The ICO conducted an investigation on a case of hardware loss in May at the Rochdale Metropolitan Borough Council. The incident consisted in the loss of an unencrypted memory stick by a Council’s finance department employee, stick which contained names, addresses and payment details for 18.000 residents. The missing hardware was not found to the date.

The investigation concluded that the Rochdale Council has breached the Data Protection Act by not providing employees with encrypted memory sticks (although it was a known fact that these devices would be used to transfer private information) and by not training their employees to properly use portable devices for work purposes.

Sally Anne Poole, ICO’s head of enforcement qualifies this mishap as ‘unacceptable’ and says ‘This incident could have been easily avoided if adequate security measures had been in place.’ in a quote by eWeek.

The measures taken by the ICO in this case consist of signing an undertaking of actions to take to implement data protection policies by 31^st March 2012.

Let’s hope that more than one private data handling organization learns from this incident and encrypts their portable devices using proper solutions.

We’ve all heard of the mind-blowing cases where it takes companies months and even years to disclose data and security breaches to their customers. They keep the information to themselves, run the investigations and only later release the details to their customers, the direct victims of the breaches. But apparently, blowing the whistle too soon is not a much better idea either, according to security experts.

The debate over which time frame helps customers and which rushed actions actually do more harm was started by the SAFE Data Act data breach law which is now making its way through US committees in an attempt to better regulate what happens when a company is affected by a data breach. The new law requires “companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data.” If passed, it will also make it compulsory for breached companies to inform customers within 48 hours of discovering an incident.

While the lengthy so-called investigations when customers are notified months after the breach, when they have already fallen victims to data theft, fraud or identity theft are by far not helping customers in any way, neither will this extremely short two-day window. According to security experts, letting everyone know of a breach too early might result in spreading out the wrong information or alarming customers who are actually not affected in any way, creating unnecessary panic and worries for them.

According to Dark Reading, most “post-breach consultants recommend having a team and a plan ready to quickly conduct forensics on an incident, so that customers can be notified in a timely manner but also that the information disclosed actually helps them.”

How long does it take to conduct all the needed tests and realize the extent of a data breach? The middle ground between too short and too long of a wait seems to be a month. About 30 days are enough for a company to figure out what data has been breached, who has been affected and what they should be advised to do to minimize the negative impact of the security incident.

“Our research in general shows that a systematic and thoughtful notification following a data breach is where you want to be. You want to be able to say with a high degree of accuracy that you are really communicating with people who have been injured in some way or are now victims of data loss,” said Larry Ponemon, researcher of Ponemon Institute. “It’s not a good idea to wait too long but you don’t want to rush. You’ve to find that middle ground. It’s usually somewhere around the 30-day period. The average person says if you can get to me within thirty days and let me know where I stand on this issue, that’s probably OK.”

As result of a court settlement, three credit report reselling companies – Washington state-based ACRAnet Inc. and SettlementOne Credit Corporation and Statewide Credit Services of California – have agreed to obtain independent security audits every other year for the next two decade. Also more comprehensive security programs designed to protect the confidentiality of the consumer data they sell will be developed.

The three companies use credit information to create special reports which are then delivered to mortgage brokers. These resellers of credit information have been charged with lack of security, fact that lead to allow security breaches exposing sensitive consumer information.

More than 1,800 credit reports have been exposed via compromised client networks, according to a statement made by the  US Federal Trade Commission, and even after learning of the data breach, the companies failed to take reasonable steps to correct this issue. For example SettlementOne, has granted  “end users with unverified or inadequate security to access consumer reports”  through the company’s portal, according to a complaint (PDF) submitted in the case.

“As a direct result of these failures, between February and June 2008, hackers were able to exploit vulnerabilities in the computer networks of multiple SettlementOne end user clients, putting consumer reports in those networks at risk,” FTC officials wrote. “In multiple breaches, hackers accessed at least 784 consumer reports without authorization.”

According to the FTC, the alleged shortcomings violated several federal laws, including the Fair Credit Reporting Act, the FTC Act, and the Gramm-Leach-Bliley Safeguards Rule.

Federal prosecutors have stated that a former employee of the University of Pittsburgh Medical Center has been indicted for the alleged theft of patient data. This is the first HIPAA-related prosecution in Western District of Pennsylvania.

Paul C. Pepala, 34, of Monroeville, PA, faces 14 counts related to the alleged disclosure of patients’ data for personal gain in February 2008, when he was an employee at UPMC Shadyside Hospital. The indictment lists Pepala as the sole defendant.

14 counts of alleged disclosure of patients’ private information have been raised against Paul C. Pepala, 34, of Monroeville, PA. He stands accused of using this data for personal gain in February 2008 while being employed by the UPMC Shadyside Hospital and is the sole defendant in this case.

Pepala allegedly disclosed names, birth dates and Social Security numbers, this being a direct violation of HIPAA laws. Apparently, the data has been used for forging tax return papers in the year 2008. Charges for violating the Social Security Act by disclosing Social Security number, have been brought against Pepala.

