A recent article on Infosec Island outlined the new Personal Data Protection and Breach Accountability Act of 2011, S.1535 (the “PDPBA Act”), proposed by Senator Richard Blumenthal (D-CT). The bill is the latest attempt to address the security and privacy of personally identifiable information.
Among the key elements the article highlights is “enforcement by the United States Attorney General, by State Attorneys General, and by individuals via a private right of action that allows for civil penalties of up to $10,000 per violation per day per individual up to a maximum of $20,000,000 per violation.”
Those are hefty fines should the bill pass. The bill also contains some notable exemptions, namely organizations already covered by the Gramm-Leach-Bliley Act (“GLBA”) and the Health Insurance Portability and Accountability Act (“HIPAA”).
For the full article from Infosec Island, click here.
To view the proposed bill, click here. (PDF)
Data Security
Co-Authored by Matthew Losanno and Emmett Jorgensen
I’ve stressed the importance of encryption in the past, and if you are an avid InfoSec follower you will probably agree that encryption is important. Is it the most important aspect of data security, though? I’d say it ranks high, very high even; however, encryption alone is often not enough. A lot more should go into the security of your confidential data than encryption.
Other variables at work often require security measures above and beyond encryption. The sensitivity of the data you are working with, state, federal and industry regulations, user habits, platforms and more all factor into the measures needed to safeguard your data. Read more…
Data Security
Later this year the Department of Health and Human Services (HHS) will begin auditing healthcare providers for compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Despite both HIPAA and the HITECH Act, healthcare data breaches keep appearing in the news. A recent study found that over 70% of hospitals had a patient data breach last year. Read more…
Data Security, Healthcare
A new study from the Digital Forensics Association, called The Leaking Vault 2011, covers 3,765 publicly disclosed data breach incidents over the past six years. The estimated cost of these breaches totaled more than $156 billion. “Hacking” exposed the largest number of records, while “Drive/Media” exposures were the second leading cause.
The study also shows the breakdown of incidents among business, education, government and medical sectors. It clearly shows that data breaches can happen to a wide variety of institutions, not just those that handle “classified” information. State data breach laws and industry regulations like HIPAA have increased the spotlight on data security outside of traditional national security organizations. In fact, medical data breaches were the fastest growing segment from 2005-2010.
Read the full report for conclusions and recommendations.
Data Security, Financial, Government, Healthcare, Malware, Portable Storage
by Ken Lee
When it comes to selling used computers, many people don’t understand the risks that lie within the computer’s hard drive. Many of us store private and confidential data (Social Security numbers, bank account or retirement information, passwords, etc.) on our hard drives, information we would never carelessly hand over to another person. Yet that is often exactly what happens when people dispose of or sell their old hard drives.
Consider the following examples of second hand drives that were sold with sensitive information still on them. Read more…
Data Security, data storage
A recent article in InformationWeek details some interesting trends in USB flash drive usage and security. According to the story, “In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks.”
Flash drives are incredibly useful; however, as the InformationWeek article shows, their tiny size and large storage capacity make them a security risk as well. Although encryption would seem to be a requirement for organizations handling sensitive data, more often than not flash drives aren’t encrypted.
With that in mind, here is a list of recent flash drive security snafus: Read more…
Uncategorized
InformationWeek highlights a new study showing that malware on USB sticks is wreaking havoc on information security. The new survey by the Ponemon Institute found:
In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks. While such losses can obviously occur when the devices get lost or stolen, 55% of those incidents are likely related to malware-infected devices that introduced malicious code onto corporate networks.
Most respondents do not have any form of endpoint security in place, or do not enforce their own USB security policies. Cost may be a factor: “75% of respondents said they wouldn’t pay a premium to ensure that USB drives are safe and secure.”
Setting aside how short-sighted that is given the cost of a data breach, you don’t need to break the bank to secure your USB drives. The Kanguru Defender Basic features automatically enforced encryption, plus an onboard anti-virus scanner to keep malicious code off your network, and it is available at a mainstream price.
Data Security
Kanguru’s own Matthew Losanno and Emmett Jorgensen contributed an article to Infosec Island on the importance of secure password storage. A few excerpts:
Essentially there are two versions to every password; the password that the user enters at the login screen, and the password stored on the website/server for authentication.
This, of course, begs the question: how secure is the location of the password stored for authentication?
As the recent Sony breach demonstrates, securely storing the password is just as, if not more, important than the strength of the password itself. In this article recently posted by CNET, LulzSec, the group claiming responsibility for the most recent breach, states, “This target gave us LOLs as it provided internal release dates of records, barcodes, sales reports, and plaintext Sony employee passwords.”
Read the full article here.
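The point the excerpts make, that the stored form of a password matters as much as its strength, is easiest to see side by side in code. What follows is an added example, not code from the Infosec Island article or from Kanguru: the record format, the PBKDF2 iteration count, the function names and the sample credentials are assumptions chosen for illustration. Plaintext storage hands the attacker the password outright; a salted, iterated hash forces an offline guessing attack, which still succeeds against a weak password but costs the attacker a full hash computation per guess.

```python
"""Password storage: plaintext versus salted, iterated hashing.

Added example (not from the Infosec Island article or Kanguru). The
record format, iteration count and sample credentials below are
assumptions made for illustration.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value). Raise it as hardware
# gets faster; each record carries its own count, so old records still verify.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The failure mode in the Sony breach: the stored record *is* the password."""
    return password


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per record means two users with the same password get
    different records, and precomputed tables are useless against the dump.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:  # malformed record, e.g. a plaintext entry or garbage
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_guess_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with a dumped hashed record: guess offline.

    Hashing stops the record from being the password, but a weak password
    still falls to a wordlist; the iteration count only makes every guess
    cost as much as one real login attempt. Returns the recovered password
    or None.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    strong = hash_password("correct horse battery staple")
    print("stored record:", strong)
    print("login with right password:", verify_password("correct horse battery staple", strong))
    print("login with wrong password:", verify_password("password1", strong))
    weak = hash_password("password1")
    print("dictionary attack on weak password:",
          offline_guess_attack(weak, ["letmein", "password1", "qwerty"]))
    print("dictionary attack on strong password:",
          offline_guess_attack(strong, ["letmein", "password1", "qwerty"]))
```

The record carries its algorithm and iteration count so the work factor can be raised later without invalidating existing users, and `hmac.compare_digest` avoids leaking digest bytes through timing. A memory-hard function such as scrypt or Argon2 would be the next step up; the structure of the record and the verify path stay the same.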
Data Security
Convenience or security? It’s a dilemma IT professionals encounter every day.
Smart phones, flash drives, and other personal mobile devices have become the norm within business environments today. Each brings unique features that contribute to business productivity and many professionals will tell you they are indispensable in their everyday activities.
So how can infosec professionals deal with the plethora of devices out there?
Ban them altogether and there is a very real risk that productivity will suffer. Allow them without having some sort of management plan in place and a costly data breach could be in your future. So, can mobile devices be managed without severely limiting their functionality and convenience? Read more…
Data Security
State legislatures around the country continue to enact ever stronger data breach laws to protect their citizens against unlawful use of personal information. The two latest actions are in California and Massachusetts. See the Workplace Privacy Report to learn more about the new bills.
Massachusetts already has one of the toughest data security laws in the country. Most other states have regulations that require public notification of data breaches and allow for civil or criminal penalties. Many, but not all, provide safe harbor from penalties if the breached data was properly encrypted.
Data Security