AlertBoot Endpoint Security : cost of computer security breach

BYOD Australia: Data Breach Notification Laws Coming Sooner Than You Think (Updated)

sang_lee — Wed, 01 May 2013 11:41:00 GMT

It looks like Australia may finally join the rest of the world and push forward a data breach notification law. According to itnews.com.au, Attorney-General Mark Dreyfus is helming the introduction of a law mandating notifications when Australians' personal information end up exposed. This time, it looks real (I blogged in 2009 that such laws were coming real soon. I guess I'm not quitting my day job for fortunetelling).

Update (02 MAY 2013): Well, well...perhaps I shouldn't give up so fast on the fortunetelling. According to SC Magazine, drafts of the data breach notification law have been leaked (at least, "leaked" seems like the correct word, since they were stamped "confidential.")

Among other things, this means more Australian companies will have to start considering the use of data security software and services, such as AlertBoot's mobile device management security suite, or face the consequences when a data breach takes place.

Growing Number of Breaches Shows Need for Mandatory Notification

The road for mandatory reporting of data breaches is a long one. In 2008, the Australian Law Reform Commission (ALRC) published a report on privacy. This three-volume report also included recommendations on data breach notifications for Australia. When you take into consideration that the report is the culmination of a 28-month effort, you can see that the issue of data breach notifications could have been discussed as early as 2006. (The very first such law, California SB 1386, went into effect in 2002).

In 2009, it was rumored that Australia would be passing a mandatory data breach notification law "real soon". Four years later, we're still hearing the same story.

It's Different this Time...?

But, this time, it's different. In October of 2012, feedback was sought on a mandatory Australian data breach law. And, the Attorney-General commented that,
...the growing amount of breaches reported in the media continued to raise community concerns about the need for a mandatory scheme.

"If there continues to be under reporting of data breaches, or we continue to find out about them only through media reports, some would argue there is a strong case to move to a mandatory scheme," he said.
Between 2011 and 2012, there was an 11% increase in privacy complaints. Plus, many surveys are showing that Australians support the idea of mandatory data breach notifications. The Privacy Commissioner has called for such a law as well.

Guide to Information Security Published

Another indication that Australians will see such a law sooner than later? The Office of the Australian Information Commissioner (OAIC) has released the final draft of the "Guide to Information Security: 'Reasonable Steps' to Protect Personal Information".

While the guideline is not binding, the Commissioner has noted that "its recommendations provides [sic] the best insurance against data breaches" and that "[the OAIC] intend to refer to it when assessing compliance with the data security obligations under the Privacy Act."

It looks like a number of different parameters are beginning to converge, and the writing is on the wall. If your company is based in Australia, this may be a good time to check out AlertBoot's data security offerings: mobile security for BYOD (tablet and smartphone protection) and full disk encryption for laptops.

Canada Data Breaches: 3,000+ Cases Over 10 Years, Affects 725K

sang_lee — Wed, 24 Apr 2013 13:41:00 GMT

Organizations around the world, both in the private and public sectors, are leveraging the use of technology to their advantage. Take BYOD as an example: "bring your own device" initiatives are meant to reduce costs while increasing job satisfaction and worker efficiency. There is a darker side to BYOD, however: losing sensitive and private data, which doesn't sound like a big whoop until something goes terribly wrong. Because of the potential for data breaches, BYOD data security solutions and services like AlertBoot Mobile Security are not only a good idea, but can be a compliance requirement.

The key word there is "can," though. When you consider the value of personal data in the black market, or even to legitimate data brokers, one can only wonder why there aren't stricter laws addressing the issue of personal data security. It's a complex situation and a simple answer isn't readily available. However, a significant part of the answer could be that people have no idea how bad the situation is because it doesn't get reported. Take into consideration the Canadian government's recent revelation.

Over 725,000 Affected Over the Past 10 Years

According to a document that was presented in Canada's Parliament, there were more than 3,000 data breaches in the past 10 years. More than 725,000 Canadians were affected.

However, less than 13% of data breaches were reported (the implication, I guess, is that they were supposed to be reported to the Canadian Privacy Commissioner). Furthermore, there is a good chance that the 13% figure is inflated. According to the same report, the government's list cannot possibly include all data breaches. Hence, the 13% figure would actually be lower:
For instance, the Canada Revenue Agency didn’t provide any numbers, saying that a search of the hard copy records of breaches would be too cumbersome to be completed.
And those are instances of "known unknowns." Imagine what the picture would look like if the veil of "unknown unknowns" were lifted as well.

GIGO: Garbage In, Garbage Out

If you were in charge of coming up with a policy and found that there were only 300 or so breaches over the past 10 years (as opposed to 3,000), would if affect how you approached the project? Would it affect your conclusions on what needs to be done? Would your calculations show that the use of certain information security solutions were not "cost effective"?

