"This report describes eight frequently-arising computer security issues in an online environment that relate to data protection, together with a summary of good practice for how to guard
against each issue. In many ICO data breach cases, the measures which could have prevented the breach or reduced the level of harm to individuals would have been simple to implement."
"In the end, we identified nine patterns that together describe 94% of the confirmed data breaches we collected in 2013. But (using our best infomercial voice) that’s not all! When we apply
the same method to the last three years of breaches, 95% can be described by those same nine patterns. But wait — there’s more! Act now, and we’ll throw in all security incidents — not just breaches —
from all partners and the VERIS Community Database (VCDB) over the last ten years — for free! Yes, all for the same price of nine patterns, you can describe 92% of 100K+ security incidents! Remember that
promise from last year — ‘We may be able to reduce the majority of attacks by focusing on a handful of attack patterns?’ Consider it fulfilled. To us, this approach shows extreme promise as a way to
drastically simplify the seemingly endless array of threats we must deal with to protect information assets."
"The continued loss of unique data, which should never be used for simple authentication purposes, threatens to erode confidence in the ecommerce system. As the realization dawns that not only
are users not adequately protected by corporate security systems, but they are also at increasing risk of serious identity theft, there is the potential for backlash. Ecommerce enterprises that recognize
the need to minimize the amount of truly unique personal data being held, and that work to improve the methods by which they authenticate users, could be in a position of advantage. Regardless, it is
inevitable that enterprises wishing to continue to do business online will eventually be forced to change the way they enroll users to their services and subsequently authenticate them."
"In this Opinion, the Article 29 Working Party provides guidance to controllers in order to help them to decide whether to notify data subjects in case of a “personal data breach”. Although
this opinion considers the existing obligation of providers of electronic communications regarding Directive 2002/58/EC, it provides examples from multiple sectors, in the context of the draft data
protection regulation, and presents good practices for all controllers."
"In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services
can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in
"Democratic and Republican senators have been busy drafting legislation that would establish national requirements for data security and breach notice. The following bills have been
introduced over the last year: Data Security and Breach Notification Act, Toomey (R-PA); Personal Data Privacy and Security Act, Leahy (D-VT); Data Security Act, Carper (D-DE) and Blunt (R-MO); Data
Security and Breach Notification Act, Rockefeller (D-WV); and Personal Data Protection and Breach Accountability Act, Blumenthal (D-CT). This post provides a side-by-side comparison of these five data-
breach bills, which would impose varying standards and penalties. The comparison focuses on the breach-notification requirements of each bill; it does not discuss the standards that some bills would
establish for internal security protocols to safeguard stored data."
"This thesis scrutinizes the proportionality and describes the subsidiarity of proposals for security breach notification laws (hereafter: SBNLs) in the European Union. […] The laws that have
been assessed are Article 31 of the proposed Data Protection Regulation (hereafter: PDPR) and Article 14 of the proposed Cybersecurity Directive (hereafter: PCD). Article 31 PDPR concerns a single
uniform personal data breach notification obligation. A personal data breach entails the unauthorized access to and/or theft of personal data. Article 14 PCD concerns the harmonization of national
(significant) loss of integrity breach notification obligations. […] This thesis challenges the aforementioned assumption that determination of causality is straightforward. This is done by a more
substantive assessment of the proportionality test. This thesis contributes an empirical study from a security economics perspective, in order to substantively review (the complexity of) effects of SBNLs.
Do the (expected) effects of SBNLs match the aims they should attain according to the European proposals? And are these effects desirable?"
"One hot area of data privacy litigation over the past several years has been data breach class actions brought under the California Confidentiality of Medical Information Act (CMIA), which
provides that a person may recover $1,000 ‘nominal’ damages against a healthcare provider who has negligently ‘released’ the person’s medical information. Until recently, no California appellate court had
directly analyzed what constitutes a ‘release’ of medical information under the CMIA. The court in The University of California v. Superior Court (Platter) addressed this question for the first time in
2013 and held that the mere loss of possession of computer equipment containing medical information was not sufficient to constitute a release of the information itself. Instead, the court held, a
plaintiff must be able to plead, and ultimately prove, that an unauthorized person actually accessed the plaintiff’s medical information. The Platter decision will protect defendants from CMIA liability
in instances in which a computer or other device is lost or stolen and never recovered but where there is no evidence to suggest that anyone ever looked at the information contained on the device after
the loss or theft."
"Late one evening in December 2010, an employee of a commercial blood bank left his office with four backup tapes to drive them to the company’s corporate headquarters, just 13 miles away.
According to reports, he temporarily parked his car and locked its doors, leaving the tapes inside. Shortly thereafter, he returned to find the car’s window broken and various items missing, including the
backup tapes, a company laptop, and an external hard drive. The unencrypted backup tapes contained customer names, contact information, Social Security numbers, credit card numbers, and checking account
numbers. The laptop and external hard drive, also unencrypted, contained passwords and other information that could facilitate an intruder’s access to the company’s network. The employee immediately filed
a police report. This was just the beginning of the company’s data breach saga."
"The term ‘data breach’ generally refers to the unauthorized or unintentional exposure, disclosure, or loss of sensitive information. A data breach can leave individuals vulnerable to identity theft or other fraudulent activity. Although federal agencies have taken steps to protect PII, breaches continue to occur on a regular basis. In fiscal year 2012, agencies reported 22,156 data breaches - an increase of 111 percent from incidents reported in 2009. GAO was asked to review issues related to PII data breaches. The report’s objectives are to (1) determine the extent to which selected agencies have developed and implemented policies and procedures for responding to breaches involving PII and (2) assess the role of DHS in collecting information on breaches involving PII and providing assistance to agencies."
"I recently noted a privacy breach at Northern Inyo Hospital in California. It was one of those ‘small breaches’ (i.e., less than 500 affected) that don’t get reported on HHS’s public-facing breach tool, but it really created distress for its victim. In discussing the breach, I noted my surprise at a statement the patient made that she might have to move to another community as she no longer had trust in the hospital and was worried about how information about her accessed by the employee might be used against her. […] The patient […] kindly reached out to me to discuss the case and her decision to move away."
"Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements."
"For this study, we asked insurance underwriters about data breaches and the claim losses they sustained. We looked at the type of data exposed, the cause of loss and the business sector in which the incident occurred. For the first time, this year we also looked at the size of the affected organization. We then looked at the costs associated with Crisis Services (forensics, notification, credit monitoring, and legal counsel), Legal (defense and settlement), and Fines (PCI & regulatory). This report summarizes our findings for a sampling of 145 data breach insurance claims, 140 of which involved the exposure of sensitive data in a variety of sectors, including government, healthcare, hospitality, financial services, professional services, retail and many more."
"This long briefing provides an overview of the definition of security incidents and breaches and an analysis of their scale and trends. We summarise the current EU-level efforts to address network and information security, review some of the provisions of the Commission's 2013 proposals for a Network and Information Security Directive and offer recommendations. We have some potentially major concerns, including the relationship between incident notification and achieving the outcomes of the directive, the potential for overlapping regulation, and the definitions of covered entities. We also suggest that it would be helpful to clarify what kind of incidents the Directive is aimed to address."
"All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity. The 2013 Data Breach Investigations Report (DBIR) corroborates this and brings to bear the perspective of 19 global organizations on studying and combating data breaches in the modern world."