Posts Tagged ‘regulation’

Cars and unsecured USB Drives

May 27th, 2010

Do your users take USB flash drives home with them?  Are those drives encrypted?  If not, they are taking a big risk every time they get in the car.

Unsecured USB Drives are a big problem because:

A)  Flash Drives get stolen from cars

B)  Flash Drives tend to fall out of pockets in parking lots

These incidents are embarrassing and potentially expensive.  Data breaches are increasingly subject to fines and penalties at the state and national level throughout North America and Europe.

Data Security, Portable Storage

Missing drives lead to HITECH Disclosures

May 3rd, 2010

Two hospitals in Kentucky have been forced to notify the public of data breaches under the new HITECH legislation.  Both breaches involved the loss of unencrypted portable drives.  According to the story in Health Data Management, one flash drive contained protected health information for 24,600 individuals admitted to the hospital since 2002.

The HITECH Act is changing the way that healthcare providers think about data security.  Small devices can store massive amounts of data and should be considered high risk if they are not properly secured.

Data Security, Healthcare, Portable Storage

Business sector breaches reported in Maryland

March 4th, 2010

The Office of Inadequate Security has a list of newly reported data breaches provided by the Maryland Attorney General.  Many of the incidents involved stolen laptops, external hard drives or flash drives that contained sensitive information and were not properly encrypted.

More information about the Maryland Personal Information Protection Act (PIPA) can be found at the AG’s website.

Data Security, Portable Storage

Massachusetts Encryption Law Whitepaper

January 26th, 2010

Last week we mentioned that over a million MA residents have been affected by data breaches since the Office of Consumer Affairs started keeping track in October of 2007.

If your business is based in Massachusetts or your company does business there, you may be affected by the new state encryption law starting March 1.  Kanguru has a new whitepaper available that explains the law and how to meet compliance requirements.

Learn more:

Kanguru Whitepaper – Massachusetts Data Encryption Law (PDF)

Kanguru Website – General compliance information for Public Sector, Financial Services and Healthcare organizations.

Data Security

HITECH Lawsuit

January 19th, 2010

Connecticut AG Richard Blumenthal is suing health provider Health Net over a lost external hard drive that contained sensitive information for 1.5 million past and present customers.  Under the new HITECH legislation passed last year, states can obtain statutory damages in the event of a HIPAA security breach.  The hard drive was not encrypted.

In a related story, BCBS of Tennessee just notified the public about a data breach affecting 500,000 customers.  57 unencrypted hard drives have gone missing.  The drives contained names, birth dates, social security numbers, and diagnostic healthcare information.  BCBS will pay for credit monitoring.  No word on HITECH penalties or lawsuits yet.

Data Security, Healthcare, Portable Storage

Over 1 million MA residents affected by data breaches

January 18th, 2010

In the last two years, 1,057,560 Massachusetts residents have been affected by reported data breach incidents according to a report released by the Commonwealth (PDF).

A new Massachusetts law, set to go into effect on March 1, 2010, will require that “personal information” stored on laptops and other portable devices must be encrypted. Personal information is defined under the law as, “a resident’s first and last name, or first initial and last name, in combination with any one or more of the resident’s: (a) social security number; (b) driver’s license number or state issued ID number, or (c) financial account number, or credit or debit card number…”

It is believed that with the new Data Breach Law, “the incidence of security breaches caused by unintentional but careless practices will decrease, as will the potential damage to residents whose information is gathered by unauthorized persons, since their information will be guarded by more robust protections, including encryption of information.”

Data Security

Looking Back at 2009 Data Breaches

December 28th, 2009

Bart Porter at (re)blog compiled a list of the data breach greatest hits of 2009.  Many of the incidents have been noted on the Kanguru Blog, including the MP3 player containing US Army data, local school district mishaps and hospitals that lose USB thumb drives.

The conclusion:

There are many interesting details to note in this dubious line-up of data security breaches, including how many health care, government and education organizations are represented. Even more significant is how few business enterprises show up on the list. This may be a clear indication of what many in the data security industry realize and fear – that most businesses suffering a significant data security breach do not publicly acknowledge incidents as they occur.

We expect this to change as more and more data breach notification laws are enforced at the state level.  The landmark Massachusetts law will take effect in March 2010.  Data encryption will become mandatory for portable devices that store customer or employee information.

Data Security

Are security products really secure?

November 16th, 2009

A recent report from ICSA Labs and Verizon Business found that a majority of security products failed to perform when first tested by independent labs.  Most products “require two or more cycles of testing before achieving certification”, showing that users should be skeptical of claims made by vendors unless they are backed up by independent testing.

Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability. Even though it can be a demanding process, certification with a trusted, established third party is critical to verifying product quality, states the report.

The industry standard for encryption products is FIPS 140-2 certification, issued jointly by the US Government (NIST) and the Canadian Government (CSEC).  This process requires vulnerability testing by an accredited third-party lab followed by Government review.  FIPS 140-2 validation confirms that an encryption product actually implements the security functions it claims, and it is the recommended security level for HIPAA and other regulations.  More information is available from NIST’s Cryptographic Module Validation Program (CMVP).

Data Security, Malware

Federal data breach law?

November 3rd, 2009

GCN reports that Congress may (or may not) pass federal data breach legislation this year.  The Senate Judiciary Committee is currently considering a bill that would set standards for protecting sensitive personal information.  Staffers are optimistic that something will get done this year.

A patchwork of state laws has grown up in recent years requiring organizations holding personal information to notify individuals when that information is exposed. This has been a big step forward in data protection, giving millions of potential identity theft victims a heads up when they might be at risk and highlighting identity theft as a major crime issue. But just about everybody agrees that a national standard would be an improvement, although there is concern that federal preemption of state laws could gut some of the stronger standards states have put into place and might limit citizens’ legal recourse.

It is not clear whether Federal legislation would specifically require encryption of sensitive data, similar to Massachusetts and Nevada state laws.  It’s certainly an effective way to avoid a costly data breach.

Data Security, Government

Financial Breach Timeline

October 22nd, 2009

GovInfoSecurity.com has a timeline of data breaches affecting US Financial Institutions in 2009.  “Stolen or Missing Hardware” was cited in a number of the incidents, along with “Insider Theft”.

These data breaches could lead to penalties under a number of state laws.  The FTC could also impose fines under the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect consumer data.

Data Security, Financial