Archive for the ‘Privacy and Compliance’ Category

New Breach Prevention and Detection Study

Tuesday, August 29th, 2006

Yesterday the Ponemon Institute and PortAuthority Technologies released a new study, "National Survey on the Detection and Prevention of Data Breaches," which is an interesting read.

Representatives from 853 U.S.-based organizations responded to a web-based survey covering the following issues:

"1. How do information security practitioners respond to data breaches?
2. What technologies, practices and procedures are employed by organizations to detect and prevent data breaches?
3. What are the issues, challenges and possible impediments to effectively detecting and preventing data breaches?
4. How do organizations attempt to enforce compliance with its data protection policies?"

You can download the full report, which has much, much more information than the few stats I reference here, from the PortAuthority site.

Some findings that caught my eye…

Only 66% of the respondents use technology to detect and/or prevent data breaches.

The following were the reasons given by the organizations who indicated they do *NOT* use technologies to detect and/or prevent data breaches:

35%  Technology-based solutions are too expensive.   
16%  Existing manual procedures are more than adequate for our company’s data breach detection and prevention activities.   
16%  Our company is not vulnerable to data breaches.   
12%  The false positive rate of existing technology-based solutions is too high.   
8%  Technology-based solutions are too difficult to implement.   
6%  Our company does not have the in-house expertise to utilize these solutions.   
5%  Existing technology-based solutions are not able to detect or prevent breaches with a high level of assurance.   
2%  Detecting breaches is not a priority for our company’s senior executive team.
   

In response to the question, “In addition to technology solutions, what other manual practices and procedures does your organization rely upon to detect and prevent data leaks?” the respondents indicated:

81%  Policies, including standard operating procedures (SOPs)
71%  Close supervision and management of all data handling functions
65%  Training and communication programs
40%  Rigorous background checks for all employees who handle sensitive or confidential information
30%  Independent audits
29%  Self assessments by business or functional units

Some of these reasons are surprising, and some are quite risky for a business, particularly relying upon manual practices alone.

Manual practices are certainly necessary, and all of those listed are important, but manual procedures alone cannot detect and/or prevent all the many types of data breaches that have been occurring at increasingly alarming rates.  Technology solutions are necessary to enhance and support the manual efforts.  How will manual procedures alone prevent keyloggers from being installed through covert methods and channels?  How will manual methods alone prevent an employee from accidentally sending personal information out through email, within the message body or as an attachment?  How will manual methods alone prevent a database of customer information from being accidentally posted to a website?  The same goes for the many other types of incidents that have actually occurred…many times…and that have resulted in significant business impact and disrupted individuals’ lives through identity fraud, theft and other cybercrime.

I believe strongly that the human factor is the weakest link in information security, but I also believe strongly that technology must be used to enhance the human factor where training, policies, and the other human methods just cannot suffice on their own as dependable detection or prevention solutions.
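To make concrete what a "keyword monitor" or "content filter" of the kind the survey lists actually does with an outbound message, and why respondents complain about false positives, here is a small Python scanner. It is an added illustration, not code from the survey or from the original post, and it assumes only two data types: Social Security numbers written with hyphens and payment card numbers of 13 to 16 digits. The sample messages are constructed for the example. A pattern-only scan (the naive keyword monitor) flags anything shaped like an SSN or a card number; adding the standard SSN structural rules and the Luhn check digit drops the look-alikes while still catching the real values.

```python
"""Content inspection for personal data in outbound text.

Added illustration, not part of the survey or the post: a pattern scan for
SSN- and card-shaped values, with optional validation so that the false
positives a plain keyword monitor produces can be compared side by side.
"""
import re
from dataclasses import dataclass

# Social Security number written as AAA-GG-SSSS.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn" or "card"
    masked: str    # only the last four digits are kept for the report
    start: int     # offset of the match in the scanned text


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSN structural rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"


def pii_findings(text: str, validate: bool = True) -> list[Finding]:
    """Scan text for SSN- and card-shaped values.

    validate=False behaves like a plain keyword/pattern monitor;
    validate=True additionally applies the structural and Luhn checks.
    Findings are returned in order of appearance, with values masked.
    """
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if validate and not ssn_plausible(area, group, serial):
            continue
        found.append(Finding("ssn", "***-**-" + serial, m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if validate and not luhn_ok(digits):
            continue
        found.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:], m.start()))
    return sorted(found, key=lambda f: f.start)


# Constructed sample messages (not real data).  The first leaks a plausible
# SSN and a Luhn-valid number of the kind used in payment test suites; the
# second contains only look-alikes (bad check digit, invalid SSN area, a phone
# number); the third is clean.
SAMPLE_MESSAGES = {
    "claims_export": "Attached is the claims export. Member 123-45-6789, "
                     "card 4111 1111 1111 1111, copay outstanding.",
    "invoice": "Invoice 4111-1111-1111-1112 references order 000-12-3456; "
               "call 555-123-4567 with questions.",
    "newsletter": "Our new office address is 1600 Main Street; "
                  "the next meeting is on 2006-08-29.",
}


def scan_all(messages: dict, validate: bool) -> dict:
    """Run the scanner over every message and return findings per message."""
    return {name: pii_findings(text, validate) for name, text in messages.items()}


if __name__ == "__main__":
    for validate in (False, True):
        print("validated scan" if validate else "pattern-only scan")
        for name, findings in scan_all(SAMPLE_MESSAGES, validate).items():
            print(f"  {name}: {[(f.kind, f.masked) for f in findings]}")
```

Run as a script, the pattern-only pass flags the "invoice" message twice (a card number with a wrong check digit and an SSN with area 000) while the validated pass flags nothing in it and still reports both real values in "claims_export". The masking matters in practice: a monitor that writes the full SSN or card number into its own alert log has just created another copy of the data it was supposed to protect.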

In response to the question, “What technologies does your organization use to detect data breaches?” the participants gave the following responses:

39%  Content filtering technologies   
28%  Keyword monitors   
25%  Data leak detection and prevention   
23%  Intrusion detection systems (IDS)   
21%  Other   
15%  Packet sniffers   
9%   Digital rights management solutions
   

It surprised me that IDS was only used by 23%.  I know a growing number of organizations are using content filters and keyword scanners, but it is very surprising if they are actually used more than IDS and “Other” methods.  I wonder too about how the survey was worded.  Some of these terms are somewhat ambiguous, some subjectively redundant with some of the other terms, and depending on the respondent’s background they may not have answered in a way that most IT or Info Sec practitioners would have answered.  According to the survey 50% of the respondents had IT titles while the other 50% were from other “titles,” so this may have impacted the results.

In response to the question, “What technologies does your organization use to prevent data breaches?” the respondents answered as follows:

41%  Identity and access management systems
27%  VPN or other secure token-based networks
22%  Encryption technologies
16%  Keyword monitors
15%  Intrusion detection systems (IDS)
13%  Intrusion prevention systems (IPS)
13%  Data leak detection and prevention
11%  Content filtering technologies
10%  Other
8%   Packet sniffers
7%   Digital rights management solutions

Although the report indicated surprise at the identity and access management systems being at the top of the list, it really doesn’t surprise me that much.  Most organizations…primarily business unit leaders…still believe using passwords and network access controls is enough to prevent security incidents and breaches.  However, I hope there are actually MORE companies using identity and access management systems than just 41%.  Again, I’m not sure if this term was clearly defined within the survey or not, but if it wasn’t it is open to a very wide range of interpretations.

In response to the question, "Has anyone in your organization been fired, demoted or reprimanded as a result of leaking sensitive or confidential information outside the company?" the respondents indicated:

31%  Yes
46%  No
23%  Unsure

The way this question reads, it sounds as though close to half of the respondents indicate that individuals who DID leak information, or cause data breaches, were not reprimanded.  And if the 23% that were unsure actually should have been “No” answers, this would mean almost 70% of organizations do not apply any disciplinary action at all when they know people have broken policies or did something careless or malicious that resulted in a data breach.  This is very troubling, and also points to why depending upon manual methods of prevention and detection alone will not work; if policies are not enforced with disciplinary actions such as demotions, terminations, etc., then personnel will not be motivated to follow the policies or the other processes to protect data.  Do you think 70% of organizations really do not hold their personnel accountable and do not apply sanctions when they do things against policies?  Scary.

In response to the question, “What is the primary reason why enforcement may not be effective?” the respondents answered:

29%  Enforcement is difficult because of the large number of methods to bypass the detection system.   
28%  Enforcement is difficult because of the large number of false positives generated by detection systems and manual procedures.   
16%  Enforcement solutions are too costly to implement.   
14%  Enforcement is difficult because management does not appear to be too concerned about compliance with our policy.   
8%  Enforcement is difficult because of our inability to detect data leaks in a timely fashion.   
4%  Other
   

Interesting.  Recall that 34% did not use technology to detect or prevent a breach, so for those respondents there is no technology-based detection system to bypass or to generate false positives, which makes the top two answers hard to reconcile with the earlier results.  It would have been interesting to know what is meant by it being too costly to implement “enforcement solutions.”  I wish they had described what they meant by this.

Management concern can certainly be raised by holding managers accountable, and applying sanctions to them, when breaches happen that could have been prevented.

Detecting data breaches in a timely manner must be done using a combination of methods, starting with documenting where all of the personal information you hold is located and keeping that data inventory up-to-date.

There are many more findings and statistics within the report, but this gives you an idea of what types of issues were covered. 

How does your organization compare with the survey results?

Identity Theft and Awareness

Sunday, August 27th, 2006

Identity theft is reported often in the press.  If you haven’t read the news reports lately, just check the Privacy Rights Clearinghouse site to see all the different types of privacy breaches that occur that could ultimately lead to identity theft.

It is a great awareness-raising activity to let your personnel know the impact that identity theft can have upon them.  They can then better understand, and empathize with, the impact identity theft has on your customers, consumers and all employees.  A very good book to provide to all personnel to help them understand this impact is "Safeguard Your Identity: Protect Yourself With A Personal Privacy Audit" by Mari Frank.

Identity theft is also the theme of this year’s Global Security Week (GSW), the week of September 4.  The GSW web site contains some great ideas about activities to do within your organization to raise awareness.

Data-mining, Oversight and Privacy

Saturday, August 26th, 2006

TechWorld published an interesting and thought-provoking article about data mining today, pointing out some of the potential benefits of data mining, but also some of the problems when there is a lack of oversight.

"Data mining is a relatively new field within computer science. In the broadest sense, it combines statistical models, powerful processors, and artificial intelligence to find and retrieve valuable information that might otherwise remain buried inside vast volumes of data. Retailers use it to predict consumer buying patterns, and credit card companies use it to detect fraud. In the aftermath of September 11, the government concluded that data mining could help it prevent future terrorist attacks."

In 2004 a Government Accountability Office (GAO) report found that US federal agencies were actively engaged in or planning 199 data mining projects, with 122 of them involving personal information.  A 2005 GAO report indicated significant concerns about agencies not following oversight procedures and not implementing the recommended (possibly meant to be required) privacy and information security procedures for their data mining initiatives.

A disturbing loophole in the directive covering data mining is nicely summarized in this statement, "While the federal laws and guidance previously outlined provide a wide range of privacy protections, agencies are allowed to claim exemptions from some of these provisions if the records are used for certain purposes."  It sounds as though a large number of agencies claim such exemptions.

The GAO report included the following table of key steps agencies are required to take to protect privacy, with the GAO's examples of related procedures.

Table 1: Key Steps Agencies Are Required to Take to Protect Privacy, with Examples of Related Detailed Procedures and Sources
Source: GAO analysis of the Privacy Act, E-Government Act, FISMA, and related guidance.
Each numbered item below is a key step to protect the privacy of personal information; the bullets under it are examples of related procedures.

1.  Publish notice in the Federal Register when creating or modifying system of records
• Specify the routine uses for the system
• Identify the individual responsible for the system
• Outline procedures individuals can use to gain access to their records

2.  Provide individuals with access to their records
• Permit individuals to review records about themselves
• Permit individuals to request corrections to their records

3.  Notify individuals of the purpose and authority for the requested information when it is collected
• Notify individuals of the authority that authorized the agency to collect the information
• Notify individuals of the principal purposes for which the information is to be used

4.  Implement guidance on system security and data quality
• Perform a risk assessment to determine the information system vulnerabilities, identify threats, and develop countermeasures to those threats
• Have the system certified and accredited by management
• Ensure the accuracy, relevance, timeliness, and completeness of information

5.  Conduct a privacy impact assessment
• Describe and analyze how information is secured
• Describe and analyze intended use of information
• Have assessment reviewed by chief information officer or equivalent
• Make assessment publicly available, if practicable

All good recommendations.  I wonder, which of the government agencies read, let alone implement, GAO recommendations?  What percentage claim exemptions?  As the TechWorld report noted:

"Most data mining projects are not subjected to a rigorous business case analysis. Two current intelligence CIOs who were otherwise unable to comment for this story agreed that this is an issue that they struggle with. The US DoD’s Technology and Privacy Advisory Committee (TAPAC) developed a 10-point system of checks and balances that it recommended every agency head apply to data mining projects, but Cate says that it has never been implemented. Similarly, the US National Academy of Sciences recently appointed a committee to develop a methodology that the government can use to evaluate the efficacy of its antiterror data mining projects, but the target date for its report is still more than a year away."

I believe, based upon what I’ve heard from colleagues, clients and other info sec and privacy professionals at meetings and conferences, that the use of data mining is going to increase exponentially in the next few years.  This is widely evidenced by the NSA’s data mining of phone records, and also by the growing data mining of public socializing sites, such as is described within the January 2006 CRS U.S. government report, "Data Mining and Homeland Security: An Overview."  A couple of snippets to give you a feel for the data mining issues described within the report:

"Data mining has become one of the key features of many homeland security initiatives. Often used as a means for detecting fraud, assessing risk, and product retailing, data mining involves the use of data analysis tools to discover previously unknown, valid patterns and relationships in large data sets. In the context of homeland security, data mining can be a potential means to identify terrorist activities, such as money transfers and communications, and to identify and track individual terrorists themselves, such as through travel and immigration records."

"As with other aspects of data mining, while technological capabilities are important, there are other implementation and oversight issues that can influence the success of a project’s outcome. One issue is data quality, which refers to the accuracy and completeness of the data being analyzed. A second issue is the interoperability of the data mining software and databases being used by different agencies. A third issue is mission creep, or the use of data for purposes other than for which the data were originally collected. A fourth issue is privacy. Questions that may be considered include the degree to which government agencies should use and mix commercial data with government data, whether data sources are being used for purposes other than those for which they were originally designed, and possible application of the Privacy Act to these initiatives. It is anticipated that congressional oversight of data mining projects will grow as data mining efforts continue to evolve."

"As additional information sharing and data mining initiatives have been announced, increased attention has focused on the implications for privacy.  Concerns about privacy focus both on actual projects proposed, as well as concerns about the potential for data mining applications to be expanded beyond their original purposes (mission creep). For example, some experts suggest that anti-terrorism data mining applications might also be useful for combating other types of crime as well. So far there has been little consensus about how data mining should be carried out, with several competing points of view being debated. Some observers contend that tradeoffs may need to be made regarding privacy to ensure security. Other observers suggest that existing laws and regulations regarding privacy protections are adequate, and that these initiatives do not pose any threats to privacy. Still other observers argue that not enough is known about how data mining projects will be carried out, and that greater oversight is needed. There is also some disagreement over how privacy concerns should be addressed. Some observers suggest that technical solutions are adequate. In contrast, some privacy advocates argue in favor of creating clearer policies and exercising stronger oversight. As data mining efforts move forward, Congress may consider a variety of questions including, the degree to which government agencies should use and mix commercial data with government data, whether data sources are being used for purposes other than those for which they were originally designed, and the possible application of the Privacy Act to these initiatives."

Data mining is nothing new…it’s been used in one way or another since the advent of the "super computer."  The differentiators between 25 or so years ago and now are 1) the increasing connectivity of multiple repositories of data and multiple computers…computer grids with seemingly limitless data storage, holding what is becoming an unlimited amount of personal information; and 2) the increasing speed and capability of the technology to cull through the data in the blink of an eye to find and correlate personal data.

"With great power comes great responsibility."  I use this Spiderman quote often…I think it applies to so many challenges that information security and privacy practitioners face…technology power and related responsibility really do make our professions interesting, important and often infuriating.  Data mining is powerful and that power must be contained.  You don’t want a data mining effort to turn into an out-of-control, privacy-destroying Doc Ock monstrosity.

Data mining does not have to invade privacy when there is proper oversight, established accountability, and enforced procedures.  Without these ingredients, however, privacy gets trampled and runs amok.  There have been many incidents resulting from bad data mining results and from misuse of the data.  The discussion of these incidents is a good topic…for another time.

Does your organization have data mining initiatives going, or planned?  Be sure you are addressing information security and privacy issues…from the start of the projects and all the way through until the data mining effort is retired…if it ever is.  Remember:

1.  Your organization risks violating your own privacy policies and agreements when you link the consumer and customer data you collect to carry out different customer-facing processes, and subsequently amass them in different databases.
2.  When your organization analyzes web site data and then links the findings with data acquired from other applications or third-party data providers in order to develop lists targeting specific consumers, you are running a high risk of being in noncompliance with your own policies, contracts and applicable laws.  This is particularly true for your non-U.S. customers/consumers.
3.  Does your organization use the data within your data mining initiatives for other purposes outside the scope of your intended and communicated use?  You run a high risk of regulatory noncompliance and potential lawsuits if you do this.
4.  Incorporate information security and privacy requirements and checks throughout your entire systems and applications development life cycle.  Document them.
5.  Document and communicate information security and privacy policies, procedures and standards for data mining projects, initiatives, applications and systems.  This demonstrates due diligence in addition to complying with several data protection laws.
6.  Learn from the mistakes and recommendations of others.  Read the GAO reports covering data mining and implement the recommendations that you could apply within your organization.  This demonstrates due diligence particularly in the eyes of regulatory auditors.
7.  Conduct privacy impact assessments.  Do them while planning the data mining initiative; following implementation; and regularly thereafter.

Technorati Tags






Data-mining, Oversight and Privacy

Saturday, August 26th, 2006

TechWorld published an interesting and thought-provoking article about data mining today pointing out some of the potential benefits of data mining, but also some of the problems when there is lack of oversight. 

"Data mining is a relatively new field within computer science. In the broadest sense, it combines statistical models, powerful processors, and artificial intelligence to find and retrieve valuable information that might otherwise remain buried inside vast volumes of data. Retailers use it to predict consumer buying patterns, and credit card companies use it to detect fraud. In the aftermath of September 11, the government concluded that data mining could help it prevent future terrorist attacks."

In 2004 a Government Accountability Office (GAO) report found that US federal agencies were actively engaged in or planning 199 data mining projects, with 122 of them involving personal information.  A 2005 GAO report indicated that there were significant concerns about the lack of following oversight procedures and implementing the recommended (possibly meant to be required) privacy and information security procedures for the data minig initiatives. 

A disturbing loophole in the directive covering data mining is nicely summarized in this statement, "While the federal laws and guidance previously outlined provide a wide range of privacy protections, agencies are allowed to claim exemptions from some of these provisions if the records are used for certain purposes."  It sounds as though a large number of agencies claim such exemptions.

The GAO report included the following steps the GAO had recommended to protect privacy.

Table 1: Key Steps Agencies Are Required to Take to Protect Privacy, with Examples of Related Detailed Procedures and Sources
Source: GAO analysis of the Privacy Act, E-Government Act, FISMA, and related guidance.
Key steps to protect privacy of personal information Examples of procedures

1.  Publish notice in the Federal Register when creating or modifying system of records
• Specify the routine uses for the system
• Identify the individual responsible for the system
• Outline procedures individuals can use to gain access to their records

2.  Provide individuals with access to their records
• Permit individuals to review records about themselves
• Permit individuals to request corrections to their records

3.  Notify individuals of the purpose and authority for the requested information when it is collected
• Notify individuals of the authority that authorized the agency to collect the information
• Notify individuals of the principal purposes for which the information is to be used

4.  Implement guidance on system security and data quality
• Perform a risk assessment to determine the information system vulnerabilities, identify threats, and develop countermeasures to those threats
• Have the system certified and accredited by management
• Ensure the accuracy, relevance, timeliness, and completeness of information

5.  Conduct a privacy impact assessment
• Describe and analyze how information is secured
• Describe and analyze intended use of information
• Have assessment reviewed by chief information officer or equivalent
• Make assessment publicly available, if practicable

All good recommendations.  I wonder, which of the government agencies read, let alone implement, GAO reommendations?  What percentage claim exemptions?  As the TechWorld report noted:

"Most data mining projects are not subjected to a rigorous business case analysis. Two current intelligence CIOs who were otherwise unable to comment for this story agreed that this is an issue that they struggle with. The US DoD’s Technology and Privacy Advisory Committee (TAPAC) developed a 10-point system of checks and balances that it recommended every agency head apply to data mining projects, but Cate says that it has never been implemented. Similarly, the US National Academy of Sciences recently appointed a committee to develop a methodology that the government can use to evaluate the efficacy of its antiterror data mining projects, but the target date for its report is still more than a year away."

I believe, based upon what I’ve heard from colleagues, clients and other info sec and privacy professionals at meetings and conferences that the use of data mining is going to increase exponentially in the next few years.  As widely evidenced by the NSA’s data mining of phone records, and also by the growing data mining of public socializing sites, such as described within the January 2006 CRS U.S. government report, "Data Mining and Homeland Security: An Overview."  A couple of snippets to give you a feel for the data mining issues described within report:

"Data mining has become one of the key features of many homeland security initiatives. Often used as a means for detecting fraud, assessing risk, and product retailing, data mining involves the use of data analysis tools to discover previously unknown, valid patterns and relationships in large data sets. In the context of homeland security, data mining can be a potential means to identify terrorist activities, such as money transfers and communications, and to identify and track individual terrorists themselves, such as through travel and immigration records."

"As with other aspects of data mining, while technological capabilities are important, there are other implementation and oversight issues that can influence the success of a project’s outcome. One issue is data quality, which refers to the accuracy and completeness of the data being analyzed. A second issue is the interoperability of the data mining software and databases being used by different agencies. A third issue is mission creep, or the use of data for purposes other than for which the data were originally collected. A fourth issue is privacy. Questions that may be considered include the degree to which government agencies should use and mix commercial data with government data, whether data sources are being used for purposes other than those for which they were originally designed, and possible application of the Privacy Act to these initiatives. It is anticipated that congressional oversight of data mining projects will grow as data mining efforts continue to evolve."

"As additional information sharing and data mining initiatives have been announced, increased attention has focused on the implications for privacy.  Concerns about privacy focus both on actual projects proposed, as well as concerns about the potential for data mining applications to be expanded beyond their original purposes (mission creep). For example, some experts suggest that anti-terrorism data mining applications might also be useful for combating other types of crime as well. So far there has been little consensus about how data mining should be carried out, with several competing points of view being debated. Some observers contend that tradeoffs may need to be made regarding privacy to ensure security. Other observers suggest that existing laws and regulations regarding privacy protections are adequate, and that these initiatives do not pose any threats to privacy. Still other observers argue that not enough is known about how data mining projects will be carried out, and that greater oversight is needed. There is also some disagreement over how privacy concerns should be addressed. Some observers suggest that technical solutions are adequate. In contrast, some privacy advocates argue in favor of creating clearer policies and exercising stronger oversight. As data mining efforts move forward, Congress may consider a variety of questions including, the degree to which government agencies should use and mix commercial data with government data, whether data sources are being used for purposes other than those for which they were originally designed, and the possible application of the Privacy Act to these initiatives."

Data mining is nothing new…it’s been used in one way or another since the advent of the "super computer."  The differentiators from around 25+ years ago to now are the 1) increasing connectivity of multiple repositories of data and multiple computers…computer grids with seemingly unlimitless data storage and containing what is moving to be unlimited amounts of personal information; and 2) the increasing speed and capabilities of the technology to cull through the data in a blink of an eye to find and correlate personal data.

"With great power comes great responsibility."  I use this Spiderman quote often…I think it applies to so many challenges that information security and privacy practitioners face…technology power and related responsibility really do make our professions interesting, important and often infuriating.  Data mining is powerful and that power must be contained.  You don’t want a data mining effort to turn into an out-of-control privacy destroying Doc Oc monstrosity.

Data mining does not have to invade privacy with proper oversight, established accountability, and enforced procedures.  Without these ingredients, however, privacy gets trampled and runs amuck.  There have been any incidents resulting from data mining results that were bad, and misuse of the data.  The discussion of these incidents is a good topic…for another time.

Does your organization have data mining initiatives going, or planned?  Be sure you are addressing information security and privacy issues…from the start of the projects and all the way through until the data mining effort is retired…if it ever is.  Remember:

1.  Your organization risks violating your own privacy policies and agreements when you link the consumer and customer data you collect to carry out different customer-facing processes, and subsequently amass them in different databases.
2.  When your organization analyzes web site data and then links the findings with data acquired from other applications or third-party data providers in order to develop lists targeting specific consumers, you are running a high risk of being in noncompliance with your own policies, contracts and applicable laws.  This is particularly true for your non-U.S. customers/consumers.
3.  Does your organization use the data within your data mining initiatives for other purposes outside the scope of your intended and communicated use?  You run a high risk of regulatory noncompliance and potential lawsuits if you do this.
4.  Incorporate information security and privacy requirements and checks throughout your entire systems and applications development life cycle.  Document them.
5.  Document and communicate information security and privacy policies, procedures and standards for data mining projects, initiatives, applications and systems.  This demonstrates due diligence in addition to complying with several data protection laws.
6.  Learn from the mistakes and recommendations of others.  Read the GAO reports covering data mining and implement the recommendations that you could apply within your organization.  This demonstrates due diligence particularly in the eyes of regulatory auditors.
7.  Conduct privacy impact assessments.  Do them while planning the data mining initiative; following implementation; and regularly thereafter.


Insider Threat & HIPAA: Computers Containing “Thousands” of Patient Files Stolen

Thursday, August 24th, 2006

10 computers containing personal information on thousands of patients were stolen from a Hospital Corporation of America (HCA) regional office, and now the FBI is investigating.  The report did not say when the theft occurred, though.

"The computers were stolen from a secure building, and the thieves slipped by video surveillance. HCA is one of the nation’s leading providers of health care services. The company’s 200 plus hospitals and surgical centers serve thousands of patients in the US and around the world. The company is warning patients, and the FBI is now involved.

"For now investigators aren’t saying which regional office was targeted by thieves, but the stolen computers contain sensitive information — including social security numbers and thousands of files on Medicare and Medicaid patients treated at HCA hospitals."

The theft affects patients on Medicare or Medicaid who have failed to pay their co-pay or deductible, and those who were seen in an HCA hospital in Colorado, Kansas, Louisiana, Mississippi, Oklahoma, Oregon, Texas or Washington between 1996 and 2006. HCA did not believe any of the files stolen belonged to patients in Tennessee.

The theft has sent shockwaves through the system of the Nashville-based company raising concerns about security. Now a special call center has been set up to answer questions for concerned patients. Investigators thought the thieves stole the computer hardware to sell, and had no interest in using the information for identity theft.

So far there have been no leads on the thieves, and no arrests. The original location of the computers has not been disclosed, and will not be while the FBI investigates. The thieves got past some elaborate security, including a keypad lock and a password for access, making it possible that it was an inside job. With this in mind, HCA has taken steps to further beef up security."

A few thoughts about this incident…

  • Even though patient information was stolen from a healthcare provider (a HIPAA-defined "covered entity"), it is unlikely there will be any HIPAA violations declared.  They had what sounds like reasonable physical security in place.
  • From the report it certainly does sound very likely it was an inside job…considering video surveillance was bypassed, along with the keypad lock and password.  Organizations must always remember that some "trusted" insiders will turn out to be threats and possibly commit crime through their authorized capabilities.
  • It is good the hospital contacted all the patients involved, in addition to setting up a special call center to answer questions.
  • It is odd/interesting that the investigators, without (supposedly) knowing who the thieves were, would say they "had no interest in using the information for identity theft."  How could such a thing be known?  They must have much more information about this incident/theft than was reported.  No one can know the intent of an unknown person or persons.


Security Needed During Applications Development: Social Security Numbers Part Of Addresses on 7,601 Envelopes

Wednesday, August 23rd, 2006

7,601 people from Columbus Ohio had their social security numbers visible as part of the address on mailings they received from the city’s income tax department.

"More than 7,500 people received letters from the city’s income tax division with their Social Security numbers visible through the envelope window, a problem blamed on a computer glitch. No recipients have reported problems with identity theft, and the numbers will not be visible from the outside on future mailings, city tax administrator Melinda Frank said. Social Security numbers serve as city taxpayers’ account numbers and are included in mailings for identification."

Gee, good to know they will not continue to mail letters with visible SSNs!

Why wasn’t this noticed before the mailings left the government office?  They should have had QA procedures for this.

This is also a good example for the need to incorporate information security and privacy requirements and checks into the applications development process.  The inappropriate placement of the SSNs on the printouts that were subsequently stuffed into the envelopes should have been something checked during the application testing and quality assurance.  Blaming a "computer glitch" certainly is a weak effort to offload responsibility onto technology as though it was beyond their control.  Humans program computers, and humans are ultimately responsible for the applications flubs that result…not some mysterious and uncontrollable computer troll.

"The 7,601 mailings were sent Aug. 4 to alert people who had filed tax estimates for this year that they could pay their balances online. Followed by one or two additional characters, it wasn’t obvious that the nine-digit numbers were Social Security numbers, Frank said. "To their next door neighbor who doesn’t know what their Social Security number is, it’s a line of numbers with an alpha letter after it," she said."

Making what comes across as a flippant remark is not a good way to respond to an incident.  Most people in the U.S. *could* identify a SSN followed by "one or two additional characters" as being an SSN…especially on an envelope with a return address from the city income tax division. 

Make sure when you create your own incident response plans that your communications to the press and directly to the victims are not flippant, dismissive or condescending to the victims and readers.  This spokesperson comes across as basically saying that most people are too dumb to know a SSN when they see it.  This fans the flames of anger for those impacted by the incident.  Your communications should instead be compassionate, apologetic, truthful and show concern.

"The tax division received three complaints by phone and two by e-mail. "Yes, the nine digits are followed by a letter, but it’s not that hard to look at it and figure out that it might be a Social Security number," one taxpayer wrote. "You would think that in this day of ID theft, the last thing a taxing authority would want to do is expose all their taxpayers to identity theft and open the city up to being sued.""

The numbers of concerned victims who come forward voicing their concerns will continue to grow.  Don’t underestimate the impact their concern and anger over an incident could have on your organization.  This quote summed it up nicely…"the last thing a taxing authority would want to do is expose all their taxpayers to identity theft and open the city up to being sued."  No organization wants to be sued for something that could have easily been prevented with good information security and privacy practices built into their SDLC process, and with basic QA procedures.
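As an added illustration of the QA check argued for above (example code, not the Columbus tax division's own): a pre-mailing gate that scans the lines visible through the envelope window for SSN-like account numbers, with the flawed layout beside a corrected one. The record layout, the window size and the sample taxpayer record are constructed assumptions.

```python
"""Pre-mailing QA gate: hold back any printout whose envelope-window area exposes an SSN.

Added example, not the Columbus tax division's code. Assumptions (constructed):
the account number is the taxpayer's SSN plus a one- or two-letter suffix, and
the first WINDOW_LINES lines of the printout are what shows through the window.
"""
import re
from dataclasses import dataclass

# An SSN either formatted 123-45-6789 or as nine bare digits, optionally followed
# by the one- or two-letter suffix the tax division appended. Requiring all-or-no
# dashes keeps ZIP+4 codes (43215-1234) from matching, and the alphanumeric
# boundaries keep ten-digit phone numbers from matching.
SSN_LIKE = re.compile(
    r"(?<![0-9A-Za-z])(?:\d{3}-\d{2}-\d{4}|\d{9})[A-Za-z]{0,2}(?![0-9A-Za-z])"
)

WINDOW_LINES = 4  # assumption: lines of the printout visible through the window


@dataclass
class Mailing:
    taxpayer_name: str
    account_number: str   # SSN + suffix, the layout described in the article
    street: str
    city_state_zip: str
    body: str


def render_exposing(m: Mailing) -> str:
    """The flawed layout: account number printed inside the address block."""
    return "\n".join([m.taxpayer_name, m.account_number, m.street,
                      m.city_state_zip, "", m.body])


def render_safe(m: Mailing) -> str:
    """Corrected layout: only name and postal address in the window; the account
    number is masked to its last four digits and printed below the window."""
    digits = re.sub(r"\D", "", m.account_number)
    masked = "***-**-" + digits[5:9]
    return "\n".join([m.taxpayer_name, m.street, m.city_state_zip, "",
                      f"Account: {masked}", m.body])


def window_exposures(printout: str, window_lines: int = WINDOW_LINES) -> list:
    """Return SSN-like tokens found in the part of the printout visible through the window."""
    visible = "\n".join(printout.splitlines()[:window_lines])
    return [hit.group(0) for hit in SSN_LIKE.finditer(visible)]


def qa_gate(printouts) -> list:
    """Indices of printouts that must be held back because the window exposes an SSN."""
    return [i for i, p in enumerate(printouts) if window_exposures(p)]


if __name__ == "__main__":
    sample = Mailing("Jane Q. Taxpayer", "123456789A", "100 Main St",
                     "Columbus, OH 43215-1234", "You may now pay your balance online.")
    print(qa_gate([render_exposing(sample), render_safe(sample)]))  # [0]
```

The gate is deliberately conservative: a nine-digit account number that is not an SSN is still held for human review, which is the cheaper error in a mailing run.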

This is another good example to put within your awareness files.


AOL CTO & 2 Other Employees Resigned…Or Fired?…for Privacy Breach of ~658,000 Users

Monday, August 21st, 2006

According to a widely published news story, AOL today announced in an inter-office memo that their CTO, Maureen Govern, was fired and immediately replaced by an interim CTO, John McKinley.  A CNN report, however, indicates she resigned.

Govern was in charge of the area that released search data for the 658,000 users during March through May earlier this year.  According to the initial reports about the release of the search data, AOL had indicated it had been released for "research purposes" to a publicly available site, but that it was "mistakenly" released, and the decision to do so was "not appropriately vetted."

"A researcher in AOL’s technology research department and the employee’s supervisor have also left the company in the wake of the disclosure, a source familiar with the matter said on Monday." 

"In response to a torrent of criticism across the Internet, AOL also said it plans to create a task force to review its customer information privacy policy."

The AOL privacy policy is pretty much standard fare…including the statement, "Your AOL Network information will not be shared with third parties unless it is necessary to fulfill a transaction you have requested, in other circumstances in which you have consented to the sharing of your AOL Network information, or except as described in this Privacy Policy." 

It will be interesting to see how they update their policy as a result.

Since the AOL spokesperson, Andrew Weinstein, indicated this was "a screw up, and we’re angry and upset about it," in a BNA news release, and also indicated "AOL is undertaking an internal investigation into the matter to ensure that it does not happen again," these personnel eliminations are likely part of the actions they are taking to mitigate any potential fines and penalties and try to demonstrate due diligence in addressing the incident. 

So, the personnel eliminations could have been sacrificial lambs, or perhaps they really did perform their job responsibilities in ways that were either completely negligent in consideration of potential consequences, or maybe purposefully malicious in intent.  It will be interesting to see if any statements will be made by Govern…highly unlikely considering she and the other dismissed employees probably signed NDAs.

This AOL incident is a good example of the need for thoughtful and well communicated and enforced privacy policies and procedures.  Put it in your awareness and training file to use so your organization doesn’t make a similar mistake.

  • Know your privacy policy and implement procedures to support it.
  • Communicate often and clearly about what is considered as personally identifiable information (PII) along with the other types of sensitive information (e.g., search data) that, when coupled with PII can create a huge invasion of privacy and violate your own privacy policies.
  • Communicate how to protect PII and sensitive data often and effectively.
  • Make business leaders accountable for their decisions and enforce sanctions when they "screw up."
  • Very, very basically, don’t use the Internet as your company’s open research data repository!  Just because a research URL may not be easy to guess, it usually is very easy to find.


Another Laptop Stolen With Personal Patient Information: HIPAA & Breach Notification

Sunday, August 20th, 2006

Yet another…and another…in the ongoing saga of stolen laptop computers was recently reported.

Last Thursday South Florida’s Herald Tribune reported that healthcare provider PSA HealthCare had a laptop containing cleartext information about 51,000 patients stolen from an employee’s car on July 15.

"The computer contained personal information on current and former patients, including their names, addresses, Social Security numbers and medical case information.  It did not include banking information or credit card numbers, and the computer was password-protected, the company said.  The company quietly announced the data theft in an Aug. 4 press release titled "PSA HealthCare Announces Data Security Update."  The company notified patients and their families four days later, in a letter dated Aug. 8, more than three weeks after the computer was stolen.  "That’s what was so staggering to me," said Bradenton resident Virginia Robertson, who received the letter last week. Her mother is a PSA HealthCare client.  "It took them this long to get the information to the people that were affected by it. It would have given someone time to do some damage.""

The article goes on to indicate PSA Healthcare "is improving its data security policies."  They are a HIPAA covered entity; they should have identified weaknesses within their policies as part of their compliance activities.  It is really too bad the Department of Health and Human Services does not seek to enforce this *law*…this really seems like a good candidate for HIPAA noncompliance actions.

It is also worth noting that the PSA Healthcare site does not make a HIPAA-mandated Notice of Privacy Practices statement available on their site…if they do, it certainly was hiding from me when I looked there.  Another potential HIPAA infraction if the HHS should have the notion to pursue it.

"Kohl said PSA HealthCare had policies preventing employees from taking data out of its offices. "That has been dealt with from a disciplinary standpoint," he said, declining to elaborate.  That didn’t satisfy Robertson.  "If they say they had a company policy against it, why in the world would the company allow someone to download personal information into a laptop in the first place?" she said."

Exactly!  Not only do courts and regulatory oversight agencies look at enforcement of policies and the associated sanctions leveled, but customers/patients/consumers also want to know that policies aren’t just empty words…meaningless promises.  Non-enforcement of policies can have a major negative impact on an organization.  Business leaders need to understand that policies are basically another form of legally binding contract.  To date, web site privacy policies have been the ones most aggressively monitored for compliance, most noticeably by the FTC.  However, as more incidents occur, the net of noncompliance penalties and fines will expand to include consideration of whether or not companies are following and enforcing their own policies.

This incident came soon after a Department of Transportation laptop was stolen from a Miami-Dade Florida employee’s car; that laptop contained 133,000 driver’s license and pilot license records, was NOT encrypted, but was "password protected."  There is still no news about whether that computer was ever recovered; but even when it is, there is no way to tell whether or not the files have been copied and distributed, sold, or otherwise misused, until the involved individuals become victims of subsequent crimes.

These types of stolen and lost laptops reports have many similarities and almost always indicate that 1) the data was not encrypted, 2) there was a policy against such activity that led to the incident, and 3) that the information security practices were being improved as a result.

Before an incident happens, use encryption to protect sensitive data that is in the hands, and under the control, of end-users.  Moving data is vulnerable data; encrypt it on laptops and other mobile computers, when it is used by remote users, and when it is traveling through at risk networks, such as the Internet.

Review information security programs to find gaps with compliance for the policies you have, and in addressing important topics within your policies.  HIPAA and GLBA require you to do this if you are a covered entity under these regulations.

Don’t settle for a mediocre information security program; make sure yours is effective and adequately addresses your business risks, reducing them to an acceptable level.  Most incidents expose information security programs that are not up to par.


HIPAA and Insider Threat Example: Healthcare Worker Continues to Access Employee and Patient Data After Quitting

Saturday, August 19th, 2006

Recently the Bellingham Herald reported a former employee of Madrona Medical Group "was charged with illegally downloading patient files onto his personal laptop computer.  Madrona officials don’t believe the files were copied or used for identity theft, but they sent letters this week to more than 6,000 patients anyway, asking them to take steps to make sure no one uses the information illegally.  The records include patients’ names, addresses, Social Security numbers and dates of birth."

The medical provider notified the 6,000 patients with letters and established a phone number those concerned could call with questions.

"Former Madrona Medical Group employee Timothy R. Kiel was arrested June 8 and faces trial Sept. 19 on first- and second-degree computer trespass charges. Whatcom County prosecutors say Kiel downloaded onto his personal computer patient records, proprietary software, licensing keys and other data Dec. 17, 2005.  Kiel resigned from the company Dec. 20, prosecutors say, but continued to use his laptop to connect to Madrona’s servers more than 50 times between Dec. 26, 2005, and Jan. 15, 2006.  For example, prosecutors say, Kiel on Jan. 13 used a stolen vendor account, his laptop and a high-speed Internet connection at his Lynden home to connect to Madrona’s computer system. He deleted backup files, e-mail files belonging to Madrona’s human resources director, and server log files to cover his tracks, prosecutors allege."

The amount of time elapsed from when the former employee started accessing the personal files illegally to when the patients were notified…close to 8 months…is incredibly long, especially considering he accessed the provider’s computer systems "more than 50 times".  The number of times personal information could have been copied, distributed, misused, or otherwise used with malicious intent could be incredibly large.

"Though the security breach was discovered in December, Madrona officials didn’t know exactly which files had been compromised until they could review the police report that arrived in mid-July, said Madrona spokesman Mark Johnson.  Madrona officials are now more closely monitoring the few employees who have access to so many records, like Kiel did, Johnson said.  The practice already has "very sophisticated" computer security systems, Laine said.  "What we cannot secure ourselves against, unfortunately, are other people’s actions," he said. "Illegal actions, in particular.""

So, it appears that law enforcement took all those months to create a police report?  Why do police reports for compromised personal information always seem to take an inordinately long time?  What activities are actually going on?  All the while, the personal information could be used for many different fraudulent activities, while the victims have had no notification or awareness at all that their personal information was compromised and that fraud could be occurring.  Doesn’t it seem time for law enforcement to establish reasonable guidelines allowing individuals to be notified much more quickly?  Does there need to be a clause in a federal breach notification law covering this?  There should not need to be a law to do what is right to protect victims as quickly as possible, but unfortunately, without such laws, victims can be left exposed for lengthening periods of time, often because of flimsy investigation-related reasons for delaying notification.

Donnie Werner wrote about this last week; here are the interesting follow-up questions he posed to the Madrona Medical Group and their replies:

"1. What is the patient data loss probability?
Apparently Mr Kiel neither intended to use nor did he utilize the patient data, and the 6000 or so records appear to be ancillary files stemming from the main attack(s), according to forensics data.

2. What was the position held by Mr Kiel?
A manager in the company IT department with intimate knowledge of the internal network structure. In a statement to patients, Madrona had the following to say:

"We would like to emphasize that this employee had high security clearance while employed at Madrona Medical Group, due to the nature of the position within our organization.  This level of access is rare and limited to very few members of the staff here at Madrona Medical Group."

3. Were background checks and clearances run when Mr Kiel was hired?
Full standard background and security checks as required by a person with a sensitive position within the company.

4. Were there any warning signs of a possible "bad seed" at the company?
None that anyone noticed; he was considered a good employee and had great performance reviews.

5. What was the motive behind the attack?
Evidently there were some issues with either the HR department or one of its staff members. While the exact specifics are not totally clear, Mr Johnson stated: "this individual wanted to capture HR records from a fellow HR employee (for what exactly, who knows) and inadvertently captured certain patient records in the process. The HR info contained various types of data about a variety of subjects. It doesn’t appear, from our own data analysis or from the police data report, that this person did anything with the data other than view it for their own information"."

As the article points out, this is a very clear example of an insider threat that materialized into a data incident. 

Some questions that come to mind related to this incident:

  • Why weren’t procedures in place to completely remove remote access when an employee leaves the organization?  Even if the employee had "high security clearance" the procedures should ensure continued access can no longer occur immediately upon termination or, particularly in the case of a high security clearance upon notice of imminent termination.  In fact, such procedures are even more important for high security clearance employees.
  • What were the provider’s policies for employees using their personal computers for business purposes?  There are apparently ways in which they need to improve these practices.
  • Does the lack of such procedures, or the absence of good procedures, substantiate a HIPAA violation?  It seems it very well could.  It is true that authorized, trusted insiders will sometimes do illegal things by taking advantage of their access, and this is very hard to prevent.  However, effective procedures for terminating employees and removing all authorized access may have prevented such an incident.  This weakness in policies and procedures would be identified within a good risk analysis, such as is required by HIPAA, and the implementation of policies, procedures and technologies (as necessary) could possibly have prevented the incident.  Wouldn’t this seem to point to a lack of HIPAA compliance diligence on the part of the covered entity?  It will be interesting to see whether any Washington State government agencies or groups pursue an investigation into this, or (better yet) whether the Department of Health and Human Services (HHS) investigates.
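The first question above, about access that should have ended at termination, is the kind of gap a routine reconciliation would surface. As an added example (not Madrona's code), the check below compares an HR termination feed against remote-access logs and also flags a shared vendor account used from outside the vendor's documented networks; the feed, the vendor register, the log format and the log lines are all constructed assumptions.

```python
"""Reconcile an HR termination feed against remote-access logs to catch accounts
that were never disabled and shared vendor accounts used from unexpected sources.

Added example, not Madrona's code. The HR feed, vendor register and log lines
below are constructed; the log line format is an assumption.
"""
import re
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Constructed HR feed: username -> last working day (access must end that day).
TERMINATIONS = {"tkiel": date(2005, 12, 20)}

# Constructed vendor account register: shared account -> networks it may connect from.
VENDOR_ACCOUNTS = {"svc-ehrvendor": [ip_network("198.51.100.0/24")]}

# Constructed remote-access log (one session per line).
LOG = """\
2005-12-19T17:02:11 user=tkiel src=10.0.0.45 result=success
2005-12-26T22:41:05 user=tkiel src=203.0.113.17 result=success
2006-01-13T23:10:52 user=svc-ehrvendor src=203.0.113.17 result=success
2006-01-14T09:00:03 user=svc-ehrvendor src=198.51.100.8 result=success
2006-01-15T08:30:00 user=jdoe src=10.0.0.50 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not allowed to abort the review."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "src": ip_address(m["src"]), "result": m["result"]})
    return events


def post_termination_sessions(events, terminations) -> list:
    """Successful sessions by a user after their last working day: the account was not disabled."""
    return [(e["ts"].isoformat(), e["user"], "session after last working day")
            for e in events
            if e["result"] == "success" and e["user"] in terminations
            and e["ts"].date() > terminations[e["user"]]]


def vendor_account_anomalies(events, vendor_accounts) -> list:
    """Shared vendor accounts used successfully from outside the vendor's documented networks."""
    out = []
    for e in events:
        nets = vendor_accounts.get(e["user"])
        if nets is not None and e["result"] == "success" and not any(e["src"] in n for n in nets):
            out.append((e["ts"].isoformat(), e["user"], f"vendor account used from {e['src']}"))
    return out


def review(log_text: str, terminations=TERMINATIONS, vendor_accounts=VENDOR_ACCOUNTS) -> list:
    """Run both checks over a log and return the combined findings, oldest first."""
    events = parse(log_text)
    findings = post_termination_sessions(events, terminations)
    findings += vendor_account_anomalies(events, vendor_accounts)
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(LOG):
        print(*finding)
```

This catches only use after the last day and use of a shared account from an unexpected source; a download made while still employed goes through authorized access and needs other controls, such as the closer monitoring of broadly privileged staff that Madrona says it has since adopted.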


Keeping Track of TSA Rules

Tuesday, August 15th, 2006

For those of you that travel occasionally…or often…I’m sure you are wondering about the ever-changing restrictions for the airlines.  I know I worry about one day hearing the requirement for all electronics to be put into checked baggage; my computer is my livelihood and even if I do take all the precautions I described in my recent blog, I still do not want to have to check my computer or cell phone if at all possible.

A friend and colleague of mine (thanks Larry!) told me about the U.S. Transportation Security Administration (TSA) site that provides answers to questions about travel restrictions.  A nice feature is that you can sign up to get notice of updates to the site.
