The ICO conducted an investigation on a case of hardware loss in May at the Rochdale Metropolitan Borough Council. The incident consisted in the loss of an unencrypted memory stick by a Council’s finance department employee, stick which contained names, addresses and payment details for 18.000 residents. The missing hardware was not found to the date.
The investigation concluded that the Rochdale Council has breached the Data Protection Act by not providing employees with encrypted memory sticks (although it was a known fact that these devices would be used to transfer private information) and by not training their employees to properly use portable devices for work purposes.
Sally Anne Poole, ICO’s head of enforcement qualifies this mishap as ‘unacceptable’ and says ‘This incident could have been easily avoided if adequate security measures had been in place.’ in a quote by eWeek.
The measures taken by the ICO in this case consist of signing an undertaking of actions to take to implement data protection policies by 31st March 2012.
Let’s hope that more than one private data handling organization learns from this incident and encrypts their portable devices using proper solutions.
We’ve all heard of the mind-blowing cases where it takes companies months and even years to disclose data and security breaches to their customers. They keep the information to themselves, run the investigations and only later release the details to their customers, the direct victims of the breaches. But apparently, blowing the whistle too soon is not a much better idea either, according to security experts.
The debate over which time frame helps customers and which rushed actions actually do more harm was started by the SAFE Data Act data breach law which is now making its way through US committees in an attempt to better regulate what happens when a company is affected by a data breach. The new law requires “companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data.” If passed, it will also make it compulsory for breached companies to inform customers within 48 hours of discovering an incident. Read more
As result of a court settlement, three credit report reselling companies – Washington state-based ACRAnet Inc. and SettlementOne Credit Corporation and Statewide Credit Services of California – have agreed to obtain independent security audits every other year for the next two decade. Also more comprehensive security programs designed to protect the confidentiality of the consumer data they sell will be developed.
The three companies use credit information to create special reports which are then delivered to mortgage brokers. These resellers of credit information have been charged with lack of security, fact that lead to allow security breaches exposing sensitive consumer information. Read more
Peter Hustinx, European data protection supervisor, has signaled a change of approach when dealing with EU institutions. According to a new policy paper, The European data protection supervisor (EDPS) will enforce accountability and tougher punitive measures when it comes to EU institutions, especially for serious, deliberate or repeated non-compliance with laws.
The document was published Yesterday and aims to provide greater transparency on the framework that allows EDPS, Peter Hustinx, to monitor, measure and ensure data protection compliance in the EU’s various institutions and bodies.
Accountability is emphasised the most in this document, thus EU bodies are required to take the appropriate measures to ensure compliance with data protection laws. Read more
Federal prosecutors have stated that a former employee of the University of Pittsburgh Medical Center has been indicted for the alleged theft of patient data. This is the first HIPAA-related prosecution in Western District of Pennsylvania.
Paul C. Pepala, 34, of Monroeville, PA, faces 14 counts related to the alleged disclosure of patients’ data for personal gain in February 2008, when he was an employee at UPMC Shadyside Hospital. The indictment lists Pepala as the sole defendant. Read more
While their cybersecurity czar plans have been delayed for so long we were all a bit tired for waiting, the White House approach to fighting cyber threats seems to have found a new focus these days: recommending training, exams and detailed certification requirements for cybersecurity professionals employed or contracted by the federal government. And this is going through the careful review of a commission whose main purpose is to advise the Obama administration on cybersecurity policy.
The Commission on Cybersecurity for the 44th Presidency, which in December 2008 issued its Securing Cyberspace for the 44th Presidency report to Congress, is currently working on a sequel to that report, due sometime in late June or early July. The commission, made up of a who’s who of experts and policy-makers, is debating strategies for building and developing a skilled cybersecurity workforce for the U.S., as well as issues surrounding an international cybersecurity strategy and online authentication.
Yet another warning about data loss, company policy and how easily all your files can be liked over the internet comes into the security world, this time from the Federal Trade Commission. Long overdue some would say, including Robert Siciliano in a recent post on Information Security Resources.
Yes, it is quite bewildering to see how after warning after warning and a long line of data breach incidents, companies still allow the misuse of software and hardware resources. It is also confusing to see the FTC now getting ready to directly warn about 100 companies about the risks of peer-to-peer. It’s a bit late, years and years after the problems appeared. Read more
A data breach that results in exposing private details usually means bad consequences. Especially when an institution fails to properly inform those affected of what had happened. Such is the case of the recent Blue Cross Blue Shield’s (BCBS) loss of confidential information, including tax identification and social security numbers, for about 800000 healthcare providers from all US.
The data breach in question is currently being investigated by Connecticut Attorney General Richard Blumenthal as BCBS may have broken the state law by suffering the breach and then failing to inform those affected on time.
The information in question was lost back in August when a laptop containing it was stolen. Although the theft has affected providers all across the US, the Connecticut AG is only investigating on behalf of 18,817 of its Connecticut health care providers. What he aims is to obtain credit monitoring for more than just one year, as commonly offered, and seek additional identity theft protection.
On the other hand, BCBS states they started notifying those involved within days from the incident, not a month later as implied by the AG. Either way, they are more than willing to offer credit monitoring for two years, or at least a branch of the institution is!
The data breach rules that become effective on September 23rd have been harshly criticized by a security firm specializing in encryption. According to the Health Information Technology for Economic and Clinical Health (HITECH) Act, US health organization using encryption will no longer be required to notify their clients of data breaches, regardless of how ineffective the encryption system is.
According to the act, only healthcare providers and plans that have implemented the HIPAA standards but fail to encrypt the sensitive data they keep on their clients will have to let individuals know their private details have been breached. Even in such a case, explains The Register, it will be up to each organization to decide if there is a real risk for those affected and only afterward issue data breach notices.
“The protection law should address everyone – including those who have already implemented encryption, since most encryption systems are point-to-point even when they say otherwise,” said Mark Bower, director of information protection solutions at Voltage Security.
In its present form, the HITECH Act provides a quick and often inefficient fix to make ammends with data security rules.
The Federal Trade Commission has recently issued a final rule that requires Web-based companies to notify consumers when the security of their electronic health information has been breached. The new rule was put into place by Congress as part of the American Recovery and Reinvestment Act of 2009.
As explained by Dark Reading, the rule applies to both vendors of personal health records “which provide online repositories that people can use to keep track of their health information ” and entities that offer third-party applications for personal health records.
The FTC’s Final Rule comes to complete the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which left out many types of organizations that could have exposed health related information.
The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.
The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must also notify the FTC.