Breach Notification Law

Cost of a Data Breach

Bill Gardner, in Building an Information Security Awareness Program, 2014

State Breach Notification Laws

A number of states have now enacted breach notification laws that result in data breach costs over and above regulations such as HIPAA, SOX, and PCI DSS. According to the National Conference of State Legislatures (NCSL), 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted breach notification laws [12]. Breach notification laws were enacted as a result of a number of high-profile data breaches such as the much-covered TJX breach.

The ideas behind the laws were to give consumers notification and credit protection in the event customers' information has been lost. Not providing notification and credit protection can result in large fines to the organization that lost the data via theft or negligence. In the case of a loss, an organization's first duty is to determine what has been lost: social security numbers, credit card data, home address, date of birth, or other personally identifiable information (PII). Each state has different triggers for the laws. Common criteria include the number of records and the type of data lost [13].

Below is the breach notification law for the state of West Virginia, which is typical of other state breach notification laws:

Chapter 46A. West Virginia Consumer Credit and Protection Act

Article 2A. Breach of Security of Consumer Information

§46A-2A-101. Definitions

As used in this article:

(1)

"Breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

(2)

"Entity" includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not for profit.

(3)

"Encrypted" means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.

(4)

"Financial institution" has the meaning given that term in Section 6809(3), United States Code Title 15, as amended.

(5)

"Individual" means a natural person.

(6)

"Personal information" means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:

(A)

Social security number;

(B)

Driver's license number or state identification card number issued in lieu of a driver's license; or

(C)

Financial account number, or credit card, or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial accounts.

The term does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

(7)

"Notice" means:

(A)

Written notice to the postal address in the records of the individual or entity;

(B)

Telephonic notice;

(C)

Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, set forth in Section 7001, United States Code Title 15, Electronic Signatures in Global and National Commerce Act.

(D)

Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed fifty thousand dollars or that the affected class of residents to be notified exceeds one hundred thousand persons or that the individual or the entity does not have sufficient contact information to provide notice as described in paragraph (A), (B), or (C). Substitute notice consists of any two of the following:

(i)

Email notice if the individual or the entity has email addresses for the members of the affected class of residents;

(ii)

Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; or

(iii)

Notice to major statewide media.

(8)

"Redact" means alteration or truncation of data such that no more than the last four digits of a social security number, driver's license number, state identification card number, or account number is accessible as part of the personal information.

§46A-2A-102. Notice of breach of security of computerized personal information

(a)

An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection (e) of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay.

(b)

An individual or entity must give notice of the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.

(c)

An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or the entity reasonably believes was accessed and acquired by an unauthorized person.

(d)

The notice shall include:

(1)

To the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver's licenses, or state identification numbers and financial data;

(2)

A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn:

(A)

What types of information the entity maintained about that individual or about individuals in general; and

(B)

Whether or not the entity maintained information about that individual.

(3)

The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.

(e)

Notice required by this section may be delayed if a law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law-enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.

(f)

If an entity is required to notify more than one thousand persons of a breach of security pursuant to this article, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined by 15 U.S.C. §1681a(p), of the timing, distribution and content of the notices. Nothing in this subsection shall be construed to require the entity to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients. This subsection shall not apply to an entity who is subject to Title V of the Gramm Leach Bliley Act, 15 U.S.C. 6801, et seq.

(g)

The notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practice Act in 15 U.S.C. §1692a.

§46A-2A-103. Procedures deemed in compliance with security breach notice requirements

(a)

An entity that maintains its own notification procedures as part of an information privacy or security policy for the handling of personal information and that are consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies residents of this state in accordance with its procedures in the event of a breach of security of the system.

(b)

A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this article.

(c)

An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity's primary or functional regulator shall be in compliance with this article.

§46A-2A-104. Violations

(a)

Except as provided by subsection (c) of this section, failure to comply with the notice provisions of this article constitutes an unfair or deceptive act or practice in violation of section one hundred four, article six, chapter forty-six-a of this code, which may be enforced by the Attorney General pursuant to the enforcement provisions of this chapter.

(b)

Except as provided by subsection (c) of this section, the Attorney General shall have exclusive authority to bring action. No civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article. No civil penalty shall exceed one hundred fifty thousand dollars per breach of security of the system or series of breaches of a like nature that are discovered in a single investigation.

(c)

A violation of this article by a licensed financial institution shall be enforceable exclusively by the financial institution's primary functional regulator.

§46A-2A-105. Applicability

This article shall apply to the discovery or notification of a breach of the security of the system that occurs on or after the effective date of this article [14].
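The definitions in §46A-2A-101(6) and (8) and the trigger in §46A-2A-102(a)/(b) can be turned into a triage check that a response team runs over an exposed table to decide who must be notified. The following is an added example, not part of the book chapter or of the statute; the record layout, field names and the sample rows are constructed assumptions.

```python
"""Breach-notification triage under the West Virginia definitions quoted above.
Added example; record layout and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# §46A-2A-101(8): at most the last four digits of an SSN, driver's license /
# state ID number, or account number may remain accessible after redaction.
REDACT_VISIBLE_DIGITS = 4
# §46A-2A-102(f): more than one thousand notices also obliges notice to the
# nationwide consumer reporting agencies.
CRA_NOTICE_THRESHOLD = 1000


@dataclass
class Element:
    """A data element: `value` is the underlying plaintext, `encrypted`
    records whether it was stored encrypted (§101(3)) when breached."""
    value: str
    encrypted: bool = False


def is_redacted(number: str) -> bool:
    """§101(8): every digit before the last four must be masked."""
    head = number[:-REDACT_VISIBLE_DIGITS]   # empty when the number is <= 4 chars
    return not any(c.isdigit() for c in head)


def redact(number: str, mask: str = "X") -> str:
    """Truncate a number so that no more than its last four digits remain."""
    digits = "".join(c for c in number if c.isdigit())
    hidden = max(0, len(digits) - REDACT_VISIBLE_DIGITS)
    return mask * hidden + digits[-REDACT_VISIBLE_DIGITS:]


@dataclass
class Record:
    first_name: Optional[str]                     # first name or first initial
    last_name: Optional[str]
    wv_resident: bool = True
    ssn: Optional[Element] = None                 # §101(6)(A)
    license_or_state_id: Optional[Element] = None  # §101(6)(B)
    account_number: Optional[Element] = None      # §101(6)(C), together with...
    account_code: Optional[Element] = None        # ...the code that permits access
    from_public_records: bool = False             # §101(6) carve-out


@dataclass
class BreachFacts:
    """What the entity has established about the incident (§102(a)/(b))."""
    key_compromised: bool = False           # breach involves a key holder
    fraud_reasonably_believed: bool = True  # identity theft/fraud caused or expected


def _exposed(elem: Optional[Element], facts: BreachFacts, numeric: bool = True) -> bool:
    """An element counts only if neither encrypted nor redacted; §102(b) removes
    the encryption cover when someone with access to the key was involved."""
    if elem is None:
        return False
    if elem.encrypted and not facts.key_compromised:
        return False
    return not (numeric and is_redacted(elem.value))


def is_personal_information(rec: Record, facts: BreachFacts) -> bool:
    """§101(6): a name linked to at least one usable data element."""
    if not (rec.first_name and rec.last_name) or rec.from_public_records:
        return False
    financial = (_exposed(rec.account_number, facts)
                 and _exposed(rec.account_code, facts, numeric=False))
    return (_exposed(rec.ssn, facts)
            or _exposed(rec.license_or_state_id, facts)
            or financial)


def notice_required(rec: Record, facts: BreachFacts) -> bool:
    """§102(a): notify residents whose personal information was acquired when
    identity theft or other fraud is reasonably believed to follow."""
    return (rec.wv_resident
            and facts.fraud_reasonably_believed
            and is_personal_information(rec, facts))


@dataclass
class Triage:
    to_notify: List[str] = field(default_factory=list)
    cra_notice: bool = False   # §102(f) duty toward consumer reporting agencies


def triage(records: List[Record], facts: BreachFacts) -> Triage:
    result = Triage()
    for rec in records:
        if notice_required(rec, facts):
            result.to_notify.append(f"{rec.first_name} {rec.last_name}")
    result.cra_notice = len(result.to_notify) > CRA_NOTICE_THRESHOLD
    return result


# Constructed sample of an exposed customer table (not real data).
SAMPLE = [
    Record("Alice", "Smith", ssn=Element("123-45-6789")),
    Record("B.", "Jones", ssn=Element("123-45-0000", encrypted=True)),
    Record("Carol", "White", account_number=Element("4111111111111111")),  # no code
    Record("Dan", "Brown", license_or_state_id=Element(redact("A12345678"))),
    Record("Eve", "Black", wv_resident=False, ssn=Element("987-65-4321")),
    Record("Frank", "Green", account_number=Element("5500000000000004"),
           account_code=Element("s3cret")),
    Record(None, "Doe", ssn=Element("111-22-3333")),  # no linked name
]

if __name__ == "__main__":
    for facts in (BreachFacts(), BreachFacts(key_compromised=True)):
        t = triage(SAMPLE, facts)
        print(f"key_compromised={facts.key_compromised}: notify {t.to_notify}; "
              f"CRA notice: {t.cra_notice}")
```

Running it shows the encrypted SSN of "B. Jones" joining the notification list only when the key holder was involved, which is exactly the §102(b) exception to the encryption safe harbor discussed later on this page.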

Notification and mandatory credit protection cost money. Depending on the size of the breach, it could cost millions of dollars to notify all the persons affected. Not reporting the breach could result in criminal and civil penalties. The cost of defending such legal actions would result in even more costs [15].

URL:

https://www.sciencedirect.com/science/article/pii/B978012419967500003X

Domain 9

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

U.S. breach notification laws

At present, the current U.S. breach notification laws are at the state level, with well over thirty separate laws in place. There have been attempts at passing a general federal breach notification law in the United States, but these efforts have been unsuccessful thus far. Although it would be impossible to make blanket statements that would apply to all of the various state laws, some themes are common to quite a few of the state laws that are quickly being adopted by organizations concerned with adhering to best practices.

The purpose of the breach notification laws is typically to notify the affected parties when their personal information has been compromised. One issue that frequently comes up in these laws is what constitutes a notification-worthy breach. Many laws have clauses that stipulate that the business only has to notify the affected parties if there is evidence to reasonably presume that their personal data will be used maliciously.

Another issue that is found in some of the state laws is a safe harbor for data that was encrypted at the time of compromise. This safe harbor could be a strong impetus for organizations to encrypt data that otherwise might not have a regulatory or other legal requirement for the data to be encrypted. Breach notification laws are certainly here to stay, and a federal law seems as if it is quite likely to come in the near future. Many organizations in both the US and abroad consider encryption of confidential data to be a due diligence issue even if a specific breach notification law is not in force within the organization's particular jurisdiction.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597499613000108

Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

United States Breach Notification Laws

Now, over 47 US states have enacted breach notification laws (see: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx). There have been attempts at passing a general federal breach notification law in the United States, but these efforts have been unsuccessful thus far. Although it would be impossible to make blanket statements that would apply to all of the various state laws, there are some themes common to quite a few of the state laws that are quickly being adopted by organizations concerned with adhering to best practices.

The purpose of the breach notification laws is typically to notify the affected parties when their personal information has been compromised. One issue that frequently comes up in these laws is what constitutes a notification-worthy breach. Many laws have clauses that stipulate that the business only has to notify the affected parties if there is evidence to reasonably assume that their personal data will be used maliciously.

Another issue that is found in some of the state laws is a safe harbor for data that was encrypted at the time of compromise. This safe harbor could be a strong impetus for organizations to encrypt data that otherwise might not have a regulatory or other legal requirement for the data to be encrypted. Breach notification laws are certainly here to stay, and a federal law seems as if it is quite likely to come on the horizon in the near future. Many organizations in both the US and abroad consider encryption of confidential data to be a due diligence issue even if a specific breach notification law is not in force within the organization's particular jurisdiction.

URL:

https://www.sciencedirect.com/science/article/pii/B9780128024379000023

PCI and Other Laws, Mandates, and Frameworks

Dr. Anton A. Chuvakin, Branden R. Williams, in PCI Compliance (Second Edition), 2010

Publisher Summary

There are several ways that Payment Card Industry (PCI) and State Data Breach Notification Laws complement each other. PCI DSS covers all types of media (paper and electronic), as do some states and the US Federal Government. From a notification perspective, one may not be required to notify individual cardholders under PCI DSS, but it is required to have an incident response plan (Requirement 12.9) and notify acquirers, card brands, and potentially law enforcement, depending on the situation. PCI DSS evolves to cover modern attack methods and modern security technologies, so that if a breach happens through a method not even remotely covered by PCI DSS, it is highly likely that the next edition of the standard would include a new safeguard or control addressing that vulnerability. The Sarbanes–Oxley Act of 2002 (SOX) was enacted as a result of the numerous public company accounting scandals of the late 1990s and early 2000s in the United States, such as Enron and Tyco International. Although the SOX and PCI DSS teams attack different problems, there are things that each can learn from the other: for example, if one has password and authentication controls defined, then one should be able to map those back into PCI DSS during an assessment of PCI DSS.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597494991000192

Legal Considerations

James M. Aquilina, in Malware Forensics, 2008

State Law

On May 10, 2008, Iowa joined 42 other states in passing a data breach notification law requiring owners of computerized data that includes consumer personal information to notify any affected consumer following a data breach that compromises the security, confidentiality, or integrity of that personal information. 24 The statutes generally share the same key elements, but vary in how those elements are defined, including the definitions of "personal information," the entities covered by the statute, the kind of breach triggering notification obligations, and the notification procedures required. 25

"Personal information" has been defined across these statutes to include some or all of the following:

Social Security, Alien Registration, Tribal, and other federal and state government issued identification numbers

Drivers' License and Non-Operating License identification numbers

Date of birth

Individuals' mothers' maiden names

Passport number

Credit card and debit card numbers

Financial account numbers (checking, savings, other demand deposit accounts)

Account passwords or personal identification numbers (PINs)

Routing codes, unique identifiers, and any other number or information that can be used to access financial resources

Medical information or health insurance information

Insurance policy numbers

Individual taxpayer identification numbers (TINs), Employer taxpayer identification number (EINs), or other tax data

Biometric information (fingerprints, voice print, retina or iris image)

Individual DNA profile data

Digital signature or other electronic signature

Employee identification number

Voter identification numbers

Work-related evaluations

Most statutes exempt reporting if the compromised information is "encrypted," although the statutes do not set forth the standards for such encryption. Some states exempt reporting if, under all circumstances, there is no reasonable likelihood of harm, injury, or fraud to customers. At least one state requires a "reasonable investigation" before concluding no reasonable likelihood of harm. 1

Notification to the affected customers may ordinarily be made in writing, electronically, telephonically, or in the case of large scale breaches, through publication. Under most state statutes, Illinois being an exception, notification can be delayed if it is determined that the disclosure will impede or compromise a criminal investigation. 2

Understanding the breach notification requirements of the state jurisdiction in which the investigation is conducted is important to the integrity of the digital examiner's work, as the scope and extent of permissible authority to handle relevant personal information may be different than expected. Consult counsel for clear guidance on how to navigate determinations of encryption exemption and assess whether applicable notice requirements will alter the course of what otherwise would have been a more covert operation designed to avoid tipping the subject or target.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597492683000062

NET Privacy

Marco Cremonini, ... Claudio Agostino Ardagna, in Computer and Information Security Handbook, 2009

Privacy Threats

Threats to individual privacy have become publicly alarming since July 2003, when the California Security Breach Notification Law 8 went into effect. This law was the first one to force state government agencies, companies, and nonprofit organizations that conduct business in California to notify California customers if personally identifiable information (PII) stored unencrypted in digital archives was, or is reasonably believed to have been, acquired by an unauthorized person.

The premise for this law was the rise of identity theft, which is the conventional expression that has been used to refer to the illicit impersonation carried out by fraudsters who use PII of other people to complete electronic transactions and purchases. The California Security Breach Notification Law lists, as PII: Social Security number, driver's license number, California Identification Card number, bank account number, credit- or debit-card number, security codes, access codes, or passwords that would permit access to an individual's financial account. 8 By requiring by law the immediate notification to the PII owners, the aim is to avoid direct consequences such as financial losses and derivative consequences such as the burden to restore an individual's own credit history. Starting on January 1, 2008, California's innovative data security breach notification law also applies to medical information and health insurance data.

Besides the benefits to consumers, this law has been the trigger for similar laws in the US—today, the majority of U.S. states have one—and has permitted the flourishing of regular statistics about privacy breaches, once almost absent. Privacy threats and analyses are now widely debated, and research focused on privacy issues has become one of the most important. Figure 28.1 shows a chart produced by plotting data collected by the Attrition.org Data Loss Archive and Database, 9 one of the most complete references for privacy breaches and data losses.

Figure 28.1. Privacy breaches from the Attrition.org Data Loss Archive and Database up to March 2008 (X-axis: Years 2000–2008; Y-axis (logarithmic): PII records lost).

Looking at the data series, we see that some breaches are strikingly large. Etiolated.org maintains some statistics based on Attrition.org's database: In 2007, about 94 million records were hacked at TJX stores in the U.S.; confidential details of 25 million children have been lost by HM Revenue & Customs, U.K.; the Dai Nippon Printing Company in Tokyo lost more than 8 million records; data about 8.5 million people stored by a subsidiary of Fidelity National Information Services were stolen and sold for illegal usage by a former employee. Similar paths were reported in previous years too. In 2006, personal data of about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home. In 2005, CardSystems Solutions—a credit card processing company managing accounts for Visa, MasterCard, and American Express—exposed 40 million debit- and credit-card accounts in a cyber break-in. In 2004, an employee of America Online Inc. stole 92 million email addresses and sold them to spammers. Still recently, in March 2008, the Hannaford Bros. supermarket chain announced that, due to a security breach, about 4.2 million customer credit and debit card numbers were stolen. 10

Whereas these incidents are the most notable, the phenomenon is distributed over the whole spectrum of breach sizes (see Figure 28.1). Hundreds of privacy breaches are reported in the order of a few thousand records lost, and all categories of organizations are affected: public agencies, universities, banks and financial institutions, manufacturing and retail companies, and so on.

The survey Enterprise@Risk: 2007 Privacy & Data Protection, conducted by Deloitte & Touche and Ponemon Institute, 11 provides another piece of data about the incidence of privacy breaches. Among the survey's respondents, over 85% reported at least one breach and about 63% reported multiple breaches requiring notification during the same time period. Breaches involving over 1000 records were reported by 33.9% of respondents; of those, almost 10% suffered data losses of more than 25,000 records. Astonishingly, almost 21% of respondents were not able to estimate the record loss. The picture that results is that of a pervasive management problem with regard to PII and its protection, which causes a continuous leakage of chunks of data and a few dramatic breakdowns when huge archives are lost or stolen.

It is interesting to analyze the root causes for such breaches and the type of data involved. One source of information is the Educational Security Incidents (ESI) Year in Review–2007, 12 by Adam Dodge. This survey lists all breaches that occurred during 2007 at colleges and universities around the world.

Concerning the causes of breaches, the results over a total of 139 incidents are:

38% are due to unauthorized disclosure

28% to theft (disks, laptops)

22% to penetration/hacking

9% to loss of data

Therefore, incidents to be accounted for by mismanagement by employees (unauthorized disclosure and loss) account for 47%, whereas criminal activity (penetration/hacking and theft) accounts for 40%.

With respect to the type of data exposed during these breaches, the result is that:

PII has been exposed in 42% of incidents

Social Security numbers in 34%

Educational information in 11%

Financial information in 7%

Medical data in 5%

Login accounts in 2%

Once more, rather than direct economic consequences or illicit usage of computer facilities, such breaches represent threats to individual privacy.

Privacy Rights Clearinghouse is another organization that provides excellent data and statistics about privacy breaches. Among other things, it is particularly remarkable for its analysis of root causes for different sectors, namely the private sector, the public sector (military included), higher education, and medical centers. 13 Table 28.1 reports its findings for 2006.

Table 28.1. Root causes of data breaches, 2006

| Root cause | Private Sector (126 Incidents) | Public Sector (Inc. Military; 114 Incidents) | Higher Education (52 Incidents) | Medical Centers (30 Incidents) |
|---|---|---|---|---|
| Outside hackers | 15% | 13% | 40% | 3% |
| Insider malfeasance | 10% | 5% | 2% | 20% |
| Human/software incompetence | 20% | 44% | 21% | 20% |
| Theft (non-laptop) | 15% | 17% | 17% | 17% |
| Laptop theft | 40% | 21% | 20% | 40% |

Source: Privacy Rights Clearinghouse.

Comparing these results with the previous statistics, the Educational Security Incidents (ESI) Year in Review–2007, breaches caused by hackers in universities look remarkably different. Privacy Rights Clearinghouse estimates as largely prevalent the external criminal activity (hackers and theft), which accounts for 77%, over internal problems, which account for 19%, whereas in the previous study the two classes were closer, with a prevalence of internal problems.

Hasan and Yurcik 14 analyzed data about privacy breaches that occurred in 2005 and 2006 by fusing datasets maintained by Attrition.org and Privacy Rights Clearinghouse. The overall result partially clarifies the discrepancy that results from the previous two analyses. In particular, it emerges that, considering the number of privacy breaches, education institutions are the most exposed, accounting for 35% of the total, followed by companies (25%) and state-level public agencies, medical centers, and banks (all close to 10%). However, by considering personal records lost by sector, companies lead the score with 35.5%, followed by federal agencies with 29.5%, medical centers with 16%, and banks with 11.6%. Educational institutions record a lost total of only 2.7% of the whole. Therefore, though universities are victimized by huge numbers of external attacks that cause a continuous leakage of PII, companies and federal agencies are those that have suffered or provoked ruinous losses of enormous archives of PII. For these sectors, the impact of external Internet attacks has been matched or even exceeded by internal fraud or misconduct.

The case of consumer data broker ChoicePoint, Inc., is perhaps the one that got the most publicity as an example of bad management practices that led to a huge privacy incident. 15 In 2006, the Federal Trade Commission charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports—credit histories—to subscribers who did not have a permissible purpose to obtain them and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information. 16

The opinion that threats due to hacking have been overhyped with respect to others is one shared by many in the security community. In fact, it appears that root causes of privacy breaches such as physical thefts (of laptops, disks, and portable memories) and bad management practices (sloppiness, incompetence, and scarce allocation of resources) need to be considered at least as serious as hacking. This is confirmed by the survey Enterprise@Risk: 2007 Privacy & Data Protection, 11 which concludes that most enterprise privacy programs are just in the early or middle phase of the maturity cycle. Requirements imposed by laws and regulations have the highest rates of implementation; operational processes, risk assessment, and training programs are less adopted. In addition, only a minority of organizations seem able to implement measurable controls, a deficiency that makes privacy management intrinsically feeble. Training programs dedicated to privacy, security, and risk management look like the weakest spot. Respondents report that training on privacy and security is offered just annually (about 28%), just once (about 36.5%), or never (about 11%). Risk management is never the subject of training for almost 28% of respondents. With such figures, it is no surprise if internal negligence due to unfamiliarity with privacy problems or insufficient resources is such a relevant root cause for privacy breaches.

The ChoicePoint incident is paradigmatic of another important aspect that has been considered for analyzing privacy problems. The breach involved 163,000 records and it was carried out with the explicit intention of unauthorized parties to capture those records. However, in just 800 cases (about 0.5%), that breach led to identity theft, a severe crime suffered by ChoicePoint customers. Some analysts have questioned the actual value of privacy, which leads us to discuss an important strand of research about economic aspects of privacy.

URL: https://www.sciencedirect.com/science/article/pii/B9780123743541000285

The Changing Corporate Landscape

John G. Iannarelli, Michael O'Shaughnessy, in Data Governance and Security, 2015

Law and Compliance

Information security laws are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to such information for unauthorized purposes. Data breach notification laws typically require covered entities to implement a breach notification policy, and include requirements for incident reporting, handling, and external breach notification. [1]

There is no one particular law that governs data breaches. Essentially, every state has different regulations and requirements pertaining to data breaches, and companies must adhere to the laws of the states in which they reside as well as those of the states in which they are doing business.

Depending upon for whom the information is collected, the federal government will also have regulations that must be followed subsequent to a breach. For instance, medical data would involve HIPAA. These requirements have resulted from federal privacy legislation that covers such areas as health care, securities, and in some cases the Internet. Whether state or federal, the regulations surrounding breaches seek to have information governance policies in place in order to mitigate the risks as much as possible and, when the inevitable breach occurs, to ensure that anyone who might have been a victim is properly notified so that they can take steps to protect themselves.

Currently, forty-seven states, the District of Columbia, and several US territories have enacted legislation that requires notification of security breaches involving personal information. Because the companies were victims themselves, these laws do not directly hold companies accountable for the losses sustained due to the breaches. However, there remains the potential for civil litigation in the form of class action lawsuits so that the affected individuals can be compensated for their losses. While the costs of notifying thousands of victims at a time can be expensive, the prospect of having to reimburse these thousands of individuals, as we have seen in the Target breach, is frightening. Of course, lawsuits of this type generally succeed only when negligence is present. Hence, a proper information governance policy can show a good faith effort on the part of the company, which can overcome a presumption of negligence.

The nation's largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses have disclosed numerous data breaches and computer intrusions. [2]

The Privacy Rights Clearinghouse chronicles and reports that over 345 million records containing sensitive personal data have been involved in security breaches in the United States since January 2005. From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed. As an example, in 2006 the personal data of 26.5 million veterans was breached when a VA employee's hard drive was stolen from his home. [3] The common denominator in these data breaches is that the attackers were seeking to obtain sensitive personal data, which they put to criminal use by means of identity theft to commit various frauds, such as taking out a mortgage in someone else's name or having credit cards issued on the victim's bank account.

If any positive has come out of the multitude of data breaches, it is that the public has become much more aware of the dangers. Just a few short years ago, most would not have given a second thought to the release of their own personal identifying information to a doctor's office or a business. Now, however, when asked for such information, many people will immediately wonder who will have access to this information and whether they have anything to fear regarding its security. In today's changing corporate landscape, businesses have to consider these concerns and put their clients' minds at ease, reassuring the public that they are competent at managing personally identifiable data. Failure to do so will inevitably result in the loss of the public's trust, as well as the public's business. With the variety of remedies that are available to consumers through the legal system, a breach means corporations can expect greater financial problems than merely the loss of future business.

The medical profession in particular has undergone dramatic changes in the way it collects patient information and the regulations under which it must operate. By 2017, all medical records within the United States are expected to have been transformed from handwritten patient charts to online medical records. The benefits of this are obvious. Doctors with multiple offices can pull up patient records wherever they are working. Medical reports prepared by one doctor can be sent immediately to a treating specialist. If you are the victim of a serious accident or injury while away from home, your primary care doctor can send all of your medical information immediately to the emergency room that is treating you. But when it comes to data breaches, this new advance in the way the medical profession retains its patient records brings with it additional dangers that had not previously existed.

Say, for example, that your medical records have been compromised, but you are unaware of it. Someone then decides to use your medical records and medical insurance to receive treatment in your name. There is plainly the potential financial loss of paying another's co-pays, along with the possibility that your insurance rates might be raised or your policy cancelled. In the case of electronic medical records, the consequences can be far greater than just financial loss. What if the person using your medical records suffers from a particular illness or ailment? They might be treated with medications that will help them, but could have an adverse effect on you should you be treated by another doctor who uses these same medications. We have now entered an environment where a data breach could cost more than money; it could cost lives.

URL: https://www.sciencedirect.com/science/article/pii/B9780128002476000042

What Is a Security Awareness Program?

Bill Gardner, in Building an Information Security Awareness Program, 2014

Cost Savings

Data breaches cost money. If you are an organization covered by regulations such as HIPAA/HITECH or PCI DSS, the penalties for data breaches could be millions of dollars depending on the size of the breach. Additionally, many states now have breach notification laws that require organizations that lose data to inform those affected as to what was lost and in some cases to provide credit protection to those affected. Ponemon Institute and Symantec released a report in June of 2013 that found that breaches in 2012 cost an average of $136 per record globally [8].

In May 2012, the US Department of Health and Human Services Office of Civil Rights fined Idaho State University $400K for health data breaches [9]. In June 2012, the Alaska Department of Health and Human Services (DHHS) agreed to pay $1.7 million to settle potential violations of HIPAA/HITECH [10].

The payment card industry has established fines of up to $500,000 per incident for data breaches [11]. In 2010, Genesco, a Nashville, TN-based sportswear company, was fined more than $13 million for noncompliance with PCI DSS regulations after the firm discovered it had been hacked and regulators discovered the noncompliance [12].

URL: https://www.sciencedirect.com/science/article/pii/B9780124199675000016

Privacy on the Internet

Marco Cremonini, ... Claudio Agostino Ardagna, in Computer and Information Security Handbook (2nd Edition), 2013

Privacy Threats

Threats to individual privacy have become publicly appalling since July 2003, when the California Security Breach Notification Law [8] went into effect. This law was the first to force state government agencies, companies, and nonprofit organizations that conduct business in California to notify California customers if personally identifiable information (PII) stored unencrypted in digital archives was, or is reasonably believed to have been, acquired by an unauthorized person.

The premise for this law was the rise of identity theft, which is the conventional expression used to refer to the illicit impersonation carried out by fraudsters who use the PII of other people to complete electronic transactions and purchases. The California Security Breach Notification Law lists as PII: Social Security number, driver's license number, California Identification Card number, bank account number, credit- or debit-card number, security codes, access codes, or passwords that would permit access to an individual's financial account (see checklist, "An Agenda for Action for Protecting One's Identity"). By requiring by law the immediate notification of the PII owners, the aim is to avoid direct consequences such as financial losses and derivative consequences such as the burden of restoring an individual's own credit history. Starting on January 1, 2008, the data security breach notification law in California also applies to medical information and health insurance data.

An Agenda for Action for Protecting One's Identity

You'll want to protect the privacy of your personal data while you're online. Here's a checklist of some of the most important things you can do to protect your identity and prevent others from easily getting your personal data (check all tasks completed):

_____1. Check a site's privacy policy before you enter any personal information and know how it will be used.

_____2. Make sure you have a secure Internet connection, by checking for the unbroken key or closed lock icon in your browser, before you enter any personal information onto a webpage.

_____3. Only give a credit card number when buying something.

_____4. Register your credit cards with your card provider's online security services, such as Verified by Visa and MasterCard SecureCode.

_____5. Use only one credit card for online purchases; if possible, use an account with a low spending limit or small available balance.

_____6. Don't use a debit card for your online purchases. Credit cards are better because bank-provided security guarantees apply to credit cards, so an unauthorized charge is limited to $50.

_____7. Don't select the "remember my password" option when registering online.

_____8. Change your passwords every 60 to 90 days and don't use personal information as your password; instead use a string of at least five letters, numbers and punctuation marks.

_____9. Don't store your passwords near your computer or in your bag or wallet.

_____10. Don't give more information than a site requires.

_____11. Keep your anti-virus software up to date to reduce the risk of malicious code running on your PC.

_____12. Don't go online unless you have a personal firewall enabled to add a layer of protection to your PC by stopping unknown connections to your PC.

_____13. Don't answer directly to e-mail messages asking for personal information.

_____14. Type web addresses directly into your web browser instead of clicking on e-mail links.

_____15. Get anti-virus and anti-spam filtering software and keep it up to date by using its automatic update feature, if your service provider or employer doesn't provide it for you.

_____16. Check out online retailers' ratings at BizRate and the Better Business Bureau before buying.

Besides the benefits to consumers, this law has been the trigger for similar laws in the United States—today, the majority of U.S. states have one—and has permitted the flourishing of regular statistics about privacy breaches, once almost absent. Privacy threats and analyses are now widely debated, and research focused on privacy problems has become one of the most important. The DataLossDB, maintained by the Open Security Foundation [9], publishes one of the most complete references for privacy breaches and data losses, recording incidents involving data losses from 2003 to date.

Looking at the largest incidents, the magnitude of some breaches is astonishing: In 2009, about 130 million records were lost by Heartland Payment Systems, US; in 2007, about 94 million records were hacked at TJX stores in the US; in 2011, the target was Sony Corp. and its 77 million customer records. Many other incidents in the dozens-of-millions size range are recorded and have gained the headlines in the press, involving all sorts of confidential information managed by very different kinds of organizations. Most of the incidents have been the result of hacking from outside the corporate network, but with notable exceptions. In 2004, an employee of America Online Inc. stole 92 million email addresses and sold them to spammers; in 2006 a computer containing about 26 million personal records of the U.S. Department of Veterans Affairs was stolen; in 2007 two CDs were lost containing the entire HM Revenue and Customs (GB) child benefit database (about 25 million records) and 7 million banking details. Similarly, lost record backups or other storage media containing millions of personal records were the reason for severe data loss incidents in 2008 at T-Mobile, at the Deutsche Telekom company, at LaSalle Bank, USA, and at GS Caltex in South Korea.

It is interesting to note that the existence of criminals looking for huge archives of personal data is not a phenomenon that appeared with the advent of the Internet and modern interconnected digital networks. In 1984, hackers accessed a credit-reporting database, likely managed on mainframe systems, at TRW Inc. containing 90 million records, and in 1986, documents holding about 16 million vital records of Canadian taxpayers were stolen from Toronto's District Taxation Center.

Whereas these incidents are the most notable, the phenomenon is distributed over the whole spectrum of breach sizes. Hundreds of privacy breaches are reported in the order of a few thousand records lost, and all categories of organizations are affected: public agencies, universities, banks and financial institutions, manufacturing and retail companies, and so on. To this end, it is interesting to quote the authors of the 2011 Data Breach Investigations Report by the Verizon RISK team [10]: "2010 exhibited a much more even distribution. The main factor in this shift is the lack of "mega-breaches" in our combined caseload. Many incidents involving the compromise of multi-millions of records (or more) in the last few years occurred in financial institutions. Without one or two of these skewing the results, things naturally balance out a bit more. Another factor to consider is that criminals seemed to gain interest in stealing data other than payment cards. Account takeovers, theft of IP and other sensitive data, stolen authentication credentials, botnet activity, etc. (which are typically less mega-breach-able) affected firms at increased rates in 2010". This is a precious warning not to focus excessively on the "mega-breaches" that get the headlines as the sole indicator of the status of privacy on the Internet. Even in 2010, when huge breaches did not happen (2011 is different, as we illustrated), privacy threats and incidents soared in number, though not in the amount of records stolen. Therefore, the threats are real and still very much alive even for small-to-medium firms and organizations.

Again from the DataLossDB, we have an overview of the incidence of data breaches by breach type, business type and vector. With respect to breach type, the main ones are: 19% due to hacking; 15% due to stolen laptops; 11% due to malicious Web services; and 11% due to fraud.

A plethora of other reasons for breach, from the disposal of documents, media and computers to lost or missing storage media, malware and emails, are responsible for about 40% of all breaches.

With respect to business type, incidents are distributed as follows: 49% affect business; 19% governments; 16% medical institutions; and 16% education.

Finally, the vectors mainly exploited to conduct privacy and data breaches are: 55% of incidents originate from outside an organization; 39% from inside; and 6% unknown.

It is interesting to note how, for incidents originating from inside an organization, the majority are accidental rather than intentional. This fact points out the relevant role of mistakes, disorganization, mismanagement and all other accidental causes that may pose severe threats to data privacy.

URL: https://www.sciencedirect.com/science/article/pii/B9780123943972000428

What's Next?

Tony Flick, Justin Morehouse, in Securing the Smart Grid, 2011

Making the Argument

Speaking in terms of theoretical doomsday scenarios will not sway most executives. If you are responsible for presenting the risk to management, a quantitative analysis of the real cost of a breach backed by statistics and mandatory regulations will make the best argument. Most states in the United States have breach notification laws that require organizations to disclose when personally identifiable information has been exposed. Thus, finding statistics and real-world examples to present to management will not be difficult. As an example, the Privacy Rights Clearinghouse maintains a list of the publicly disclosed breaches involving personally identifiable information (PII) since 2005, which they call the Chronology of Data Breaches. The list can be viewed at www.privacyrights.org/ar/chrondatabreaches.htm. In addition, the Open Security Foundation maintains a database and has a mailing list for breaches involving PII. More information on the Open Security Foundation DatalossDB database and mailing list can be found at http://datalossdb.org/.

In addition to the costs associated with investigations, lawsuits, and remediating a vulnerability after a breach has occurred, compliance with mandatory regulations is a powerful argument to use when discussing risk with management. In Chapter 6, "Public and Private Companies," compliance with NERC CIP reliability standards is discussed along with the repercussions of noncompliance. Under Section 215 of the Federal Power Act, NERC has the authority to fine United States entities up to $1 million per day. [24] While NERC CIP compliance will not help in every situation, it should help security professionals achieve a minimum baseline of security within their organization.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495707000145