Importance of Prompt Breach Notification

May 24, 2008 – 4:03 pm

by Doug Pollack

It was reported yesterday by TheDay in Connecticut that People’s United Bank recently experienced a data breach that may affect hundreds of thousands of their customers. An affiliated third party had created unencrypted backup tapes with personal information of their customers and a box of these tapes was misplaced.

This situation provides a great case example of the importance of prompt notification to individuals that are part of a data breach population. Per the article:

Connecticut state law requires banks to immediately notify customers when such information is lost. Rell said the Bank of New York Mellon did not quickly notify People’s United Bank of Bridgeport of the security breach.

As a result of the lack of notification, combined with the publicity surrounding this event, the bank has been deluged with calls from concerned customers.

“People’s United Bank has been flooded with calls over the past two days, ever since Attorney General Richard Blumenthal revealed Wednesday that a data breach had affected hundreds of thousands of its customers, according to a bank spokesman.”

Best practices in coordinating and managing a data breach response effort reinforce the importance of timeliness of notification. The Ponemon Institute Study on “Consumers’ Report Card on Data Breach Notification”  speaks to this issue based on a survey that, among other things, asks consumers who have been part of a data breach about whether rapid notification influences whether they remained a customer of the institution.

Needless to say, this situation illustrates the importance of communicating with your customers about a data breach before they read about it in the newspaper. By initiating that communication rapidly, prior to publicity, organizations can ameliorate some of the concern and confusion that arises when an incident is made public before the organization has formally notified those affected.

Q&A on New Ponemon Study

May 19, 2008 – 11:52 pm


IT Business Edge recently published a question and answer style interview with Doug Pollack at ID Experts concerning the recently released Ponemon Institute study titled “Consumers’ Report Card on Data Breach Notification“.

The interview highlights key findings in this study which surveyed individuals who had been involved in one or more data breaches over the last two years.

“The thing that is amazing is that there is a statistic that says that of the one-third who were offered free or subsidized services, 97 percent of them rated those services as good or excellent. The people who were offered and accepted a free or subsidized service, such as credit report monitoring, were 2.5 times more likely to feel that the company was helpful in responding to their concerns.”

To read more, check out the entire interview at IT Business Edge.

DataBreachWatch.org to encompass data breach alerts, breach news and online resources

May 19, 2008 – 8:01 am

BEAVERTON, Ore., May 13 — ID Experts(TM), the leader in data breach protection services, announced today its new blog DataBreachWatch.org that will feature data breach alerts, breach news and online resources for security and privacy professionals.

“DataBreachWatch.org is a great way for us to consolidate data breach events and information as they happen and organize that information in ways that are useful for subscribers,” said Rick Kam, president of ID Experts. “As an expert in data breach protection, we can also showcase our own expertise through best practices in managing breach notification, response and more.”

Among the information featured on the site is a recent study by The Ponemon Institute, “The Consumers Report Card on Data Breach Notification”, which revealed 63 percent of respondents were dissatisfied with data breach notification and as a result, 31 percent said they terminated their relationship with the organization.

“Our goal is to raise awareness levels around breach and close the gap between legal obligations of a data breach and consumer satisfaction for maintaining a sustainable business,” said Kam. “Corporations and other organizations can learn and adopt valuable best practices learned from this report and other information available at DataBreachWatch.org.”

The sponsor of the Data Breach Watch blog, ID Experts, has established data breach services, ID Experts Breach Respond and ID Experts Breach Assess, to address the growing consumer dissatisfaction with current breach and response methods. These services include breach assessment, notification and communications, monitoring and identity theft recovery components. Tailored to meet the individual needs of the private sector and government agencies, ID Experts is delivering a comprehensive approach to responding to data breach events that alleviates legal liability, manages public perception, and protects and restores individuals’ identities from identity theft.

About DataBreachWatch.org

Sponsored by ID Experts, DataBreachWatch.org is a dedicated information site for data breach alerts, breach news and resources for privacy and security professionals. The information on the site is intended to help develop best practices around data breach events, notification, response and recovery across all industry segments. To subscribe to DataBreachWatch.org or contribute timely information, visit www.databreachwatch.org.

About ID Experts(TM)

ID Experts(TM) provides identity theft protection services for individuals, corporations and the public sector. Unlike other identity theft protection service providers that rely solely on credit monitoring, ID Experts takes a uniquely personal approach to identity protection-whether it’s an individual or family, or the largest corporations, government agencies and universities, ID Experts ensures each and every individual receives protection and recovery assistance. Today, ID Experts protects more than 3 million individuals nationwide from identity theft. These customers benefit from ID Experts’ team of experienced identity recovery advocates who have a 100 percent success rate in restoring victims’ identities to pre-theft status. For more information visit www.idexpertscorp.com.

Jeni Cantley of MacKenzie Marketing Group, +1-503-225-0725,
jenic@mackenzie-marketing.com, for ID Experts

Consumers Reaction to Data Breach Notification

May 12, 2008 – 10:06 pm

by Doug Pollack

The Ponemon Institute recently published a report titled “Consumers’ Report Card on Data Breach Notification” based on a survey sponsored by ID Experts.

