Data Breaches Up in 2010

Tuesday, June 22, 2010

Jack Anderson


A data breach is painful for everyone, with the exception of the thief. The bad publicity, the cost of notification, the cost of internal and external audits, and not least the loss to the person whose data was breached add up to an enormous price.

Yet most companies are still loath to spend enough to protect their data. The results are in for the first part of 2010, and they are grim.

The Identity Theft Resource Center ("ITRC") reported that the total number of reported data breaches for the first four months of 2010 is 245, compared to 498 total breaches reported for the entire year of 2009.

The foundation for a sound privacy and information security program is documented policies and procedures: the business rules by which you run your business.

These policies and procedures inform and educate company staff on how to handle and protect data in any format. In any audit, the first target is going to be policies and procedures.

Are they documented? Has the staff been properly trained? Is there ongoing education and training? And finally, does the staff actually follow the policies and procedures in their daily activities?

Having an outdated policy and procedure manual sitting on the shelf will not suffice.

A company we have worked with sent out paper manuals to their clients and then followed up with updates to be posted to the manuals. 

In theory a good system; in practice, an unannounced on-site visit frequently revealed the manual still in its original shipping materials, with the updates neatly stacked on top.

In the industry we refer to this as "credenza-ware".

What has proved effective is an online, interactive policy and procedure manual with oversight provided by an outside "Helper" who is rewarded based on the level of compliance of their client.

Supplemented by monthly updates and task lists, this provides guidance and performance metrics.

In the 21st century the cost of getting compliant, staying compliant, and proving compliance is much less expensive and easier than in the past. 

Make this small investment and save yourself and your clients a lot of grief.

Cross-posted from Compliance Helper


Stephen Ferdinand: Good article, Jack. Definitely agree that making the small investment for a short-term auditing package can save loads of money on the long-term costs of data breaches and failed compliance audits. I recently purchased netwrix change reporter suite and added USB blocker to complement-- so far I'm very pleased. Loads of other solutions out there too, but this is definitely worth a look-- hope it helps.
Jack Anderson: Take a look at our website at for more information on HIPAA HITECH compliance.
Elias Psyllos: In a world where the "paper trail" is dying out quickly and being replaced by digital means, companies have not taken the necessary precautions to protect their data. I work within the Digital Forensics arena and see this on a daily basis. It is much easier to steal information in digital form, as there are more avenues available for doing so. The article doesn't surprise me in the least. Think about it this way: if someone wanted to take a copy of a confidential document in paper form, they would have to physically have access to that document, then they would have to photocopy the document, and then place the original back without being noticed. In the digital world someone could simply put a USB thumb drive into the computer, copy the document and paste it onto the thumb drive, and walk away. For those who know what they are doing, they don't even have to be physically present to have access to the document; they can remote into the computer, via the internet, and simply copy, delete, alter, etc. the document. I am Sr. Forensic Investigator for a Digital Forensics company, so I see this on a daily basis. There are ways to protect digital data, and there are ways to ensure that information is truly deleted before throwing a computer out or sending a copy machine back to the leasing agent. There is a list of items that contain records of all documents that have gone through them. A few to mention are scanners, printers, copiers, and fax machines. All have means of obtaining data off of them, which can be used for identity theft, leaking of proprietary information, etc. There are means to protect yourself and your company against such instances, which were mentioned in the article. Feel free to reach out to me if you would like to learn ways to protect your data, or would like to inquire about my company's services in doing so.
Jack Anderson: We work with several companies that provide tools for different problem sets; ACR2 Solutions handles risk assessment, ID Experts handles breach notification, Digital Copier Security manages device security, and we focus on developing policies, procedures, and forms to establish a privacy and information security program for small CEs and BAs.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.