39000 patients may have been victim in Seton data breach

AUSTIN (KXAN) — Seton Family of Hospitals will provide free identity monitoring and protection services for patients who had their personal information leaked in a phishing attack targeting employee emails.

Approximately 39,000 patients received letters about the breach in which hackers accessed protected patient information, including demographic information, medical record numbers, insurance information and Social Security numbers. Seton was notified of the breach on Feb. 26.

“We value the privacy and security of protected information, and we are committed to protecting the confidentiality and privacy of our patients and employees,” said Jesús Garza, Seton Healthcare Family president and chief executive officer. “It is our priority to support those who have been affected.”

User names and passwords for the email accounts were immediately shut down and Seton launched a thorough investigation. Computer experts were able to conduct an analysis of information contained in the affected email accounts, determine the scope of the incident and identify all the individuals affected.

“The organization is taking all necessary and appropriate steps to prevent a recurrence,” Garza said.

He said Seton will continue to implement administrative, technical and physical safeguards against unauthorized access of protected information.

Affected individuals may call 1-888-687-9294, Monday through Friday, 8 am to 6 p.m. CDT with questions. Free credit reports can be obtained from each of these credit reporting bureaus:

Equifax: 800-525-6285, www.equifax.com
Experian: 888-397-3742, www.experian.com
TransUnion: 800-680-7289, www.transunion.com

Article source: http://kxan.com/2015/04/24/39000-affected-in-seton-phishing-attack-targeting-company-emails/

,

No Comments

Four Ways UK SMBs Can Mitigate Data Breach Risk

How can an SMB avoid compromising its data? Andrew Thomas from CSID says it boils down to four easily digestible tips

When you mention cyber-crime, data breach or identity theft to a small business (SMB) owner what reaction would you expect to get?

‘);}googletag.cmd.push(function(){googletag.display(“div-gpt-ad-DESKTOP_IN_ARTICLE-0″);});}})(jQuery);

Disturbing results from a recent survey by the government’s Cyber Streetwise campaign found that two thirds (66 percent) of SMB owners do not consider their businesses to be vulnerable.

Furthermore, three quarters (78 percent) of those surveyed believed in the common misconception that only companies that take payments online are at risk of cyber crime. The government’s Information Security Breaches Survey recently debunked these misconceptions with some eye opening findings.

Hacked

Almost half of all UK SMBs had a serious security breach in 2014 with 8-15 percent of annual turnover lost in the worst security breaches. The survey revealed that the average cost of the worst security breach is between £65,000 and £115,000, and can even result in a business being out of action for up to ten days. Even more worrying is that 60% of small businesses are reported to fail within six months of being hacked. The worst data security incidents reported were caused by malware (31 percent) and attack or unauthorised access by outsiders (23 percent).

The 5.2 million SMBs in the UK account for 49.8% of the economy, a fact that truly quantifies the debilitating impact a data breach can have.

SMBSMBs like the local hairdressers on a small high street make the perfect targets for criminals, largely because they don’t have the time or resources larger enterprises have to devote to cyber security. As John Allan, National Chairman of the Federation of Small Businesses (FSB) recently commented, “We know from our own research that in the future small businesses expect to become much more dependent on web based tools. We also know that, as firms’ reliance on tools like cloud computing increases, they also become more aware of the threats these services can pose.”

So what exactly can SMBs do to avoid data compromise? Realistically it boils down to awareness, education, monitoring and damage control.

Awareness – First and foremost, individuals who are interested in starting a business must be aware of security implications and costs when building a business plan. Security is typically not top of mind when an entrepreneur is ready to start a business. The security industry, government and entrepreneur start-up communities must work together to build awareness around new business security.

SMBEducation – As a business begins to expand, it is vital to educate employees on the importance of workplace security and choose vendors with superior security reputations. Businesses should build and enforce password, BYOD and social media policies from day one. The more well- educated the workforce is on the importance of security, the more likely they will be to employ better online habits at work as well as in their personal lives.

Monitoring - Take advantage of software solutions that can help monitor the security of your business. Anti-virus solutions can help protect against malicious malware and VPNs can help protect business data when conducting business outside of the company network. Businesses should also consider a monitoring service to keep track of your SMB’s overall health and mitigate the risk of breach. An SMB should monitor employee and customer credentials, its credit score and credit report to detect fraudulent activity.

Damage control – Be sure to have a breach preparedness plan. While a damage control plan may not reduce the cost of repairing the data breach, it certainly helps keep your customer relationships intact and reduces business reputation damage.

Take our security quiz here!

This is a contributed article written by Andrew Thomas, Managing Director, Europe, CSID

Article source: http://www.techweekeurope.co.uk/security/smb-avoid-data-breach-risk-166989

,

No Comments

Community Mercy alerting patients to data breach

Community Mercy Health Partners, operator of the Springfield Regional Medical Center, has alerted patients to a data breach that occurred in February.

Invoices for about 2,000 patients containing names, addresses, billing codes such as diagnosis and procedural codes, service dates and locations, and account balances were inadvertently sent to incorrect people.

