Author Archive

A Texas-sized data breach expensive for state government

The Texas Comptroller notified about 3.5 million people last month that their personal information (including names, addresses and Social Security Numbers, and in some cases driver’s license numbers and dates of birth) was publicly exposed for about one year because of data security lapses by the government.

The Facts

The breach occurred after various state agencies and entities transferred information about individuals to the Comptroller’s office for use in verifying unclaimed property records. The information was required to be provided to the Comptroller by state law. Unfortunately, there were several missteps in how the data was transferred and handled. For starters, the transferred files were required to be encrypted — but they weren’t. Then, Read more…

Sony PlayStation case shows the importance of post-breach forensics

On April 27, 2011, Sony publicly disclosed that hackers had breached its PlayStation Network (which includes its Qriocity video and music-streaming services) and had gained access to 77 million consumer records. This revelation came several days after Sony had shut down the Network, saying at the time only that an outage had been responsible for the interruption. On the 27th Sony disclosed that the compromised consumer information included names, addresses, email addresses, birth dates, login and password information, purchase history, and possibly credit card information. A statement indicated that the credit card information was encrypted, and that there was no evidence it had been taken.

The massive size of the breach has caused much speculation about the expenses that Sony will incur in dealing with the matter. One article said that the costs could rise as high as $24B (yes, billion) Read more…

Is Amazon’s “Cloudgate” a network security matter?

The recent extended outage of Amazon’s “cloud computing” business has generated many questions about what insurance policies would be likely to provide indemnification for losses caused by the crash.

Amazon has a significant cloud computing business, which it calls Amazon Web Services (AWS). AWS rents data storage and web services to its customers. These customers use the outsourced services to avoid the expense and distraction of providing those services for themselves. As a risk management matter, cloud computing customers should make sure that their data is stored in different locations and that they have adequate backup and disaster recovery options in the event of outages or crashes. As such “redundancy” services can be expensive, some of Amazon’s smaller corporate customers did not purchase them. When Amazon’s data center in Northern Virginia experienced an extended outage, these customers did not have effective contingency plans, and their websites performed slowly or crashed. Read more…

Lessons learned from Briar Group data breach settlement with Mass AG

Much has been written about the recent settlement by the Massachusetts Attorney General with the Briar Group in connection with a significant data breach that occurred in 2009. Some of the early postings are very helpful (see links below), some have important mistakes, but I haven’t yet seen any that address a key insurance issue raised by the matter.

The Facts

Some of the basic information, as gleaned primarily from the complaint filed by the Massachusetts Attorney General, is as follows:

  • The Briar Group, LLC owns and operates several bars and restaurants in the Boston area.
  • In April 2009, hackers breached Briar Group’s network security and installed malicious code on its computer systems. Read more…

Breach at email marketing service highlights privacy issues

All over the U.S., people have been receiving emails from familiar corporate giants (including Best Buy, Walgreens, Citi, Home Shopping Network, JPMorgan Chase, Kroger, The College Board, Brookstone, U.S. Bank, and Tivo, among others) informing them that their names and email addresses had been hacked and could possibly be used in phishing attacks attempting to perpetrate financial fraud by convincing individuals to reveal account information, passwords or other confidential information. The hackers’ capture of both names and emails has increased concerns about “spear phishing” – the use of personalized emails containing the customer’s name and maybe even address, as well as the logo of the relevant financial institution. Such personalized emails often appear authentic so that consumers reveal sensitive account or other information. Many of the affected companies have responded by advising their Read more…

The importance of being prepared for a privacy breach

Thomas Edison said that genius is 1% inspiration and 99% perspiration. In the realm of privacy breach responses, the formula for genius might be expressed as 1% perspiration and 99% preparation. The contrasting responses of Hamilton Beach Brands and of Health Net to recent breaches demonstrate the importance of being prepared to act swiftly when the time comes.

Hamilton Beach

In early January 2011, Hamilton Beach discovered that some malicious code had been placed on the server processing its online ordering. The hacker code captured credit card data entered by would-be purchasers, before that data was encrypted and sent for processing. The credit card information was then automatically Read more…

When the government knocks, will your privacy insurance answer?

February 10, 2011

Most experts predict that 2011 will bring a significant increase in regulatory proceedings and fines against companies that suffer privacy breaches. The mushrooming number of privacy-related laws at the federal, state, local and foreign levels provides fertile ground for investigations and enforcement actions. Potential regulatory protagonists may come from the federal Department of Health and Human Services, the FTC, the SEC, FINRA, State Attorneys General, the EU, or other sources.

The July 2010 settlement by Health Net of a HIPAA enforcement action by the Connecticut Attorney General provides a window to the potential near-term future. In settlement of an action resulting from its loss of a portable hard drive containing unencrypted patient records, Health Net paid a $250,000 fine, agreed to an additional contingent payment of up to $500,000, agreed to take several corrective steps – and spent more than $7,000,000 Read more…

The evolving cyber crime marketplace

February 8, 2011

A report issued by Panda Security describes how the cyber theft marketplace is adapting to economic circumstances. Among other things, the report belies any notion that cyber crime is dominated by small, disconnected actors haphazardly hacking into randomly chosen troves of electronic information. It is big business, driven by profit-maximizing business operators who continually adapt to the shifting economy and the laws of supply and demand. The Panda Security report makes interesting, and sobering, reading.

The report makes clear that cyber thieves are diversifying their business to offer a range of services and information to different audiences. Basic credit card information, for example, can be bought relatively cheaply for as little as $2 per card, while credit cards with guaranteed lines of credit can cost the buyer as much as $80 per card. The cyber theft market offers bulk discounts and special deals, is subject to pricing wars, and is broadening the range of “goods and services” offered. The menu for buyers of confidential information is a la carte. Read more…

When a safe harbor isn’t safe enough

December 3, 2010

In many data security circles, the word “encryption” will bring a glow of peaceful serenity. Encrypting data is one of the best ways to protect it from prying eyes and is recommended by almost all experts and required by many laws and regulations. But it is not always enough. A recent incident illustrates how human error can foil even the best data security methods.

Rainbow Hospice and Palliative Care in Illinois had duly encrypted its laptops in accordance with everyone’s best practices recommendations and many jurisdictions’ legal requirements. The laptop at issue contained personal medical and financial information about nearly 1,000 patients. Encryption was activated whenever the computer was shut off or its top closed, and two passwords were required for access to the confidential data. So far, so good. Read more…

Facebook privacy breach reveals important risk management and insurance issues

October 18, 2010

The lead story in the Wall Street Journal today reports Facebook in Privacy Breach. The article describes how several of the applications available on Facebook transmit identifying information to Internet tracking and advertising companies. The breach affects millions of users. An especially resonant sentence in the article notes that “The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.”

A casual reader of the article might understandably think that the Facebook breach has little relevance to the risks that most companies confront in the collection and handling of confidential information. While it is true that most don’t have 500 million customers or embed third-party applications in their websites, several important aspects of Facebook’s seemingly sui generis situation can have analogues for almost all companies.

Some important questions raised by the Facebook matter could also arise for any other company that collects confidential personal information. Read more…
