A conference held earlier today at the University of TX focused on customer concerns about online fraud and the impact it’s having on companies’ websites.
Kimberly Little of LexisNexis Risk Solutions quoted several surveys by LexisNexis, Blue Research and Javelin to illustrate what steps consumers have taken in the past year to avoid online id theft. Here are the highlights:
85% of consumers believe online fraud is a growing concern.
63% said they avoid online registrations requiring personal information.
88% of respondents said they omitted information or gave incorrect responses when creating a new account on a website.
54% said they were more likely to leave a website rather than register.
26% said they just went to a different site when asked to register.
77% said they prefer social logins (using Google, Facebook, Twitter or other social media sites) instead of registering on specific sites.
Consider limiting the information your website requires, and consider offering social media logins if you need to identify visitors to your site.
The 2011 Cost of Data Breach Study: United States produced by Symantec and the Ponemon Institute estimates that the average cost of an enterprise data breach was $5.5 million in 2011.
The Study found outside hackers (33%) and negligent insiders (39%) are the main causes of a data breach.
It’s interesting to note that according to the Study, if an organization has a Chief Information Security Officer (CISO) with responsibility for overseeing the entire Data Loss Prevention/Privacy and Security Program, the average cost of a data breach can be reduced by as much as $80 per record lost.
Keep in mind that in order to comply with several federal data loss laws, companies are supposed to name a CISO. Also, many insurance providers require a CISO in order to underwrite cyber insurance.
When referencing the 2011 Study, Dr. Larry Ponemon, President of the Ponemon Institute said, “One of the most interesting findings of the 2011 report was the correlation between an organization having a CISO on its executive team and reduced costs of a data breach. As organizations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges.”
Earlier this year, Kroll, the world’s leading risk consulting company that serves a global clientele of law firms, financial institutions, corporations, non-profit institutions, government agencies, and individuals published the following …
1. Expect more small scale data breaches. Document says health care providers must report any Breach of 500 or more individuals. (This will bankrupt many.)
2. Low Tech theft, where data is stolen through non-electronic means will increase.
3. The continuing crisis of lost devices will dominate the data theft landscape. HHS list shows 24% of reported breaches were laptops.
4. Third parties will face more stringent breach notification requirements. HITECH is placing Business Associates under increasing scrutiny. Expect to see more organizations, even those outside the health care industry, placing stringent contractual obligations on their third parties to protect company data.
5. Data encryption will be seen as a “golden ticket” to compliance. “Companies will have to remember two caveats: compliance doesn’t equal data security and encryption doesn’t equal a total solution – it is only one tool in the data security arsenal”.
6. Employee privacy awareness training will gain prominence as an essential component of breach preparedness. Kroll says “With comprehensive privacy awareness training, employees can act as privacy advocates who know how to recognize security hot spots, understand legal obligations, and use vigilance whenever they deal with PII. This is the kind of security equity that no technology can buy”.
7. The possibility of a federal breach notification law is high for 2011.
How many of these predictions have touched your company in the first five months of this year? Is your organization in compliance with the federal and state laws? Is your corporate data security program in place?
As if medical providers didn’t have enough to do to comply with government regulations, new provisions to HIPAA in the economic stimulus law signed in February will add to the workload. These new requirements could have broad implications for all employers, their relationships with health insurers and their liability in protecting personal health information. All this could mean more of an HR administrative responsibility as well as a much greater risk of data loss/privacy related lawsuits.
Employee Benefits News in their April 2009 issue reports key changes to the law include:
“Employers and/or health plans must notify individuals and the Health and Human Services Department about any security breach where protected health information has been accessed, disclosed or acquired. This notification requirement applies to electronic and paper information.
- The notifications must be sent within 60 days of the discovery of the breach. It must be sent by first-class mail, unless the affected person has indicated a preference for e-mail. If the mailing addresses are out-of-date, the employer and/or health plan must post a notice about the breach on its Web site.
- If the breach involves protected health information for more than 500 people, the employer and/or health plan must notify prominent media outlets in the local area.
- The notice should discuss the facts surrounding the privacy breach, the types of information that were involved in the breach and the steps that individuals should take to protect themselves.
- Business associates, such as third-party administrators, consultants, actuaries, attorneys, pharmacy benefit managers, wellness program vendors and disease management vendors, must notify the employer and/or health plan when a privacy breach has occurred.
- Civil and criminal penalties can apply to these business associates now.
- The new HIPAA provisions must be incorporated into employers’ and health plans’ contracts with business associates.
- The penalties for HIPAA privacy violations have been raised. Depending on the circumstances, penalties range from $100 to $50,000 for each violation, up to $1.5 million total.
- State attorneys general now can bring lawsuits in federal court on behalf of state residents who were impacted by a privacy breach.
Most of these changes will take effect in February 2010, but the new notification rules are scheduled to take effect in September 2009.”
The article goes on to talk about the enforcement provisions: “The new rules give state attorneys general new enforcement authority and enable them to contract with outside lawyers to file civil lawsuits with the full authority of the state attorney general and federal law. ‘It is nothing more than a gift to the plaintiffs’ lawyers,’ says Lisa A. Rickard, president of the U.S. Chamber Institute for Legal Reform. ‘Allowing private law firms to litigate HIPAA enforcement is a recipe for vastly higher costs and increased regulatory complexity.’”
In addition, the HIPAA privacy rules take precedence over state privacy laws, unless the state law is more stringent. To date, 44 states have privacy & security laws in place.
And lastly, the medical providers’ vendors and service providers (whether or not they have access to medical information) must have a privacy program in place. The man-hours required to police this vendor management piece will be substantial.
Read article: http://ebn.benefitnews.com/news/new-hipaa
As the economy continues to slide, the number of id theft stories being reported continues to increase. We all know identity theft is the fastest growing crime in the history of the world and there’s no way to stop it. We also know the government has recently enacted several laws such as FACTA, The Red Flags Rule, GLB and HIPAA in order to slow the incidence of ID Theft.
In a recent article, Tamara Barak Aparton from the San Francisco Examiner quotes Deputy District Attorney Steve Wagstaffe as saying “With the economy moving the way it is, we’re seeing more embezzlement, more identity theft.” Wagstaffe goes on to say, “While prosecutors haven’t tallied the rise, it’s certainly a noticeable increase.”
All business owners must implement policies and procedures to secure confidential information and educate their employees about id theft awareness and prevention. It’s the only hope we have to lessen all Americans’ risk. Read the entire article here: http://www.sfexaminer.com/local/40455557.html
This type of ID theft occurs when a thief uses a stolen medical insurance number to get medical treatment. On the surface this seems not to be much of a problem. But when we take a moment to think about the ramifications of a thief using our medical insurance, we quickly understand the nightmare that can ensue.
Of course there is a monetary issue when medical ID theft happens because in a lot of instances, the victim is held financially responsible for the debt resulting from fraudulent medical care. Worse than that, however, is the reality of the criminal’s blood type, allergies to medications and funky diseases now being in our permanent medical file. If we’re treated based on that misinformation, it can seriously harm us … maybe even kill us. And the kicker is that HIPAA prevents us from correcting our medical files when the criminal’s information is contained in them. HIPAA forbids the medical provider from sharing data on another patient with us … even if that patient is a criminal who stole our medical identity!
Electronic medical records will make medical identity theft increase like nothing we’ve ever seen before. Be careful! Read more: http://www.news-gazette.com/news/print/2009/02/22/medical_identity_theft_a_difficult_problem_to_diagnose_and_treat
Kirk Nahra, one of the foremost privacy and security lawyers in the country, says the Obama administration will make enforcing privacy laws a significant priority. Nahra says “There is a virtual guarantee that the new Administration will take a more aggressive approach on enforcement of the HIPAA rules. Accordingly, we can expect a general increase in enforcement activity in 2009.” Nahra continues with “Because of the new likelihood of enforcement action, companies should pay particularly close attention to complaints about privacy and security, and should act aggressively to mitigate any security breaches or other potential harms from privacy and security failures”.
Read the entire memo here: http://www.wileyrein.com/publication.cfm?publication_id=14097
Welcome to my blog. I will use these pages to share business ideas, and stories about the people I meet, as well as breaking news in the field of business identity theft. I welcome your comments.
© 2008-2012 Julie Ryan All Rights Reserved -- Copyright notice by Blog Copyright