Six individuals may have received invoices intended for another entity such as a health care provider, CMHP spokesman Dave Lamb said.

No social security numbers or other personal financial information were exposed, he said, and the company is contacting each affected patient individually.

There is no indication that the information on the invoices has been misused in any way.

CMHP became aware of the error Feb. 26 and launched an extensive investigation.

“We take seriously the privacy and confidentiality of our patients’ and employees’ information,” Lamb said. “Upon learning of this incident, we immediately conducted a full investigation to determine what happened, who was affected and what we can do to prevent it from occurring in the future.​”

The company determined the breach occurred because of an inadvertent change to name and address information on some patients’ bills during data entry.

“To help prevent this from recurring, CMHP has provided additional education to its data entry staff and is working with its information technology team to enhance technical safeguards for documentation in the guarantor field for patient accounts,” Lamb said.

The company is sending letters to all affected patients and has established a dedicated call center to answer patient questions.

The call center number is 1-844-830-3284.

Article source: http://www.springfieldnewssun.com/news/news/local/community-mercy-alerting-patients-to-data-breach/nk3MK/

,

No Comments

The hotly disputed black magic of data breach cost estimates

A few weeks ago Fortune visited a law firm where one partner lamented the quality of cost estimates for big companies suffering data breaches—a vital consideration for businesses seeking to manage their risk and score reasonably priced insurance policies. (Who and where are unimportant for the purposes of the story.) Prompted by a recent analysis of 10-k filings which concluded that the impact of breaches to corporate bottom lines is trivial, the conversation stirred the lawyer’s excitement—and vexation. There are no good estimates, the lawyer rued.

“It’s black magic,” the partner told Fortune. “No one actually knows the costs.”

Nowhere is this fact more apparent than in the latest data breach investigations report compiled by Verizon


VZ



, a touchstone annual study for the cyber security industry. Now in its eighth year, Verizon’s report ventures for the first time to determine the cost of a stolen record—the amount of money a company loses for each pilfered payment, personal, or medical record (see pages 27-30). (“Better eight than never,” right? the researchers write.)

“One of the questions we get a lot is, ‘Do you have any impact information?’ We’ve always had to say, ‘Unfortunately we don’t,’” says Marc Spitler, senior analyst and co-author of the report, during a briefing call. He notes that producing a reliable estimate is no easy feat.

The reason, as Verizon data scientist Jay Jacobs later clarifies when sitting down with Fortune at the RSA Conference this week, is that whenever the company’s forensics team would go back and ask companies about the financial impact, they would tell them that their engagement was done. Sharing over. As a result, Verizon—and many others in the industry—have struggled to get quality follow-up data. Add to that the fact that the quantity of data isn’t very good either, he says. “It’s not just bad data,” he adds. “It’s lack of data.”

Yet in order for executives to make reasonably informed decisions about security investments, they need to be able to understand the costs and benefits. So estimates have been drummed up. The reigning schema, aka the “cost-per-record” model, determines data breach costs by dividing the sum of estimated losses by total records lost, a straightforward formula that yields $201 for 2014 and $188 for the year prior to that. It’s a linear relationship. These figures, which have known limitations (primarily, underestimating the cost of small breaches and overestimating the cost of large breaches), are the result of annual surveys and field observations conducted by The Ponemon Institute, a digital security research center. According to the Verizon report, there has never been a better model available—until now.

This year Verizon teamed up with the cyber risk assessment firm NetDiligence, which has data about cyber liability insurance claims. By analyzing nearly 200 cyber insurance payouts, the researchers were able to get tangible data linking breaches to damages, the report says. What they found should surprise anyone who follows the information security industry. In Verizon’s analysis, the average cost-per-record is radically lower than the prevailing estimate: it’s $0.58, stupendously less than the Ponemon figure. How could that be?

“I think that this impact section is going to be the most talked about section,” Spitler says, anticipating its significance. “It’s probably the one that’s going to get a lot of buzz and questions back to us going forward.” He’s right.

Verizon’s cost-per-record coup

Once the embargo on Verizon’s report lifted last week, Fortune phoned Larry Ponemon, founder and chairman of the eponymous institute, to hear how he might account for the jarringly conflicting estimates. When informed of Verizon’s figure, Ponemon reacted as though he had been blindsided. He had not known of the result, he says, until Fortune brought it to his attention. “It’s very disturbing,” he says, mentioning that, were it not so early in the morning, he could use a glass of wine. “As you can tell from my voice, I’m very upset about this.”

Ponemon’s distress is understandable. His eponymous institute spends 10 months per year putting together its annual “cost of a data breach” study, which analyzes more than 1,600 companies in a dozen countries. It’s no small task. (Verizon’s report—which is, by all means, one of the papers of record for the cyber intrusion business—encompasses, in total, research into more than 2,000 data breaches in more than 60 countries.) Despite the Ponemon Institute having produced a cost report every year for the past decade, Verizon chose not to contact nor consult with him, Ponemon says. And, he adds, he feels snubbed. (Verizon, by the way is a sponsoring company of the institute, he says.)

