Security and Data Breach Privacy policy.

Here is an article from the Salt Lake Tribune.

Do you have the proper insurance coverage for the costs of a client information breach?