Rep. Mary Bono Mack (R-Calif.) has introduced legislation to protect American consumers from data theft. The legislation is in response to concerns over recent cyber attacks and data breaches.

The Secure and Fortify Electronic Data Act (HR 2577) will require reasonable security policies and procedures to protect personal information, as wells nationwide notice in the event of a security breach.

The announcement of the SAFE Data Act comes on the heels of data breaches at Sony, Epsilon and Citigroup.

“In recent years, sophisticated and carefully orchestrated cyber attacks, designed to obtain personal information about consumers, have become one of the fastest growing criminal enterprises here in the United States and across the world. Today, Americans need new safeguards to prevent identity theft, and the SAFE Data Act will help accomplish this goal,” said Bono Mack. “My legislation is crafted around a guiding principle: Consumers should be promptly informed when their personal information has been jeopardized. The time has come for Congress to take decisive action. We need a uniform national standard for data security and data breach notification, and we need it now.”

The act will not, however, do anything to prevent or deter online crime. A key feature of the act, however, requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and the scope of the breach has been assessed. If passed, the act would allow the FTC the authority to levy civil penalties if entities fail to respond in a timely and responsible manner.

Click Here To Bookmark It

Hide Sites

The news of data breaches causes ripples of panic among consumers – and the threat of a possible data breach has business owners sitting up and taking notice as well. At any given moment, an employee may be accessing confidential information, either by accident or dishonestly. This presents a unique challenge for businesses today.

Fortunately, through some simple management procedures, your human resources department can help prevent leaks from happening. These procedures will help protect employee and customer information from being exposed to unauthorized parties.

First of all, be aware of where critical employee and customer information is located and who has access to this data. Develop acceptable use policies for all employees that clearly outlines appropriate use of this information. You should include procedures as to what will take place should a violation occur. Be sure to consistently enforce these policies and procedures.

You should regularly review and revise these policies to make sure all changes and additions have been addressed, and that the procedures stay current with changing laws.

Make sure your company has an internal incident plan, and the appropriate resources in house to handle any incidents of employee or customer data loss or unauthorized access by an employee or outsider.

The worst thing your company can do is to compromise any investigation of a breach. Don’t turn on an suspect employee’s computer to “look around.” This may destroy potential evidence.

Don’t make the mistake of assuming your IT department will figure things out. Your IT guys are not forensic specialists. A professionally trained computer forensics expert should be retained for this purpose.

Be sure to report the breach as soon as possible, to both the public and, most importantly, those who may be potentially affected. Not doing so puts your customers at risk, and can potentially be suicide for your business. Be proactive and transparent.

Click Here To Bookmark It

Hide Sites

Spear phishing is now apparently the concern for Sony Online Entertainment users, following a data breach that has affected some 77 million users.

Users of games like EverQuest, which is found on the network, could face the exposure of their credit card numbers, despite the fact that Sony said its credit card data is encrypted.

The New York Times has reported that researchers have already spotted credit card numbers associated with the breach listed for sale on the Black Market.

Phishing is a common identity theft scam, which involves criminals sending out e-mails or letters, or even telephoning a potential victim, claiming to be a legitimate source, seeking personal information. It is common for these scammers to claim that “verification” of the victim’s personal information is needed, in the hopes that the victim will just hand over things like credit card or Social Security card numbers.

If you receive such a request, according to Sony, ignore it. Sony officials said the company never sends out e-mails or letters requesting such information, nor does it call customers.

The incident is being investigated by the FBI. Should you be affected by this breach, check your bank and credit card statements carefully, and review your credit report, looking for unauthorized charges.

Be sure you also change your passwords, and if you do receive an e-mail that appears to be from Sony, don’t click on any links it may contain. The links could contain malware, which criminals can use to steal your private information.

Click Here To Bookmark It

Hide Sites

Since the data breach by ChoicePoint six years ago, regulators, businesses and consumers have increased their awareness and reaction to organizations that mishandle sensitive consumer data.

In early 2005, California was the only state that had a breach notification law. ChoicePoint allowed information on approximately 150,000 consumers to be accessed fraudulently. When ChoicePoint only notified California victims of the breach, a precursor to identity theft, both victims and regulators reacted.

Since 2005, 46 states and three territories have enacted data breach laws. Only Alabama, Kentucky, New Mexico and South Dakota are left. Each state law is different, making compliance difficult for any organization that has security a security breach in which the victims reside in multiple states.

