According to a news report, BlueCross BlueShield of Tennessee admitted on January 25th that it has spent more than $7 million to address an October theft of 57 computer hard drives. The company said that it may have to spend millions more to determine what was on the missing drives and to provide identity protection for affected customers. According to its website, the company has notified 220,000 BCBS customers in Tennessee and in other states where persons covered by BCBS of TN plans may work. Further, the HITECH Act and state notification requirements obligate the company to determine exactly what was on the stolen hard drives, and that work alone has required the hiring of more than 700 contract and BlueCross workers.
If we are to accept the Ponemon Institute’s most recent Cost of Breach report, this breach will ultimately cost BCBS of TN over $44 million (220,000 records at $204 per record is roughly $44.9 million). Given that 67% of the $204 per record cost consists of lost customers and other indirect costs, the direct portion comes to about $14.8 million, which leaves BCBS of TN roughly $7.8 million still to go on notification, credit monitoring, forensics and other direct expenses.
This breach is a stark reminder that even though the lawsuits are being won by breach defendants, the costs incurred before the first lawsuit is even filed can be very significant. Having a post-breach game plan in place to address these costs has become crucial during the past few years. After all, nothing hurts a bottom line as quickly as a significant unfunded expense.
Update: March 14, 2012
BCBS of TN has agreed to pay HHS $1.5 million to settle the HHS investigation that followed its breach notification under the HITECH Act. When coupled with the $17 million in first-party expenses already paid, this incident remains a stark reminder of the benefits of a network security and privacy insurance policy.
The facts are starting to surface regarding the recent attacks against Google, Yahoo! and Microsoft – all of which have been linked to Chinese interests. According to one recent report, the attackers selected employees with access to proprietary data, determined their social networking friends and then hacked into those accounts. Once in control of the friends’ accounts, the attackers (posing as friends) sent their actual targets instant messages with links to sites that installed spying software on their computers.
This sort of criminal strategy could be applied to any company, large or small. In fact, it is reasonable to assume that the president of a middle market firm has more valuable intelligence on his computer than a strategically placed employee at a much larger company. Being aware of this sort of attack matters, given that the overall number of attacks against business has been increasing. According to a recent CSO survey, 37% of businesses polled have seen an increase in attacks during the past 12 months.
One way to reduce the risk of a corporate attack is to limit social networking access to those individuals in marketing or sales who have a corporate reason to go to those sites. Even those individuals should have proper training so that they know, for example, not to click on links whose URLs look wrong (an unfamiliar host, a raw IP address, a lookalike domain, a file that would run when opened) or that lead to content serving no distinct corporate purpose. Also, try hard to avoid clicking on images. It may be hard to do: our propensity to click on whatever online content we see is a habit not easily kicked.
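To make the "strange URL" advice concrete, here is an added example (not code from the original post or from any of the companies mentioned): a small Python script that applies a few mechanical link checks to constructed instant messages of the kind described in the attack above, where a friend's compromised account sends the target links. The messages, the brand list and the domain names are all made up for illustration; the crude registrable-domain helper is an assumption that should be replaced with the public suffix list in real use.

```python
import re
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample IM traffic (not real messages): "alice" is the friend
# whose account the attacker controls, "bob" is a normal colleague.
MESSAGES = [
    ("alice", "hey, check the photos from saturday http://photos.example.com/album/42"),
    ("alice", "lol look at this one http://198.51.100.23/pic.jpg.scr"),
    ("alice", "your account got flagged, fix it here http://facebook.com.account-review.example.net/login"),
    ("alice", "or here http://www.facebook.com@evil.example.org/reset"),
    ("bob", "meeting moved to 3pm, agenda on the intranet https://intranet.example.com/agenda"),
]

# Assumed brand names a phishing link might borrow; extend for your environment.
BRANDS = ("facebook", "google", "yahoo", "microsoft", "paypal")

# File extensions that execute on a Windows client when "opened" from a browser.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".hta", ".msi")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption for this example only:
    a real deployment should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str) -> List[str]:
    """Return the reasons a URL looks suspicious (empty list if none)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # 1. Userinfo trick: in http://www.facebook.com@evil.example.org/ the part
    #    before '@' is credentials the browser ignores; the real host follows it.
    if parts.username is not None:
        reasons.append("text %r before '@' hides the real host %r" % (parts.username, host))

    # 2. Bare IP literal instead of a hostname.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass

    # 3. Punycode label: an internationalised name that may be a homoglyph of a known one.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible homoglyph domain)")

    # 4. A brand name appears in the host but the registrable domain is someone else's,
    #    e.g. facebook.com.account-review.example.net is really example.net.
    reg = registrable_domain(host)
    for brand in BRANDS:
        if brand in host and brand not in reg:
            reasons.append("brand %r in host but registrable domain is %r" % (brand, reg))
            break

    # 5. The link points at a file that would run on the client.
    if parts.path.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("path ends in an executable extension")

    return reasons


def scan_messages(messages: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (sender, url, reasons) for every URL in the messages that raised a flag."""
    findings = []
    for sender, text in messages:
        for url in URL_RE.findall(text):
            reasons = inspect_url(url)
            if reasons:
                findings.append((sender, url, reasons))
    return findings


if __name__ == "__main__":
    for sender, url, reasons in scan_messages(MESSAGES):
        print("%s sent %s" % (sender, url))
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed messages, the script flags three of alice's five links and leaves the two ordinary intranet and photo links alone. None of these checks proves a link is malicious; they are the sort of quick, explainable signals a training session can teach people to look for before clicking, and they are cheap enough to run inside a chat gateway.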
According to the latest Ponemon Cost of Breach report, data breach attacks doubled this past year while the average cost of a data breach increased to $204 per compromised record. The Ponemon Institute looked at several variables when arriving at this $204 figure, including lost business; legal fees; disclosure expenses; consulting help, including forensics; and remediation expenses such as improved technology and training. Page 16 of the report indicates that lost business is the most significant component of this number, representing $135 of the $204. In other words, the firms that disclosed details of their breaches to the Ponemon Institute documented a significant loss of business. In addition to providing this valuable insight regarding the brand damage caused by a breach, the report is also instructive because it offers information regarding the causes of 2009 breaches.
According to this Ponemon Institute report, data breaches generally have three primary causes: third-party negligence; malicious attacks, such as coordinated botnet attacks; and negligent insider behavior. In fact, the Ponemon Institute points out that 42 percent of all cases in the study involved third-party negligence. Although this number (like the rest of the report) is based on information provided by only 45 businesses willing to speak in detail with the Ponemon Institute, it should not be taken lightly, especially since it is not that far off from numerous other studies and surveys done over the years.
The two lessons here, that breaches lead to lost business and that third-party negligence is a significant cause of breaches, actually have more to do with marketing than with risk management. In a prolonged down economy, small and middle market companies need to differentiate themselves by showcasing their network security and privacy strengths. Instead of shying away from the effort needed to improve your network risk profile, embrace it, realizing that it is only a matter of time before you are required to do what you are voluntarily doing now. As with most corporate best practices, being one step ahead of your competition on network security and privacy can turn into a significant marketing advantage. Depending on your business goals and how you generate revenue, that advantage can easily become a sustained competitive edge.
According to this article, Facebook founder Mark Zuckerberg recently said that privacy was no longer a “social norm”. This convenient point of view comes less than a month after Facebook changed the way it organizes user information. Under the old system, people had the option of being placed into regional networks like “North Jersey”; the new system removes that distinction, so your information can be visible to any Facebook user and not just those in your network.
As well, the new “Everyone” setting does not just open your page to Facebook users: it allows access to everyone on the Internet, including the Google, Yahoo! and other search engine crawlers. In other words, if you use the Facebook default settings, as many new users do, you will end up posting to anyone with online access, and you may now also end up on a search engine results page. LinkedIn has been doing this for years. This increase in exposure is obviously the goal behind the recent Facebook changes: it lets Facebook grow its user base beyond an already staggering 350 million users.
There is obviously a simple solution: limit your visibility to those who are friends, and curtail what you post on the part of your page that is visible to non-friends. Go to this site for detailed information on how to set your Facebook privacy settings. Privacy is not dead, unless you choose to let it die.
On January 28, 2010, the United States, Canada, and 27 EU countries will celebrate the second annual Data Privacy Day. If you go to the Data Privacy Day website, you will see links to some helpful privacy resources.
It is with no small bit of irony that Data Privacy Day will also approximately mark the one-year anniversary of the Heartland Payment Systems data breach, the largest privacy data loss in history – potentially impacting over 100 million credit card transactions. Heartland recently negotiated a $60 million Visa settlement fund that will be used to reimburse Visa’s issuing banks.
In 2009, there were 498 reported breaches involving over 222 million records. Of these 498 incidents, only six firms reported that they had deployed encryption or other strong security controls to protect the exposed data. This is not surprising, given that most notification laws provide a safe harbor for encrypted data: had the data been encrypted, there would generally have been no need to report at all.
As well, 59% of the records impacted by the reported breaches could be attributed to the conduct of independent contractors. The prior year, over 45% of all breached records (16 million) were compromised by the actions of independent contractors, and the Ponemon Institute reports that 29% of all breaches are caused by third-party negligence. As the year progresses and budgets continue to be squeezed, the due diligence once used to vet vendors will unfortunately slip a bit. And when vendor engagements start favoring price over controls, the resulting increase in vendor data loss may prove staggering.
Improving independent contractor due diligence by engaging only those small business vendors with sound data protection practices in place will go a long way toward improving your risk profile. Moreover, in addition to being a sound way to better protect sensitive data, encryption deployment has the added benefit of keeping you within the safe harbor of the notification laws, and out of the resulting lawsuits, provided the keys were not lost along with the data. The public notices speak for themselves.
With unemployment now stretching past 10%, the Ponemon Institute “Data Loss Risks During Downsizing” survey conducted last year is more relevant than ever. The survey found that 59% of employees who leave or are asked to leave a company take proprietary or sensitive corporate data with them. Moreover, 79% of those respondents admit that their former employer did not permit them to leave with company data. Not surprisingly, 67% of respondents used their former company’s proprietary information to leverage a new job.