There has been a lot of research on the costs and impact of data breaches on the organizations that have exposed the data. There has been little to date, however, looking at this issue from the perspective of the consumer. Dr. Ponemon said that:

“We decided to conduct this study to find out if consumers who received notification about a data breach involving their personal information were satisfied with the organizations’ response and transparency. In other words, if consumers had the ability to issue a report card on the current status of data breach notification, would it be A for excellent or F for failing?”

The results of this study are quite informative. They can provide guidance to an organization in preparing for a data breach or in creating its data breach response plan. Among the notable conclusions that reinforce the importance of the content of the notification letter and of the protective offer made to breach victims:

“The study found that 63% of survey respondents said notification letters they received offered no direction on the steps the consumer should take to protect their personal information. As a result, 31% said they terminated their relationship with the organization and 57% said they lost trust and confidence in the organization.”

Download a copy of the Ponemon study on Data Breach notification.

UCSF Delays Data Breach Notification For 6 Months

May 6, 2008 – 9:58 pm

by Doug Pollack

Earlier this week, the San Francisco Chronicle reported that the personal information of over 6,000 UCSF patients had been exposed on the Internet for over three months last year. This exposure has left these individuals vulnerable to potential medical identity theft. The data breach was discovered in October of last year, yet UCSF did not notify these individuals until early April of this year, over 6 months later.

As reported, the data breach itself was caused by a vendor that UCSF works with to help identify potential donors for financial contributions.

“UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit’s potential or existing donors….the breach was discovered, said UCSF officials, when the hospital was alerted that a patient’s name had been queried on the Internet ‘and it was listed in association with UCSF.’”

Delay in notifying individuals that their personal information has been exposed in a data breach can be very damaging to the reputation of an organization. A recently published study by the Ponemon Institute titled “Consumers’ Report Card on Data Breach Notification” notes the implications for individuals who have been involved in a data breach.

A key conclusion from this report is that timeliness in notifying individuals that they are victims of a data breach is critical to maintaining goodwill and an on-going customer relationship.

“More than 55% of respondents state that the notification about the data breach occurred more than one month after the incident, and more than 50% of respondents rated the timeliness, clarity, and quality of the notification as either fair or poor.”

Where notification practices are this inadequate, organizations on average see around a third of the affected customers terminate their business relationship, as noted in the conclusions of this Ponemon report.

Data Breaches of Medical Records on the Rise

April 29, 2008 – 9:42 pm

by Doug Pollack

An article published by the Wall Street Journal titled “Are Your Medical Records at Risk; Amid Spate of Security Lapses, Health-Care Industry Weighs Privacy Against Quality Care” discusses the growing incidents of data breaches and contributing factors within the health care world.

The article highlights the extent of this problem as follows:

“In a spate of recent security lapses at hospitals, health insurers and the federal government, private information on hundreds of thousands of patients, ranging from Social Security numbers to fertility-treatment and cancer records, has been compromised. The incidents have included the theft of an unencrypted laptop from an employee of the National Institutes of Health and the inadvertent posting of personal data unsecured on the Web from insurers WellCare Health Plans Inc. and WellPoint Inc.”

The premise here is that the health care industry tends to have a higher incidence of data breaches because of the broader access to private patient information by employees and health care workers. This was illustrated in recent weeks by the highly publicized access to the medical records of Britney Spears by workers at the UCLA medical center.

“Health care isn’t the only industry whose slip-ups can upset consumers or expose them to identity theft. But hospitals are notable for the sheer number and types of employees — including billing staff, nurses, doctors, researchers and lab technicians — who have quick access to individuals’ private information.”

But there appear to be structural requirements for patient record access, dictated by the need to ensure high-quality and emergency medical care, that will make it difficult to reduce the risk of data intrusion and breach.

“Many hospitals are reluctant to control access to data too tightly for fear that it will create red tape in emergency situations. ‘We have to be able to take care of patients, too,’ says Wendy Mangin, president of the American Health Information Management Association and director of medical records and privacy officer at Good Samaritan Hospital, in Vincennes, Ind., which audits clinical staff’s access to medical data but doesn’t block it.”

Unfortunately, it would appear that we will be seeing more rather than fewer data breaches within the health care industry for the foreseeable future.

A chronology of data breaches since 2005

April 10, 2008 – 8:33 pm

Only a true data breach geek would be excited by this resource: a chronology of data breaches since 2005. The total number of records containing sensitive information that it reports as compromised in data breaches since January 2005 is 223,685,799. That’s right: over two hundred twenty million records.

The scary thing is the person that maintains the list has to update it twice a week. Wow.

Data Breach Alert - Okemo Mountain Resort

April 10, 2008 – 6:48 pm

Company - Okemo Mountain Resort in Ludlow, Vermont

Assessment - data of 28,168 credit card transactions could have been accessed by hackers in February

Type of Information Breached - credit card numbers, expiration dates & names

More info can be found here.