My guess is that the answers to all of the above would be in the affirmative.

The last question is especially interesting. In this day and age, the bottom line tends to be the arbiter of whether something gets implemented. Hence, many IT departments have attempted to calculate a ROI (return on investment) for data security products and services, including mobile device management and security services for securing devices that are used in BYOD programs.

I should mention that such a calculation is an exercise in foolishness: information security is not an investment in the financial sense. It will not produce money or any other type of financial asset; and, of course, just because it doesn't generate income doesn't mean it isn't worthwhile.

For example, what's the ROI of a toilet? None (unless you're a company that sells porcelain bowls). Would your company be better off without toilets in the workplace? Probably not. While there isn't a return on investment, there certainly is a return in some kind of value.

All of this being said, if one is going to do some calculations, it still behooves them to use data that is as accurate and as precise as possible. If one finds that a BYOD security program will cost the company $10,000, it might cause him to balk if he's looking to prevent 300 data breaches vs. 3,000 of them.

The report to Canada's Parliament could very well explain why there isn't more being done to protect sensitive data at the federal level, and why Canada's been experiencing increasingly bigger data breaches.

Personal Data Breach: Consumer Churn Rate Directly Tied To Infosec Events Is Significant

sang_lee — Mon, 22 Apr 2013 08:46:00 GMT

A global study has revealed that personal data breaches lead to sizable numbers of customers to turn their back on companies. This might not be news, but perhaps the figures are: 23% of the respondents affirmatively answered that they have stopped doing business companies that failed to properly safeguard their data. All the more reason why a company should up the security ante by using some kind of data protection solution like AlertBoot (especially in this age of BYOD).

We Will vs. We Have

News of this study comes courtesy of databreaches.net. As the author at the site noted, there is a tremendous difference between what people claim they will do vs. what they actually end up doing. To account for this discrepancy, the authors of a study by the Economist Intelligence Unit asked the following (my own paraphrase):

Would you stop doing business with an organization that breached your data?

Have you actually suffered from a data breach, and if so, did you stop doing business with the company that experienced the data breach?

To the former, 32% of the respondents answered in the affirmative. To the latter, 38% answered in the affirmative.

This is a very curious outcome. Generally speaking, the latter tends to be lower than the former. That is, there are always more people that say they will do something, in contrast to those who actually do something. Hark back to New Year resolutions, for example: you'll always have more people who promise to lose weight, or to read more, or to procrastinate less; how many keep that promise, though?

What does this unexpected finding mean? Off the top of my head, it seems to indicate that it's only after they've become victims of a data breach that people realize the severity of the situation.

Spillover Effect

Not only that, it turns out that there are further ramifications:
the EIU research also found that 46% of respondents that had suffered a data breach had advised friends and family to be careful of sharing data with the organization.
Many companies look to get their products to "go viral" or make it spread via word of mouth, knowing that recommendations from friends, family, and acquaintances carry more weight than any marketing campaign some guys in an office can create.

Imagine, then, the disastrous effects the above could have on a company.

Nip It in the Bud because It's a Drop in the Bucket

An ounce of prevention is worth a pound of cure; so goes the old saying. Nowadays, I'm under the impression that the value of the cure is much, much higher.

Consider all the things that could go wrong by not employing, say, a BYOD security solution like AlertBoot Mobile Security. Assume that you can get the service for $100 per year, per device (it's actually much more cost effective, but I like easy numbers to work with).

Also, assume you've got 100 employees who opt to bring in their smartphones and tablets to use at work. This means you'd be spending $100,000 per year on what appears to be a bottomless pit. After all, it's not as if security threats are going away any time soon. One hundred large ones sound like a big number.

But what about the flipside of the coin?

There's the approximate one-third of your customers that will not be doing business with you in the foreseeable future. What does that translate to in lost revenue?

Your marketing will see a drop in ROI as you work harder to bring in new clients to replace the ones you've lost. That's money you didn't need to spend if you had proper security, on an activity whose efficiency is debatable.

Depending on which sector your business is in (finance, healthcare, e.g.), you might have to incur the costs of an audit, internal as well as external (by the government, such as an audit by HIPAA/OCR). These easily run into the five figures, at least.

Reaching out to "breachees". Most state and federal laws that oversee personal data laws require that first-class mail (or equivalent) be used. If the breach involves 200,000 people and you can mail each letter for $0.25, that's $50,000 you're spending to shoot yourself in the foot. That cost doesn't include the loss of productivity as your employees are working to help you shoot yourself in the foot.

Why do I keep writing that "you're shooting yourself in the foot"? Because around 33% of the people you're reaching out to will probably turn their backs on you, per the survey.

Lawsuits. 'Nough said.

No doubt there is more to the flipside of the coin; I've just run out of time to list them all. What would all of this cost? Depends on the size of the breach, but it could very well be in the millions of dollars.

