Compliance Heat Map

The seemingly never-ending series of data breaches over the years has prompted most states to enact data breach notification laws. But some states are ahead of others in this initiative.

The map below from Imation shows which states are laying down the law when it comes to data breach notification and which states have disregarded the need for such laws entirely.

Here is a breakdown of each state and the specific law that was enacted there. It’s hard to believe that, in 2012, four states remain without such legislation.

While the U.S. Congress has enacted breach notification requirements in a number of Acts, data breach concerns are not limited to federal law.

Crisis Management in the Age of Cybercrime

[The following is a guest post by Richard S. Levick, Esq., president and chief executive officer of Levick Strategic Communications. You can follow Richard on Twitter @RichardLevick, where he comments daily on risk management and crisis management.]

Immense as it may be, the March 30 Global Payments data breach that dominated headlines is only the latest in a series of events that made this current crisis eminently predictable. If there are any illusions that this breach was anomalous, consider the extent to which high-profile data breaches similarly dominated headlines in 2011.

Sony suffered over a dozen data breaches stemming from attacks that compromised its PlayStation Network, losing millions and facing customer class action lawsuits as a result. Cloud-based email service provider Epsilon suffered a spear-phishing attack, reportedly affecting 60 million customer emails. RSA, whose very business relates to online security, experienced an embarrassing and damaging theft of information related to its SecurID system, necessitating an expenditure of more than $60 million on remediation, including rebuilding its tattered reputation.

And the list goes on.

Right now, just about all businesses face cyber risks. The worst include intellectual property losses due to economic espionage — by far the greatest risk to companies — as well as data breaches and ideological “hacktivists.” And the growth rate of those risks often exceeds a company’s ability to fight them.

Over the last decade, companies have experienced exponential increases in the volume and type of their digital assets along with an explosion in the types of storage devices that house them. With enterprise resource planning software, email, cloud computing, laptops, iPads, smart phones, and other portable devices, companies may have data storage systems that number in the hundreds. Managing and securing critical information has become a commensurately more daunting task.

As the situation grows worse, many boards and senior management now take a head-in-the-sand approach to cyber-threat management. A recent survey from Carnegie Mellon University’s CyLab analyzed the cyber governance policies of the Forbes Global 2000. Its findings are troubling. “Boards and senior management are still not exercising appropriate governance over the privacy and security of their digital assets,” states the report. Less than one-third undertake even the most basic cyber-governance responsibilities.

These findings are supported by an in-depth look at cyber-crime published by PricewaterhouseCoopers late last year. According to the survey, which polled nearly 4000 executives from 78 countries, while cybercrime ranks as one of the top four economic crimes (falling just after asset misappropriation, accounting fraud, and bribery/corruption), 40% of respondents reported that they had not received any cyber-security training. A quarter said that their CEOs and boards do not conduct regular, formal reviews of cyber-crime threats, and a majority reported either that their company does not have – or they do not know whether their company has – a cyber crisis-response plan.

Welcome to the risk management officer’s worst nightmare.

According to the Ponemon Institute’s most recent statistics, the average cost of a data breach is $7.2 million with the average cost per compromised record coming in at $214. But the damage done by a cyber-breach goes well beyond the initial information loss. Real costs from business interruption, intellectual property theft, lost customers and diminished shareholder value due to reputation damage all can — and do — inflate those figures. In fact, for 40% of respondents in the PwC study, it is the reputational damage from cybercrime that is their biggest fear.

As cyber-risks continue to grow, companies must therefore focus on reputation as well as strengthening the mechanisms with which data is secured. A few things are imperative.

Boards and senior management must take responsibility for crisis response. Their objective must be to crystallize the company’s crisis instincts – to make crisis response part of the institutional DNA.

Crisis plans are actually counter-productive if they are created simply to be put on a shelf and read only when they are needed. Particularly in the context of cyber-crime, a realm in which new risks seem to emerge almost daily, the need to revisit and revise the plans is exigent. Regular rehearsals, refinements, discussions and additions transform the culture into one rooted in not the possibility but, rather, the expectation of crisis.

Education of employees is imperative. Employees often assume that securing company information is solely the responsibility of company IT specialists – an assumption fraught with risk. Every employee in an organization has the responsibility and the means to protect company data.

In addition to education, the key for companies is to keep less information in the first place, according to Paul Rosenzweig, Esq., founder of Red Branch Law & Consulting, PLLC. Backing up data on the other end is also vital. And while there are attendant costs involved, they are well worth it, he says. “In a world in which the bottom line is everything and the benefit of your expenditure may be recaptured only over years, if ever, this is hard,” said Rosenzweig. “It may well seem like all cost and no benefit in the beginning – that is, until the day it is all benefit and no cost.”