80 years in prison and/or $4.7 million are the punishments provided by the law in such a case.

While their cybersecurity czar plans have been delayed for so long we were all a bit tired for waiting, the White House approach to fighting cyber threats seems to have found a new focus these days: recommending training, exams and detailed certification requirements for cybersecurity professionals employed or contracted by the federal government. And this is going through the careful review of a commission whose main purpose is to advise the Obama administration on cybersecurity policy.

The Commission on Cybersecurity for the 44th Presidency, which in December 2008 issued its Securing Cyberspace for the 44th Presidency report to Congress, is currently working on a sequel to that report, due sometime in late June or early July. The commission, made up of a who’s who of experts and policy-makers, is debating strategies for building and developing a skilled cybersecurity workforce for the U.S., as well as issues surrounding an international cybersecurity strategy and online authentication.

Of course, the discussion got a bit stuck in the first part of the future report, the cybersecurity workforce. With no one knowing if the new certification recommendation will take into account existing certifications or not, with people in the commission and in the field of cybersecurity having different takes on the issues, and given the need to details qualification needed for each type of IT security pro, I assume it will take a while to get to a common decision on this one

According to Tom Kellermann, a member of the Commission and vice president of security awareness at Core Security Technologies, the federal government has bigger problems: an insufficient workforce that’s about to shrink some more if certifications become mandatory requirements:

“I would suggest that we need to increase our workforce, but not ostracize those that don’t have certifications to get them or lose their jobs. They should be grandfathered in,” Kellermann says.

Exploring a movie-like scenario, I have to wonder – If they ever want to cut a deal with a genius hacker and have him/her do some anti-hacking work for them, would they care if that person has the required certifications?

Yet another warning about data loss, company policy and how easily all your files can be liked over the internet comes into the security world, this time from the Federal Trade Commission. Long overdue some would say, including Robert Siciliano in a recent post on Information Security Resources.

Yes, it is quite bewildering to see how after warning after warning and a long line of data breach incidents, companies still allow the misuse of software and hardware resources. It is also confusing to see the FTC now getting ready to directly warn about 100 companies about the risks of peer-to-peer. It’s a bit late, years and years after the problems appeared.

But if there are any IT managers or CEOs who don’t know what peer-to-peer can lead to, here are a few quotes from Siciliano’s article:

Last year the House Committee on Oversight and Government Reform responded to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software.In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers.

I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

In some cases, the benefits of technology are far more important than the risks. It happens with all gadgets that make work fun, efficient and portable. But if you do allow your employees to install software that’s easily hacked, at least protect your files by restricting access to them…

A data breach that results in exposing private details usually means bad consequences. Especially when an institution fails to properly inform those affected of what had happened. Such is the case of the recent Blue Cross Blue Shield’s (BCBS) loss of confidential information, including tax identification and social security numbers, for about 800000 healthcare providers from all US.

The data breach in question is currently being investigated by Connecticut Attorney General Richard Blumenthal as BCBS may have broken the state law by suffering the breach and then failing to inform those affected on time.

The information in question was lost back in August when a laptop containing it was stolen. Although the theft has affected providers all across the US, the Connecticut AG is only investigating on behalf of 18,817 of its Connecticut health care providers. What he aims is to obtain credit monitoring for more than just one year, as commonly offered, and seek additional identity theft protection.

On the other hand, BCBS states they started notifying those involved within days from the incident, not a month later as implied by the AG. Either way, they are more than willing to offer credit monitoring for two years, or at least a branch of the institution is!

The data breach rules that become effective on September 23^rd have been harshly criticized by a security firm specializing in encryption. According to the Health Information Technology for Economic and Clinical Health (HITECH) Act, US health organization using encryption will no longer be required to    notify their clients of data breaches, regardless of how ineffective the encryption system is.

According to the act, only healthcare providers and plans that have implemented the HIPAA standards but fail to encrypt the sensitive data they keep on their clients will have to let individuals know their private details have been breached. Even in such a case, explains The Register, it will be up to each organization to decide if there is a real risk for those affected and only afterward issue data breach notices.

“The protection law should address everyone – including those who have already implemented encryption, since most encryption systems are point-to-point even when they say otherwise,” said Mark Bower, director of information protection solutions at Voltage Security.

In its present form, the HITECH Act provides a quick and often inefficient fix to make ammends with data security rules.

The Federal Trade Commission has recently issued a final rule that requires Web-based companies to notify consumers when the security of their electronic health information has been breached. The new rule was put into place by Congress as part of the American Recovery and Reinvestment Act of 2009.

As explained by Dark Reading, the rule applies to both vendors of personal health records “which provide online repositories that people can use to keep track of their health information ” and entities that offer third-party applications for personal health records.

The FTC’s Final Rule comes to complete the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which left out many types of organizations that could have exposed health related information.

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.

The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must also notify the FTC.