Since the CheckPoint incident, over a half-billion profiles have been compromised in 2,500 reported incidents. Some Americans have been victimized by security breaches multiple times, for example, by their schools, local, state or federal government, a retailer, financial institution or their favorite charity. Some organizations have suffered numerous breaches.

Of the 2,500 reported breaches, one third of the reporting organizations could not quantify how much information was accessed, lost, stolen or improperly disposed.

The most frightening statistics are a bit more general. Most organizations haven’t inventoried the consumer information they possess, and they don’t have a method in place to detect a breach. Others report that their employees don’t report breaches because they fear retribution by consumers and regulators.

It pays for consumers to take action to protect themselves with a service such as LifeLock.

LifeLock is the only proactive identity protection service on the market today. As a LifeLock customer, you will be notified the moment any threat to your personal information, whether credit related or not, is detected. This, in effect, stops identity theft in its tracks, and makes any information a thief could acquire during a data breach useless.

Call LifeLock today. Receive 30 days free and get a 10 percent discount on enrollment with the LifeLock Promo Code “Defense.”

Click Here To Bookmark It

Hide Sites

Nearly 24,000 Broward College summer school students are at risk for identity theft after a data breach at the Florida college leaked the students’ personal information during a computer upgrade.

The leak was not announced until recently, and college officials say the information was on the Web, unprotected, for five days in late May and early June.

The College Center for Library Automation, which provides library services and electronic resources to Florida’s community colleges, apologized Aug. 10 for the breach, which also affected five other schools.

The affected parties will receive a letter from the center, which will contain instructions on what to do to protect their credit and minimize the risk for identity theft.

Statewide, about 126,000 community college students, faculty and staff were affected by the breach. There is no evidence to date that the information has ben used by criminals.
According to identity theft statistics, about 11.1 million Americans – one out of every 20 adults – became victims of identity theft last year, with the cost to victims estimated at $54 billion.

To take a proactive stance to protect your personal information and your good credit, contact LifeLock today. With LifeLock Identity Alert™, you can rest assured that LifeLock will monitor for credit and non-credit related identity threats. You’ll be notified immediately via e-mail, postal mail or telephone of any potential compromises.

And should you fall victim to identity theft while under LifeLock’s watchful eye, LifeLock will spend up to $1 million to make it right. In addition, LifeLock’s member representatives are available 24 hours a day, seven days a week to assist you and answer all your questions.

Receive 30 days free and get a 10 percent discount on enrollment with the LifeLock Promo Code “Defense.”

Click Here To Bookmark It

Hide Sites

Data breaches reported from 12 medical facilities last month

A dozen medical data breaches were added to the Privacy Rights Clearinghouse list last month – and that doesn’t even include Affinity Health Plan’s leaving personal information of more than 400,000 people on their digital copier when the lease was up.

• Our Lady of Peace (Louisville, KY)
  Someone lost or stole a flash drive containing personal information of nearly 25,000 of the psychiatric hospital’s patients. Some of the records are from as far back as 2002.
• St. Jude Heritage Medical Group (Orange, CA)
  Five computers storing the information of 20,000 patients were stolen during a break-in. In this case, the info included names, birth dates and Social Security numbers; some patients’ health information was also on the computers.
• The Medical Center (Bowling Green, KY)
  Someone stole a hard drive that contained the info of women who had bone density testing at the mammography suite between 1997 and 2009.
• Hutcheson Medical Center and a plastic surgery center (Chattanooga, TN)
  Thousands of patient files dating back to 1998 were sent to the Dupont Recyling Center. Information within the files included personally identifying info. Patients who underwent plastic surgery will be mortified to know their photos were also up for grabs. (This data breach actually occurred May 2009, but just made the list April 2010.)
• DRC Physical Therapy Plus (Monticello, NY)
  Thousands of patients’ records were unceremoniously dumped when the business folded. Police impounded a dump truck loaded with boxes of files and removed another 12 boxes of patient records from the bucket of a front-end loader.
• Massachusetts Eye and Ear Infirmary (Boston)
  When thieves snatched a doctor’s laptop, they also got 3,526 patients’ names, addresses, phone numbers, emails, Social Security numbers, birth dates, medical records, prescription records and –in four cases – prescription insurance account numbers.
• Brooke Army Medical Center (San Antonio, TX)
  The three-ring binder stolen from a case manager’s car contained medical and personally identifying information of 1,272 soldiers and their families.
• St. Peter’s Hospital (Albany, NY)
  A medical records clerk is accused of stealing an unknown number of patients’ information and using it to open credit card accounts.
• ManorCare Health Services (Wheaton, MD)
  Which is worse: When a neighbor’s dog craps in your yard, or when patient files from the nursing home next door repeatedly blow into your yard over a period of months? The records include extensive personal and medical information.
• St. Francis Hospital (Tulsa, OK)
  A grand jury indicted a hospital employee for using the personal information of at least 60 patients to open fraudulent credit card accounts.
• Providence Hospital (Southfield, MI)
  The hospital is missing a hard drive chock-full of patient information. Hospital officials say only 12 of the records include Social Security numbers, but won’t say how many patient records are on the hard drive.
• John Muir Physician Network (Walnut Creek, CA)
  Roughly, 5,500 perinatal patients will get the news that their information was on one of two recently stolen laptops.