Companies must also designate a response team and ensure that all participants understand their roles. During a crisis, the response team must make critical decisions with too little notice and too little information. Regular meetings ensure that team members understand their individual responsibilities and develop trust in one another. Periodic crisis team exercises allow companies to capture what goes right and what goes wrong in each simulation. The lessons learned are critical when a real crisis is at hand.

When a data breach does occur, companies must make full disclosure as quickly as possible and let stakeholders know how they plan to remediate the situation so that it will not recur. Focusing on corrective future initiatives can restore trust.

With the advent of new technologies, the risks for companies are now greater than ever. Companies’ ability to recognize this moment and transform the way they think about their information is key to long-term sustainability and brand value.

Zappos in the News: A Reputation Nightmare

Zappos, the world’s largest online shoe store, has taken a beating in the press this week after it became apparent that the private information of its 24 million customers had been compromised.

CEO Tony Hsieh issued the following statement via email:

“We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident.”

I’m sure it’s also painful for Hsieh to scan the headlines about his company that have surfaced in the last few days. The following are just a few:

  • Even Big Companies Cannot Protect Their Data — a blog piece from the New York Times, which states that more often than not, companies are resorting to telling their customers that it is up to them to protect their data stored on the company’s servers. The piece notes that even though the company claimed to have a security breach response plan in place, Hsieh provided no explanation about why the data was vulnerable.

  • Zappos Data Breach Response: Good Idea or Panic Mode? is an online article PC World ran Tuesday that highlighted both sides of the opinion spectrum. While some analysts praised Zappos for its response to the incident, others, including John D’Arcy, professor of information technology at the University of Notre Dame, called the overall response plan “not a good idea.”

Citigroup Data Breach Worse Than Initially Reported; CIA Website Also Hacked

It turns out that the Citigroup data breach we reported on last Friday may actually have been almost twice as large as originally reported. Last week, Citigroup had said the breach involved 200,000 cardholders, or 1% of its 21 million North American cardholders. Now the bank is reporting that the breach may have exposed the private financial data of more than 360,000 customers.

While the bank has been criticized for waiting a month before notifying customers about the breach (the incident was discovered on May 10 but not revealed until June 9), it is to their credit that Citigroup has been up-front about what they have done to mitigate the threat.

Upon discovery, internal fraud alerts and enhanced monitoring were placed on all accounts deemed at risk. Simultaneously, rigorous analysis began to determine the precise accounts and type of information accessed. The majority of accounts impacted were identified within seven days of discovery. By May 24, we confirmed the full extent of information accessed on 360,069 accounts. An additional 14 accounts were confirmed subsequently. To determine the cardholder impact required analysis of millions of pieces of data.

The customers’ account information (such as name, account number and contact information, including email address) was viewed. However, data that is critical to commit fraud was not compromised: the customers’ social security number, date of birth, card expiration date and card security code (CVV).

While the investigation was underway, preparations began to notify customers and, as appropriate, replace affected customers’ credit cards.

As of May 24, we began the process of developing notification packages including customer letters and manufacturing replacement cards, as well as preparing our customer service teams. Notification letters were sent beginning June 3, the majority of which included reissued credit cards.

Citigroup also indicated that they have implemented “enhanced procedures” to prevent another incident and said the customers would not be liable for any fraudulent charges on their accounts and could contact the bank to set up free identity theft protection.

Unfortunately, this is not the only high-profile cybersecurity incident to make headlines in the last couple of days. A group of hackers calling themselves LulzSec hacked the CIA’s website and took it offline Wednesday night. The group claims to have been responsible for recent attacks on the U.S. Senate, Sony and PBS. According to experts, their motivation has simply been “grins and giggles.” Evidently it’s the hacker equivalent of the old mountain climbing justification, “Because it’s there.”

The larger question, however, is what these incidents say about the preparedness of the United States to fight cybercrime. According to an interesting Reuters report, the gap between criminals and those tasked with stopping them is widening.

“We’re much better off (technologically) than we were a few years ago, but we have not kept pace with opponents,” said Jim Lewis, a cyber expert with the Center for Strategic and International Studies think tank. “The network is so deeply flawed that it can’t be secured.”

While the government is working to improve security, it seems unlikely that anyone will ever be able to get ahead of the threat. For many organizations, the only strategy may be to minimize the damage and chalk up cybersecurity as another cost of doing business. Hopefully that cost doesn’t get too high.