For example, BCBS of Tennessee saw its data breach costs soar to $7 million when 220,000 patients were affected by a data breach. By the end of the whole ordeal, they had spent nearly $10 million for contacting members affected, investigating the theft, and offering free credit protection".

And this is before the fine that OCR levied on them for breaching HIPAA (technically, BCBS settled for $1.5 million, which is the maximum penalty that OCR can assess), or the reputational damage they took.

Or the security solutions they ended up adding into their risk prevention portfolio.

UK BYOD Security: Should You Report A Security Incident To The Information Commissioner's Office?

sang_lee — Mon, 01 Apr 2013 14:24:00 GMT

As Bring Your Own Device programs make their transition from "hot trend" to "accepted business practice" across the world, one cannot escape the feeling that, at some point, companies will hurt their thumbs and find that "something wicked this way comes." If they decide to engage in BYOD without the right MDM protection for smartphones and tablets like AlertBoot, that is, and end up with a data breach on their hands.

When the time comes, should one report the incident to the appropriate agencies? In the UK, for example, should an organization voluntarily report a data breach to the Information Commissioner's Office (ICO)? The following finding may discourage you from doing so.

84% of ICO Fines are for Self-Reported Incidents

According to information-age.com, eight out of the ten monetary penalties issued by the ICO in 2012 involved data breaches where the violator reported the incident. If any were under the impression that the agency that's charged with enforcing the Data Protection Act of 1998 is soft on organizations that forthrightly come clean, they're sadly mistaken.

Field Fisher Waterhouse, a law firm that did the analysis, noted that,
84% of fines were for incidents that the organisations themselves had reported, demonstrating that self-reporters "are not given immunity from enforcement"
and expressed concern that "this may deter organisations from owning up to data breaches," according to information-age.com. A partner with the firm emailed the website and pointed out that "many controllers will be deterred from coming forward due to fear of fines and the absence of positive incentives" and, indeed, "that businesses [do] not feel obliged to report incidents themselves."

And while the person quoted above works for a law firm and I don't, if I may put in my two cents: not only do they not feel obliged, they aren't even obligated – there's no legal requirement to do so for most. The last time I checked, under the law, it's only a service provider that needs to notify the ICO, with "service provider" defined as:
a provider of any electronic communications service that is provided so as to be available for use by members of the public. This definition will cover, but is not necessarily limited to, telecommunications and internet service providers.
Also included in the above are the NHS Trusts, which is why they often show up on the news section of the ICO's website and bear the brunt of the monetary penalties.

So, Do You Report Yourself?

If a company or organization is legally required to do so, the answer is a loud, unequivocal "yes." But what if you're not? The answer is still yes.

The key question is, I guess: how many of data breaches that the ICO has come across in 2012 are self-reported? If the answer is 84%, then a 84% penalty rate for self-reporting organizations is par for the course.

What the above report by Field Fisher Waterhouse does not take into account is the number of instances where one self-reported a breach and didn't get penalized financially. It's a matter of statistics: we know that 84% of fines in 2012 went to self-reporting entities. We also know that only a handful of the total are assessed with a penalty. But is that unnaturally high when you consider the entire pool of data breaches in 2012?

If self-reporting companies represent a mere 50% of the entire pool, then a 84% rate is certainly high. If they represent 95% of the pool, then 84% is low. On the other hand, if a total of 15 companies were fined but over 700 breaches came across the ICO's radar, the percentages would appear meaningless regardless of whether they're representative of the total pool or not.

Other considerations: were the group of self-reporting companies penalized at a higher or lower rate than the group of companies that didn't do the reporting?

Remember: there are lies, damned lies, and statistics.

Sharing Laptops With Encryption: U. Of Mississippi Medical Center Patient Data Breach

sang_lee — Fri, 29 Mar 2013 09:07:00 GMT

The University of Mississippi Medical Center (UMMC) is notifying patients who visited UMMC between 2008 and January 2013 that their health information may have been stored on a laptop computer that's "missing." Apparently, the device was not protected with laptop encryption like AlertBoot, which may have been a result of the laptop being "a shared device, used by UMMC clinicians."

Giving Access to Shared but Encrypted Resources

One of the problems with encryption software is that, depending on the solution, there isn't a way to allow multiple logins to the same computer (or in some cases, there is a way but it's very complicated, rendering it useless. As an aside, AlertBoot does not suffer from this limitation. Indeed, we make it very easy to host multiple IDs and passwords on the same computer).

This hindrance is very problematic in a hospital setting because (a) resources are shared and (b) HIPAA Security Rules generally forbid the sharing of computer passwords and such.

The obvious answer, then, is to pick a solution that allows multiple IDs and passwords for the same computer. However, sometimes people opt for a different kind of solution: not using encryption. Since most computer operating systems come with the ability to support multiple users, one "solution" is to use only password-protection without encryption.