Using a one to 10 scale, how’s your pain now? Would you like something for your pain?

Use the LifeLock promo code DEFENSE and save 10% off the cost of LifeLock’s identity theft protection services.

Click Here To Bookmark It

Hide Sites

Data breach at Countrywide Financial leads to class action lawsuit

When it was discovered that Rene Rebollo came into the office every Sunday for two years and stole a total of roughly two million files, Countrywide’s management said they were unaware he was downloading customer information to sell it; they just though Rene Rebollo, 36, was an especially hard working employee. Now, a class action lawsuit asks whether Rebollo was working on his own, or whether he was just the fall guy tasked with selling off the stolen information to raise money for the failing Countrywide Home Loan.

The plaintiffs are asking for a $20 million settlement and additional punitive damages because of their elevated identity theft risk they face and the invasion of their privacy.

According to the FBI and U.S. Attorney’s office, Rebollo, a senior financial analyst, downloaded 20,000 customer files containing extensive personal and financial information every week, and sold them to an outsider. The data breach was detected in 2008 when the mortgage company was failing and they were negotiating the sale of Countrywide Home Loans and Countrywide Financial to Bank of America, which is also named in the suit.

The FBI investigated the theft and arrested Rebollo, a former employee of Countrywide Home Loans. Rebollo allegedly sold the stolen information to Wahid Siddiqi, who, in turn, sold the information to other mortgage companies, according to the U.S. Attorney’s office. In statements to the FBI, claimed the sale of the files netted him somewhere between $50,000 and $70,000. At his court appearance, Rebollo pleaded not guilty.

The plaintiffs claim Countrywide delayed notifying their customers of the data breach for several months in order to “gain time and money.” When they were forced to admit to the data breach, they still notified only some of the affected customers and then offered them nothing more than counseling.

Before their economic meltdown, Countrywide was the largest mortgage lender in the country and specialized in subprime loans.

Click Here To Bookmark It

Hide Sites

Consumer education key to cybercrime war

Is it better to try to chase down cybercriminals, or educate computer users? That’s the ongoing debate among security experts.

On one hand, there have been some huge victories recently in the battle against the bad guys. This week, three men were arrested in connection with a creating a “botnet” that infected an estimated 13 million computers from 190 countries and stole personal and financial information.

In 2008, the alleged mastermind of the largest cybercrimes in history was arrested. Albert Gonzalez is responsible for the greatest data breaches in history, including Heartland Payment Systems, TJX, Hannaford Brothers, 7-Eleven, Citibank and Dave and Buster’s, according to his indictments.

Gonzalez also supervised an online forum in which more than 160 million credit cards, birth certificates, Social Security cards, PIN numbers and computer login information was exchanged.

So, the good guys must be winning the war, right? Probably not.

Security firm Symantec says it identified 2.9 million discrete viruses in the last 15 months—more than the total found over the last 18 years.

“The virus writers and the Trojan [horse] writers, they’re still out there,” said Tom Karygiannis, a computer scientist and senior researcher at the National Institute of Standards and Technology. “So I don’t think they’ve deterred anyone by prosecuting these people.”
It would be smarter, Karygiannis said, to develop new anti-virus technologies and to teach people how to protect themselves from Internet crime.

Considering the magnitude of these recent hackings, how can individuals protect their computers and their information? What can they do to protect themselves from massive data breaches when many corporations and financial institutions aren’t applying even the most basic security practices?

