Archive for the ‘Privacy and Compliance’ Category

Encryption…Just Do It!

Thursday, November 2nd, 2006

I am a big advocate of encryption. It is such a great tool for protecting sensitive and personally identifiable information (PII), particularly for data that moves: on mobile devices, on removable storage, and in transit across networks. Historically it was a challenge to implement.
In the past few years implementation has been getting much easier, and it continues to improve. However, it is still no surprise, but nonetheless a disappointment, that a recent study from Credant Technologies, Inc. (yes, an encryption solution vendor) found that of 426 IT practitioners interviewed around the world, 88% know that sensitive data and PII is on their personnel’s mobile computers, but only 20% have deployed encryption for such devices. Note that "deployed" is not the same as "used"; I would bet that the amount of PII and sensitive data actually encrypted on those devices is much lower still.

(more…)


Another Tool for your Awareness Arsenal

Thursday, November 2nd, 2006

The FTC recently made available a pretty neat awareness-raising quiz about privacy on social networking sites, “Buddy Builder.”

(more…)

Consumers Want Identity Theft Protection Through Homeowner Insurance

Tuesday, October 31st, 2006

An interesting article was released yesterday in the Insurance Journal, “J.D. Power: Homeowners Want Carriers to Offer Identity Theft.”
It reports that the 2006 Homeowners Insurance Study, based on feedback from 9,045 homeowners insurance policyholders in the U.S., found that 40% want their home policy to include identity theft coverage.

(more…)

Information Security Compliance Webcast

Tuesday, October 31st, 2006

My friend and professional colleague, Kevin Beaver, is giving a webcast on Tuesday, November 14, “How to manage the ongoing information security requirements for SOX, HIPAA, GLBA and other key regulations: A single solution.” Kevin has great experience with information security planning and implementation, and has been addressing compliance issues in a wide range of industries and organizations for the past several years. If you are struggling with how to satisfy multiple, overlapping information security compliance requirements and have the opportunity to attend this event, it will provide some useful information to help you with your efforts.

Website Privacy and Security Lessons From the USPS

Monday, October 30th, 2006

Last Friday (10/27) Washington Technology published an interesting article, “USPS site is much more than just a presence on the Web,” about the privacy challenges of the United States Postal Service (USPS) website.
It is interesting and revealing to see how the concerns and threats have evolved from primarily worrying about web defacements and hackers to now needing to address information security and privacy protections throughout the entire enterprise, right out to the user endpoints (desktop computers, laptops, etc.).
How often do organizations re-evaluate the adequacy of their information security and privacy programs? If they depend completely upon their own personnel to do this, it is likely not often enough. Except in the comparatively few stellar security/privacy organizations, such evaluations take a back seat to other activities and to day-to-day security/privacy fire-fighting.
If you cannot reliably use your own personnel to periodically evaluate the adequacy of your organization’s information security and privacy efforts because they cannot realistically fit such work in with their other job responsibilities (which is all too common), then seriously consider hiring an independent third party to perform the evaluation. You should have a third party perform independent reviews occasionally anyway: they provide a level of objectivity you cannot get from your own personnel, and they can catch vulnerabilities and identify new threats that your personnel may not have the experience or up-to-date knowledge to recognize.

Study Shows Most Businesses and Virtually All Households Do Not Destroy Discarded Personal Information

Saturday, October 21st, 2006

An interesting report from 10/18, released in conjunction with National Identity Fraud Prevention Week in the UK, reveals that most businesses in the United Kingdom, and almost all citizens, throw away documents containing personal information, such as account numbers, that can be used for crime and fraud, because the documents were not irreversibly destroyed (shredded, etc.) prior to disposal.  The rate of such risky disposal practices is up over 20% from last year’s findings.

Because of these alarming findings, a website was created to educate individuals and businesses about the risks and about how to better dispose of sensitive information.  The site is interesting, with a variety of facts, statistics and recommendations.  One in particular stood out:

"It takes 467 days to discover that you are a victim of identity fraud according to Experian."

This makes the statements released just days or even a few weeks after a breach, which basically say "there is no evidence the data has been used to commit fraud," seem overwhelmingly meaningless, doesn’t it?

Government Report on Privacy Breaches in Agencies

Tuesday, October 17th, 2006

Last Friday (10/13) the U.S. Government Reform Committee released a report on the adequacy of the government’s agency security practices, “STAFF REPORT AGENCY DATA BREACHES SINCE JANUARY 1, 2003.”

