According to the Associate Press, “Zappos alerted employees and customers by email Sunday that names, phone numbers, and email addresses of its customers may have been accessed in a hacker attack. The company said customers’ credit card and payment information weren’t stolen.”

The AP also reported, “The civil negligence lawsuit seeks unspecified millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy, along with a court order for the company to pay for customer credit monitoring and identity theft insurance and periodic audits to ensure customer data is secure.”

If data breaches are happening to the big companies like Zappos, how exposed is your company? Do you have the necessary compliance parameters in place to satisfy the feds, state and the plaintiffs’ attorneys in the event of a breach? Do you have the proper insurance in place as well?

As you’ve probably heard, Zappos, the online shoe retailer has experienced a data breach of 24M customers’ names, email addresses, billing and shipping addresses, phone numbers and last 4 digits of their credit cards.

Zappos believes the cyber attack was by a criminal who gained access to their internal network.

Fortunately, at least on the surface, it seems Zappos has a privacy & security program in place that involves a breach response strategy whereby customer service reps have been taken off the company’s toll-free order entry line and deployed to respond to customer email. A program such as this is part of both Federal and most State compliance requirements on how to handle sensitive information.

Is your company prepared for the inevitable data breach?

Do your employees use Facebook either at work or at home or both? Are you sure they have malware protection on their business related laptops and personal computers?

Are you aware that every day an average of 160 Million Facebook users are exposed to malware? Or that each day 600,000 attempts are made to hijack Facebook users’ accounts?

Be sure you require every employee to have malware protection on any computers accessing your company data bases. Otherwise, criminals may get access to your employees’ passwords and logins and thus have access to your data. And that would be considered a data breach.

As many of us travel to spend the holidays with family and friends, we can protect ourselves from identity thieves with a few simple maneuvers:

- Avoid using public Wi-Fi when purchasing items and logging into password protected accounts (especially your bank).

- Turn off the blue tooth setting on your phone when not using it. Hackers can scan your phone and access all of your stored information.

- Use a screen protector for your laptop and smart phones so thieves can’t see your logins and passwords.

- Avoid announcing/talking about your travel plans on social networks.

- Consider using an “app” that will track your phone if you lose it and/or delete data.

Travel safely and enjoy the holidays!

This year, an estimated 36% of holiday shoppers will purchase online and a whopping 18 million Americans will use their mobile devices to do so.

If you’re one of these statistics, here are some suggestions you can implement to protect yourself:

- Avoid having websites remember your login and credit card account number.

- Add a password to all laptops and mobile devices in case they’re lost or stolen.

- Make sure your security software is up to date.

- Don’t open emails from sources unfamiliar to you.

- Clear cookies on your computer.

- Make sure websites you’re using to purchase items contain an “s” (https://).

Happy Holidays!

Recently, Kim Holmes, Asst. VP of Chubb Specialty Insurance shared four key data loss preventative measures for hospital executives in Becker’s Hospital Review.

1) Create a culture of security. Holmes said “ … make sure it’s part of the organization’s day-to-day operations … an alive and breathing process so all employees are part of the solution of preventing a data breach or responding to one if it does happen.”

2) Encrypt data. According to Ms. Holmes, “… encryption can help hospitals prevent data breaches and minimize damage if a breach does occur.”

3) Develop written indemnification agreements with third parties. Holmes says, “Hospitals and health systems need to have written indemnification agreements in place with third-party service providers and vendors as a means to possibly mitigate financial losses if a data breach occurs at a third-party vendor.”

4) Manage the provider-vendor service relationship. Make sure the vendors have appropriate security measures in place to prevent a data breach. Ms Holmes suggests, “One strategy is to require the vendor procure cyber security liability insurance.”

All of these recommendations also come from our federal government in order to comply with the privacy/security/data loss laws and pertain to every type of employer, not just healthcare providers. Do you have these parameters in place?

NC State researchers have developed what may be a way to help protect personal information.

i-NVMM is a hardware encryption system that uses an algorithm to detect data probably not needed by the processor. 

Associate Professor of electrical and computer engineering, Dr. Yan Solihin says, “The algorithm detects idleness so any data not currently in use – such as your credit card number – is automatically encrypted.”  In addition, Solihin said “While 78% of the main memory is encrypted when the computer is in use, the remaining 22% is encrypted when the computer is powered down.  Unless someone accesses your computer while you’re using it, all of your data is protected.”

Although most days it seems the criminals are several steps ahead of the good guys, here’s an example of some good news on the cybercrime front.  

The recently published Norton Cybercrime Report 2011 shows the following dramatic increases:

• 2/3 online adults have been victimized
• 14 adults victimized every second
• More than 1M cybercrime victims per day
• 42% increase in mobile cybercrime
• Viruses and malware cause 54% of cybercrime.

It’s just a matter of time before your company experiences a data loss. Cyber is just half of the equation. Employee theft and errors are the other half.

In order to protect yourself, be sure your company is in compliance with the federal and state data loss, privacy & security laws and consider adding cybercrime insurance.

Cybercrime is as easy as putting together a fantasy football team according to the FBI and Secret Service.

“I’m concerned that the cyber-underground is a beautiful business model. It’s like going to eBay or Amazon. You just pick what you need — coders, mules — and build a dream team. It’s like fantasy football,” said Gordon Snow, assistant director in the U.S. Federal Bureau of Investigation’s cybercrime division.

“The level of professionalism is amazing and I don’t see a slowdown,” said Pablo Martinez, deputy special agent in charge at the U.S. Secret Service.

Instead of just focusing on large financial institutions, cyber criminals are now targeting small and medium sized businesses. Martinez said. “Why hack into Citibank and steal 10 million pieces of information when you could hack into restaurants and get the same information and not have a big target, a bulls-eye, on your back?”

Some ways to protect your business and yourself are: write a security plan, do an inventory of your data, train your employees, guard your business accounts, restrict employee and insider access to data, and monitor your bank accounts and credit cards.

Although Cyber Insurance has been around for the past 20 years, the requests for data breach coverage quotes have tripled in the last year according to Toby Merrill, VP at ACE Group. Merrill said, “We’ve seen more growth in the last three years than all the years prior.”

Part of the reason for increased interest is both the recent attacks on well known companies such as Sony, Citigroup and Tricare in addition to the enactment of several data breach laws on both the state and federal level that carry hefty fines and penalties.

“More and more of the exposures that these policies address come from being out of compliance with notification laws, regulations, rules, or consumer protection laws,” and not necessarily the actual lost laptop or data breach, says Merrill. “That is where, quite frankly, most of these battles are going to be won or lost.”

Be sure your company is in compliance with the data breach laws and consider cyber, breach notification, victim monitoring and comprehensive crime coverage insurance.