The problem with this approach is that, while you're able to comply with a certain aspect of the HIPAA Security Rules, you're also exposing patients to a risk that could easily be avoided.

Is this what UMMC decided to do? It could very well be so, and it would be within their rights. After all, HIPAA doesn't require the use of encryption. If a covered entity's risk assessment shows that the odds of a data breach are low, and tantamount security measures can be used – UMMC's laptop was in a non-public area, meaning the odds of the device being stolen were low – then encryption is just one of the ways one can use to lower the risk of an ePHI breach.

On the other hand, these other methods are not as useful in the event that something does go awry.

UMMC: Insufficient Contact Information

Generally, a data breach results in the breached medical entity sending out breach notification letters (via first class mail, as specified by HIPAA and HITECH rules). However, the University of Mississippi Medical Center opted to make a public announcement only (the "only" part is implied) because it didn't have a complete notification list:
Federal and state laws require health-care institutions to notify patients potentially affected by such incidents. In this case, due to insufficient contact information for those who may be affected, individual notifications are not possible. [phiprivacy.net]
As I pointed it out before, the implication is that no one is getting a personal breach notification letter. Again, UMMC is within its legal rights to do so; however, honestly, what are the chances that all of the affected parties will be informed of this notice, be it via word of mouth, a segment in the local news, or some other method?

Perhaps that's the wrong question. My guess is that the odds of all affected parties being reached is close to 0%. Rather, the question ought to be: what percentage of the affected parties will be informed? Is it closer to 90% or 40% or 10% or what is it? The former is better than the latter, obviously, but the honest truth is that we have absolutely no way of knowing.

When you consider that the purpose behind breach notifications is to give who are affected a chance to do something about any potential risks, it feels like UMMC is following the letter of the law, but falling very short when it comes to the spirit of things.

Perhaps a better method may have been to send individual notification letters if a patient's current address was on file in addition to making a public announcement.

Related Articles and Sites:
http://www.phiprivacy.net/?p=12070

UK BYOD And Data Security: Nursing and Midwifery Council Fined £150,000

sang_lee — Thu, 07 Mar 2013 09:41:00 GMT

The Information Commissioner's Office (ICO) in the UK has issued a £150,000 monetary penalty to the Nursing and Midwifery Council (NMC) for a data breach involving one nurse and two children. In an age of smartphones and tablets, how the data was breached is almost anachronistic (three DVD discs were lost). The use of data security software like AlertBoot's Mobile Security and full disk encryption can help in such instances, but only if people decide to use it.

DVDs Delivered by Courier

According to techworld.com:
The three DVDs of highly sensitive witness videos of children were supposed to be delivered [for a misconduct hearing], but when it arrived the package was found to be empty.

Despite there being no obvious sign of tampering, the DVDs were never found.
It wasn't only the DVDs that couldn't be found. Because of the data breach, the ICO did a follow up on the NMC's security practices and found that there was nothing in place: not only were the DVDs in question not protected with encryption software, the council didn't have any policies in place for securing sensitive data, whether at rest or in transit.

This is a big no-no since it's the primary reason why a data breach takes place: because one wasn't preparing for it. In this day and age, a data breach is a matter of "when" and not "if". Thus, if you're dealing with information on a daily basis, you've got to assume that you'll be involved in a data breach at some point, especially if you are dealing with sensitive information. It's only logical, then, that you have policies in place to ensure that you minimize the risk of such an event from happening, policies that not only involve conduct, but the right tools.

For example, a policy that states "don't take sensitive data out of the office" doesn't work because (a) people ignore such policies and (b) someone will run across a situation where that rule has to be ignored (one may have to send DVDs full of information to a misconduct hearing, e.g.). So, a technological solution or tool must also be in place, such as easy to use encryption software. At the same time, policy must insist that these tools be used, no ifs or buts.

(In NMC's defense, they claim that they did have such policies. According to information-age.com, their policies require the use of encryption. The latest fiasco was an oversight, which happens, more often than you think).

One of the Largest Penalties to Date

The ICO's fine represents one of the largest penalties I've run across to date. Only the £250,000 penalty levied on Sony, in January 2013, for its notorious 2011 hack, is larger, if I'm not wrong. The irony is that £250,000 looks like a pittance on a "per individual" basis since it affected over 100 million people across the world (cents on the dollar. Granted, the ICO has only jurisdiction over the UK so the "per individual" figure can only rise if we limit the people count to the UK), but the NMC's represents a whopping £50,000 per person. In some ways, it feels like the ICO is stepping down on the "little guy" while a global Goliath is getting away with it.

That is, until you realize that the NMC has over 660,000 registered nurses, and there's nothing "little" about it. Once your data count starts involving more than three zeroes, it behooves you to step up to the data security challenge.