AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Breaches: S.Carolina Took 9 Months To Notify Breach Victims

Nearly 17,000 people affected by a data breach in York County, South Carolina, were not contacted until nine months after the event took place. South Carolina is one of the forty-odd states that have a breach notification law (and is part of a subset that includes safe harbor provisions from notification when digital data encryption like AlertBoot is used).

I briefly looked into South Carolina's data breach notification law back in 2009.

Couldn't Figure Out If Information was Accessed

One of the key tenets of South Carolina's data breach notification law is that those affected are to be alerted of the breach in the "most expedient time possible and without unreasonable delay," as pointed out by infosecurity-magazine.com. Nine months is anything but.

The excuse given for this massive delay:

County officials said that they took so long to notify potential victims because their investigation found no indication that the information was taken from the server. Forensic testing of the server revealed "no smoking gun", Joel Abernathy, director for York County's IT department, told the newspaper. [infosecurity-magazine.com]

But, this does not mean that they weren't aware that a hacker or hackers were roaming inside their digital network: the county was concerned enough to order a shutdown of the database.

Badly Written Laws Lead to Bad Results

Two years ago, I had applauded the introduction of data breach notification laws by states.  Today, there are only four states that are holding out on passing such laws.  The federal government has also passed or strengthened laws, although they are specific to industries (such as the HITECH Act that strengthens HIPAA).

The results from the legislative efforts are making one thing abundantly clear: data breach notification laws do have their intended effect.  It sounds obvious in hindsight, but when they were being passed, plenty of cynics wondered whether it'd be legislation that would end up being ignored (like the Ohio law that makes it illegal to get fish drunk).

Also clear: badly written laws lead to bad results, like in the above case.  For example, how do you define "most expedient time possible and without unreasonable delay"?  Two days from when the breach is discovered?  Two weeks?  Two months?  Or is it two months since the breach itself?  Open-ended laws and definitions lead to ludicrous situations.

Compare the above to HITECH's Breach Notification Rule.  It also features the "most expedient time possible and without unreasonable delay" passage.  However, an upper limit is set, noting that notifications have to be sent out within 60 calendar days, no ifs or buts.

It's time for states to take a look at their current laws and see if they fall short in any areas. Updating a law only three years after it was passed might seem a little too soon, but let us not forget that three years is a lifetime for the underlying currents that led to such laws being passed.


Related Articles and Sites:
http://www.infosecurity-magazine.com/view/25751/south-carolina-county-takes-nine-month-to-notify-thousands-of-data-breach-victims/

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.