Identity Theft


Data Breach Trends


Recently, several organizations have released data on security breaches for 2008. As you would expect, there were more reported breaches in 2008 than in 2007. Based on information from the , the trend is summarized below:

  • 2008 – 656 breaches with 35.6 million records exposed
  • 2007 – 446 breaches with 127 million records exposed
  • 2006 – 315 breaches with 20 million records exposed
  • 2005 – 158 breaches with 64.8 million records exposed

Clearly the trend indicates that more breaches are being reported with a more than 4X increase in the last four years. The question is whether this indicates an actual increase in compromised systems or an increase in the number of organizations reporting breaches.

In 2003, California became the first state to pass a data breach disclosure law. Since then, at least 43 other states have passed similar legislation requiring organizations to notify their customers in the event that their personal information is disclosed. And the federal government is considering passing similar legislation. Thus, enterprises are now required to report data breach incidents, whereas in the past this was not the case. Therefore, it would be a mistake to assume that the rise in the number of reported data disclosure incidents is strictly due to a greater number of such incidents. It is difficult to know whether the rise is due to greater reporting requirements or an actual increase in the number of incidents.

One thing is certain; state laws requiring notification of data disclosures have led to a wealth of information on such incidents. And organizations such as the have built web sites that track and publish information on data loss incidents. This is a positive outcome of state breach notification laws, as it will force companies to take proactive measures to secure their customers’ personal information, which will help make us all more secure.

Like many other states, North Carolina has enacted a data breach notification law in an effort to help protect its citizens from identity theft due to the disclosure of personally identifiable information by private enterprises.  Passed in 2005, the sets out guidelines that companies must follow for the proper use, protection, and destruction of personal information.  It also outlines the steps a business must take to notify its customers, business partners and possibly the state government in the event of a breach of personal information.  If you operate a business in North Carolina and maintain personal information, whether in digital or paper form, please read on to ensure you are familiar with the law.

The law defines personal information as either a first name or first initial and a last name in combination with any of the following:

  • Social security or employer taxpayer identification numbers
  • Drivers license, state identification card or passport numbers
  • Checking account numbers
  • Savings account numbers
  • Credit card numbers
  • Debit card numbers
  • Personal Identification (PIN) Code
  • Digital signatures
  • Any other numbers or information that can be used to access a person’s financial resources
  • Biometric data
  • Fingerprints
  • Passwords

If a business stores this information in either digital or paper form, it is required to abide by the following rules in the case of unauthorized access:

  • In the case of a breach of personal information in which the business owns or licenses the information, the business must notify each person affected “without reasonable delay”.
  • In the case of a breach of personal information in which the business does not own or license the information, the business must notify the owner or licensee “immediately following discovery of the breach”.
  • The notice must include information about the breach, the type of information that was disclosed, acts taken by the business to prevent further unauthorized access and a phone number that the customer can call for assistance.
  • The notice may be written, telephonic or electronic under certain circumstances.
  • If more than 1000 notifications are made the business must also notify the Consumer Protection Division of the state Attorney General’s office.

Additionally, businesses must take the following safeguards regarding the disposal of personal information:

  • Implement policies and procedures to ensure the physical destruction of paper documents that contain personal information.
  • Implement policies and procedures to ensure the physical destruction or permanent erasure of electronic media that contain personal information.
  • Develop an official policy regarding the disposal of personal records.
  • Perform due diligence when contracting with a disposal company to ensure that they take adequate measures to properly destroy paper and/or electronic media containing personal information.

Finally, any business operating in North Carolina may not do any of the following:

  • Intentionally make known or publish to the general public an individual’s SSN.
  • Intentionally print an individual’s SSN on any card required for the individual to access products or services.
  • Require an individual to transmit their SSN over the Internet without a secure, encrypted connection.
  • Require the use of an SSN for authentication to a web site without the use of a password or PIN as well.
  • Print an individual’s SSN on any materials mailed to the individual unless required by state or federal law.
  • Sell, lease, loan, trade or otherwise disclose an individual’s SSN to a third party without written consent from the individual if it is known or should be known that the third party has no legitimate need for the information.

Businesses that violate the North Carolina ITPA can be subjected to lawsuits under North Carolina’s Unfair and Deceptive Trade Practices Act.  This, combined with the cost of notifying customers and potential loss of business due to loss of credibility, should be a wake-up call to take action to ensure your business is in compliance with this law.  Below is a list of recommendations that every North Carolina business handling personal information should undertake in order to ensure compliance:

  • Conduct an internal audit to determine the amount and type of personal information that is collected and stored as part of your business processes.  If this personal information is not required for business purposes, discontinue using it and dispose of it securely.
  • Ensure that personal data necessary for business purposes is stored securely and is only accessible to those who need to access it in order to perform their job duties.  Be sure to include your own employees’ data as this often contains personal information covered by the ITPA.
  • Develop policies and procedures for the secure collection, usage, storage and disposal of personal information.
  • Enact a training program for all employees to ensure that they are aware of the company’s policies and procedures for handling personal data.  A business can be held liable if a non-managerial employee breaks the law and he or she was not properly trained, supervised or monitored.
  • Develop an incident response plan to address the unauthorized disclosure of personal data.  The plan should include determining the source of the breach, corrective actions, mitigation plans and proper notification of those affected.

North Carolina’s ITPA is a positive step to help protect consumers from the very real threat of identity theft.  It requires businesses to take practical steps to safeguard this information and it ensures that consumers will be notified if their personal information is breached so that they can take appropriate action to protect themselves.  As a business owner, it is best to go even further than the requirements of the ITPA.  There are many other controls and safeguards that can and should be implemented to help reduce the likelihood that you may one day have to notify your customers that their personal information was disclosed due to your negligence.

Healthcare Providers Need Security Checkup

It seems like a week doesn’t go by that I don’t read about sensitive patient information being stolen, leaked or otherwise disclosed by a healthcare provider.  A recent event occurred in where staff employed at various healthcare facilities used information obtained from patient records to steal their identities and obtain fraudulent pay-day loans.  In all the group managed to steal more than $230,000.

Criminals are focusing more and more on healthcare providers because they typically maintain a treasure trove of sensitive information that can be useful for committing identity theft.  This includes social security numbers, credit card information, drivers license numbers, patient addresses: basically all the information a criminal would need to steal someone’s identity.  And based on my experience, many healthcare providers do not take adequate measures to ensure this information is secured.  This is especially true of small providers who often fail to understand the risks associated with collecting, storing and transmitting this type of information.

Below is a list of Do’s and Don’ts that all healthcare providers should follow to protect their sensitive patient data.  This is by no means an exhaustive list, but should get you started down the right path.

  1. Don’t collect any sensitive data that you do not absolutely need.  If you don’t need your patients’ SSN, don’t ask for it.  Use other unique patient identifiers.
  2. Don’t transmit any sensitive patient information without using encryption.  This includes diagnosis and treatment information as well as information that could be used by identity thieves.
  3. Don’t share one computer account for all staff to use simply because it is too much of a hassle to create individual userids for each staff member.
  4. Do use appropriate access controls to ensure that staff only have access to the data they need in order to perform their job.
  5. Do make sure all your computers have up-to-date anti-virus and anti-spyware software installed.
  6. Do ensure that your patient data is backed up regularly and that the backups are stored off-site for disaster recovery purposes.
  7. Do perform background checks prior to hiring staff and conduct regular security awareness training to ensure that staff are aware of security and privacy policies.
  8. Don’t assume that HIPAA doesn’t apply to you because it probably does.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved