Archive

Posts Tagged ‘state law’

Study details 6 years of data breach info

September 7th, 2011

A new study from the Digital Forensics Association, called The Leaking Vault 2011, covers 3,765 publicly disclosed data breach incidents over the past six years.  The estimated cost of these data breaches totaled more than $156 Billion.  “Hacking” exposed the largest number of records, while “Drive/Media” exposures were the second leading cause.

The study also shows the breakdown of incidents among business, education, government and medical sectors.  It clearly shows that data breaches can happen to a wide variety of institutions, not just those that handle “classified” information.  State data breach laws and industry regulations like HIPAA have increased the spotlight on data security outside of traditional national security organizations.  In fact, medical data breaches were the fastest growing segment from 2005-2010.

Read the full report for conclusions and recommendations.

Data Security, Financial, Government, Healthcare, Malware, Portable Storage

States strengthen data breach laws

May 10th, 2011

State legislatures around the country continue to enact stronger and stronger data breach laws to protect their citizens against unlawful use of personal information.  The two latest actions are in California and Massachusetts.  See the Workplace Privacy Report to learn more about the new bills.

Massachusetts already has one of the toughest data security laws.  Most other states have regulations that require public notification of data breaches and allow for civil or criminal penalties.  Many, but not all of them, provide safe harbor from penalties if the data was properly encrypted.

Data Security

Keeping tabs on your data

March 7th, 2011

Here at Kanguru we frequently talk about encrypting and securing your mobile data, but sometimes don’t stress enough the importance of tracking and monitoring data usage.  As important as it is to secure your data, it is equally important to know where it is going. 

When an employee leaves the office for the day, taking his work with him on a flash drive, where is that data going?  To the local coffee shop for a quick stop, where it is opened on one of their unsecured wireless networks?  To an unsecured home computer?

These possibilities, along with the risks associated with them, are why Kanguru emphasizes a total security solution.  This can be especially advantageous to organizations that are required to meet security regulations like HIPAA, the HITECH Act or any one of the many state-level data breach laws.

Tracking and monitoring can be done via Kanguru’s Remote Management Console and USB Device Control, a tandem of products designed specifically to allow organizations to keep tabs on and secure their portable data. 

It’s time to look beyond encryption and recognize the importance of endpoint security as a key element to the overall big picture of securing your data.  Some options to look for in endpoint security and remote management:

1.) Device Control - Control what, when and how USB devices are allowed to access your computers.

2.) IP and Domain Control - Manage which IP addresses and/or domains are allowable for devices to access via whitelist and blacklist methodology.

3.) Auditing and Reporting - Get a full audit trail with detailed graphical reporting and the ability to export both customizable audit logs and graphs for external analysis to ensure proper compliance.

4.) Remote Provisioning - Remotely manage security policy changes from a single location. Control password complexity, password expiration, software updates, patches, A/V definitions, online and offline access, and more.

Data Security

HIPAA Fines Underscore Need for Securing Data

February 11th, 2011

The loss of an unencrypted portable hard drive containing private health information has proven extremely costly and time consuming for Health Net, Inc., and Health Net of the Northeast, Inc.

The health insurance company is now being fined $55,000 by the State of Vermont and must also submit to a data-security audit and file reports with the State regarding the company’s information security programs for the next two years.

“The lawsuit is Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009.”

Read more at Infosec Island.

Data Security, Healthcare

The cost of security compliance

February 2nd, 2011

Which is more costly to a business?  Spending the money to become compliant with federally mandated security regulations or remaining noncompliant? 

A recent study by the Ponemon Institute compared the cost of complying with state and federal security regulations vs. the cost of potential business disruption, productivity loss, revenue loss, and fines.   Read more about it here.

Data Security

CT Teachers Board discloses lost flash drive

July 13th, 2010

The Connecticut State Teachers Retirement Board notified teachers last week that it’s missing a USB flash drive containing personal data.  Fortunately, proper security procedures appear to have been in place and the data on the device was encrypted.

“We have numerous controls in place so that financial transactions are properly authorized and executed and have enhanced our internal procedures over the physical control of flash drives,” according to the letter, which was signed by Darlene Perez, administrator of the retirement board.

In Connecticut, data breach notifications are required under General Statute 36a-701(b).  This law only applies to data that “has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable”.

Does your state have a data breach notification law?

Data Security

Flexible pricing for Non-Profits

June 30th, 2010

While Non-Profits may operate under budget constraints, they still require high-end technology solutions to meet their information security requirements.  Kanguru is now offering discounted pricing on Defender and Defender Pro secure USB flash drives for Educational and other Non-Profit institutions.

Many Non-Profits handle and store sensitive information on clients, patients, students and employees.  These organizations may be subject to State Data Breach Laws, HIPAA or the Family Educational Rights and Privacy Act (FERPA).  The Kanguru Defender product line is designed to be a simple, cost effective solution for securing portable data and complying with applicable regulations.  Contact Kanguru or your preferred Reseller for information on discounted pricing.

Data Security, Portable Storage

Hospitals fined for weak data protection

June 14th, 2010

The California Department of Public Health has fined five hospitals for failing to prevent unauthorized access to patients’ medical information.

CDPH assessed the penalties under new California legislation intended to protect the confidentiality of medical records. Under the law, an administrative penalty of $25,000 may be assessed against a medical facility for the breach of each patient’s medical information. A penalty of up to $17,500 is added for each subsequent breach of each patient’s medical information.

Penalties are also increasing at the Federal level thanks to last year’s HITECH Act.  Enforcement of the new legislation started earlier this year.

Data Security

Cars and unsecured USB Drives

May 27th, 2010

Do your users take USB flash drives home with them?  Are those drives encrypted?  If not, they are taking a big risk when they get in the car.

Unsecured USB Drives are a big problem because:

A)  Flash Drives get stolen from cars

B)  Flash Drives tend to fall out of pockets in parking lots

These incidents are embarrassing and potentially expensive.  Data breaches are increasingly subject to fines and penalties at the state and national level throughout North America and Europe.

Data Security, Portable Storage

Business sector breaches reported in Maryland

March 4th, 2010

The Office of Inadequate Security has a list of newly reported data breaches provided by the Maryland Attorney General.  Many of the incidents involved stolen laptops, external hard drives or flash drives that contained sensitive information and were not properly encrypted.

More information about the Maryland Personal Information Protection Act (PIPA) can be found at the AG’s website.

Data Security, Portable Storage