Individuals can protect themselves in two ways: They can follow the basic rules of PC security, and subscribe to services that comprehensively monitor their financial and identifying information.

To protect PCs:
• Never click on attachments in email or instant messaging, or from social media if you don’t know the sender.
• Install a firewall.
• Install security software with anti-malware.
• Use the latest operating system.
• Immediately apply patches and updates.

The second line of defense—monitoring your information—is best left to the professionals. The fact is, their technology and resources are more powerful and effective than anything available to individuals. Additionally, overseeing every aspect of your identity and finances is a full-time job.

LifeLock now provides an extensive suite of services designed for the utmost in security. Command Center™ watches illegal Internet forums, court records, peer-to-peer (P2P) networks, payday loan applications, address change requests, and requests for mortgages, utility hookups, cell phone contracts and more. If they ever detect an indication that your information is being misused, they contact their member immediate and begin remediation and restoration services.

Click Here To Bookmark It

Hide Sites

Data breaches in hotel industry higher than any other sector in 2009, according to Trustwave report

Which is most worrisome: (A) that hackers hit the hotel industry in 38% of data breaches last year; (B) that it took the hotels an average of five months to notice a data breach; (C) that the hackers often got into the data by using software glitches that had patches available 10 years ago; or, (D) all of the above?

A new report from security firm Trustwave indicates that the hotel industry was targeted for data breaches more than any other last year primarily because they were such an easy target and the takings were so rich. The hackers gained access to potentially millions of credit card account details from hotels that did little to protect the data, and never reported the resulting identity theft risk to officials or customers. (Picture a frisky young pit bull gleefully trotting after a fat, blind, three-legged cat while the cat’s owner sleeps in a hammock nearby.)

Nicholas Percoco, a Trustwave security auditor and data breach investigator, presented the report at an annual gathering of cyber security experts, the Black Hat Conference. The data was drawn from the results of 1,900 audits and 200 post-data breach investigations.

The Trustwave report also points out an interesting negative correlation between sectors that proactively hired Trustwave to attempt penetrations to identify weaknesses, and those sectors that hired Trustwave to conduct post-data breach forensic investigations. Last year, companies in the hospitality industry accounted for only 3% (roughly 60) of the 1,900 proactive audits Trustwave performed in 24 countries last year. However, the hospitality industry accounted for 38% (roughly 76) of the forensic investigations they were for after data breaches had taken place.

Most companies avoid reporting data breaches if they can, but data breaches Radisson Hotels, Wyndham Hotels and Hilton Hotels all reported data breaches in 2009.

Click Here To Bookmark It

Hide Sites

Health Net data breach prompts attorney general’s “historic lawsuit”

Connecticut Attorney General Richard Blumenthal said last November that he was “outraged and appalled” upon learning of Health Net’s massive data breach and their keeping it hush-hush for six months. He acted on those feelings this week by filing suit against the insurer and its new owners, United Health Group and Oxford Health Plans.

The data breach occurred May 2009 when a hard drive containing the information of 1.5 million customers went missing. Records were for the period 2002 through 2009. Roughly 446,000 of the members are from Connecticut.

Blumenthal’s lawsuit asserts Health Net gave its employees inadequate supervision and training on appropriate maintenance, use and disclosure of protected health information.

The company explained the six-month lag time between their awareness of the breach and their notifying state officials by saying the time was necessary to complete a “detailed forensic review.” Kroll, a computer forensic consulting firm hired to complete the investigation determined the information wasn’t encrypted or protected in any way from access or viewing.

The unsecured data included a total of 27.7 million scanned pages of 20 types of documents such as insurance claims forms and medical records. Members’ Social Security numbers, names, birth dates, prescription information, credit card numbers and bank account numbers were exposed.

Blumenthal also alleges Health Net violated the Health Insurance Portability and Accountability Act (HIPAA) by not encrypting medical information stored on a portable electronic device.

“Sadly, this lawsuit is historic—involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said in a statement.

Regarding the lawsuit, a Health Net spokesman said only that they’ve received a copy of the lawsuit and are reviewing it, and that they “will continue to work cooperatively with the Connecticut Attorney General on this matter.”

The company issued a statement in November when they notified the public of the data breach. In it they said, “Protecting the privacy of our members is extremely important to us. We apologize for any inconvenience or concern this may cause our members.”

Click Here To Bookmark It

Hide Sites