The report discusses incidents within all the government agencies involving the loss or compromise of any sensitive personal information held by an agency or a contractor since January 1, 2003.

An important point made by the report is that, even though the agencies hold tremendous volumes of personal data, there is no requirement for any of them to report breaches to the public, or even to the impacted individuals.  It seems that they should also have to abide by the existing state-level breach notification laws, doesn’t it?

“Legislation authored by Committee Chairman Tom Davis and included in the House passed Veterans Identity and Credit Security Act of 2006 would change that.”

Actually, it appears that this proposed bill would apply only to the Department of Veterans Affairs.  A privacy breach notification bill, and really a more encompassing data protection bill, is needed that applies to all organizations (government, public, private, non-profit, and any others) that handle personally identifiable information (PII).

The report makes clear that the amount and type of response from the agencies regarding their incidents varied greatly, so the report cannot be considered comprehensive.  However, there are certainly some very interesting statistics and breach examples within it.  The four conclusions of the report were:

“1. Data loss is a government-wide occurrence.
All 19 Departments and agencies reported at least one loss of personally identifiable information since January 2003. This is not a problem that is restricted to the Department of Veterans Affairs or any other single agency.

2. Agencies do not always know what has been lost.
The letters received by the Committee demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, “the Department did not track the content of lost, stolen, or otherwise compromised devices.”

3. Physical security of data is essential.
Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees.

4. Contractors are responsible for many of the reported breaches.
Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors.”

The report then goes on to detail the reported privacy breaches within each of the agencies.  It is quite interesting; many of the incidents had not previously been reported.

The report concludes:

“Taken as a whole, the agency reports outline hundreds of instances of data breaches involving sensitive personal information since January 1, 2003. The reports show a wide range of incidents, involving employee carelessness, contractor misconduct, and third-party thefts. The number of individuals affected in each incident ranges from one to millions. However, in many cases, the agency does not know what information was lost or how many individuals potentially could be affected. Few of these incidents have been reported publicly, and it is unclear in many cases whether affected individuals have been notified or whether remedial action has been taken.

Data held by Federal agencies remains at risk.  In many cases, agencies do not know what information they have, who has access to the information, and what devices containing information have been lost, stolen, or misplaced. In addition, in almost all of the reported cases, Congress and the public would not have learned of each event unless the Committee had requested this information.

Finally, each year, the Committee releases information security scorecards. This year the scores for many departments remained low or dropped precipitously. The federal government overall received a D+.”

Non-Technical Privacy Breach Example & Possible HIPAA Violation: Medical Information Printed on Back of Wal-Mart Fliers

Monday, October 16th, 2006

My local news reported late last week that a woman’s personal information, including medical details, was printed on the back of a back-to-school flier that Wal-Mart made available in its Boone store.  The person who picked up the flier in the store called the woman whose details were printed on it (the printed information included her phone number) to let her know about the incident. 

The woman’s attorney indicates they are filing a lawsuit against Wal-Mart, and said "The customer was very, very upset with what she found. She told Pat [the person whose info was on the flier] that ‘You don’t know me, but I have some information that I should not have, and I obtained it at the Wal-Mart store.’"

It is not known whether this was the only flier with personal information printed on it, or whether it was on more, or all, of the fliers.  It would be interesting to know whether others got this same woman’s information on the fliers they picked up, or got medical information about other people.

Wal-Mart indicated that, as of the date of the report, it had not received a lawsuit, and said nothing else about the incident.  I have not found any other news reports about it.

This is another good example of how non-technical mistakes or oversights result in privacy breaches.  It is possible that Wal-Mart was printing the fliers on recycled paper, some of which may have come from its pharmacy area.  If so, it needs better controls to ensure that such sensitive printed data is secured while in use and shredded when disposed of.

Someone also should have looked through the fliers before putting them out for customers, as a simple QA activity.  Doing so could have caught this blunder.

It once more boils down to the human element, and the importance of having well communicated and enforced information security policies and procedures.

Another issue is whether or not this is a HIPAA violation.  The pharmacy portion of Wal-Mart would be a covered entity.  If the medical details did come from the pharmacy, and investigation shows that reasonable controls were not in place to prevent the incident, this incident would seem a good candidate for qualifying as a HIPAA violation.