“We contemplated reaching out to Ponemon on this and talking through it,” Jacobs later tells Fortune at the aforementioned security conference, ” but we really didn’t get anything from him. We just simply took his published material referenced it, cited it. We’ve got links to his reports on one of these pages.” [Editor’s note: see page 30 of the report.] “There was nothing we had a question about,” he adds. “There wasn’t any sort of question or ambiguity about what he had done that we needed input on.”

“We’re not trying to be an adversary to Ponemon,” Spitler earlier tells Fortune during the briefing call. “We were just able to get really excellent, tangible data and to use it in such a way that we were able to build something that will improve upon the cost-per-record model.”

So the two sides—Verizon and Ponemon—seem to have gotten off on the wrong footing. But questions of collaboration aside: whose model is right? Or at the very least more accurate? How could these two organizations—both of which have taken great pains to assess the damages inflicted on corporations at the hands of keyboard-clacking hackers—arrive at such glaringly different conclusions? What gives?

Why the difference

The issue has partly to due with how each team collects its data and calculates its numbers. First off, Ponemon’s model excludes breaches of a certain size. It does not take into account companies that have lost more than 100,000 records—above a certain point the damages don’t quite scale, despite more records being lost. Consider the case of Target, for example. Take the number of payment card records (as in credit and debit card numbers) the retailer lost—about 40 million—and multiply that by the roughly $200 Ponemon cost-per-record number. The result? $8 billion. Now compare that to reality…

Target certainly did not wind up spending $8 billion to cover its breach related expenses. For a company with revenues at around $70 billion, that would be roughly 10% of its top line! A crippling blow for any business. In fact, after insurance compensation and tax deductions, the retailer’s damages actually come out to something more on the order of $100 million. That’s about 0.1% of total sales—a much more manageable hit. (Omitting insurance and deductions, Target got nailed with around $250 million in breach related expenses so far.) Plugging in Verizon’s roughly $0.50 cost-per record figure, on the other hand, yields $20 million—far too low.

By the same token, the couple hundred insurance claims analyzed by Verizon have caps, too. Since the NetDiligence data is based on insurance payouts—and since all insurance policies have limits (and sub-limits and exclusions), as a blog post on the Ponemon Institute’s website explains—it is highly likely that NetDiligence’s numbers do not represent the full costs companies incur. Jacobs acknowledges this when sitting down with Fortune, and he stresses that the point has more to do with data collection than data analysis. In the report and in person, he strongly advocates for better data collection, but stands by his team’s analysis.

Further, Ponemon’s model purports to include so-called soft costs, which are indirect. These might include business partners deciding to take their business to more secure partners in the wake of a breach. They also might comprise customers losing trust in a brand and choosing to shop at a competitor instead. It makes sense then that Ponemon’s numbers are higher; Verizon’s analysis, in contrast, does not factor in intangible costs. Still, is that enough justify the huge—$0.58 versus $201—disparity?

Here’s the rub: Verizon’s report readily admits that its $0.58 cost-per-record estimate is no good. But neither is the $201, the report says. “Both the $0.58 and $201 cost-per-record models,” asserts the study, “create very poor estimators.”

On the briefing call, Spitler says much the same. “That $0.58 cent model is not good way to go about it either,” he tells Fortune, pointing to the report’s ensuing discussion as containing the better model. That’s why Verizon’s report scraps the linear cost-per-record model promoted by Ponemon, and proposes a new logarithmic regression model as a better predictor of real-world impacts. Indeed, the entire reason Verizon presents a $0.58 estimate is to debunk the traditional engine of estimation. While Ponemon’s researchers rely on simpler metrics—cost (Y) per record (X)—Verizon’s researchers use parametric statistics to plot the relationship between records lost and estimated data breach cost.

Spitler qualifies: “We built a better model, but it is far from perfect.”

The middle road

Figure 23 from Verizon's 2015 data breach investigations report tabulates a range data breach cost estimates based on the number of records lost by a company.Figure 23 from Verizon’s 2015 data breach investigations report tabulates a range data breach cost estimates based on the number of records lost by a company.

Looking at this table with its wide ranges, there is definitely some opportunity for improving the estimate of loss from breaches. But at least we have improved on the oversimplified cost-per-record approach, and we’ve discovered that technical efforts should focus on preventing or minimizing compromised records.

Though it lacks a concise or catchy name, the above—figure 23 in the Verizon report—represents the company’s alternative to the conventional cost-per-record model.

For all the apparent dispute between the institute and Verizon, their models agree on certain points. “It is ironic that after all the criticism, our estimate of a total cost of data breach falls within DBIR’s confidence interval shown in Figure 23 of the report,” Ponemon writes, referencing the common acronym of the data breach investigations report, in his post titled “Why Ponemon Institute’s Cost of Data Breach Methodology Is Sound and Endures.” He continues, “DBIR’s own prediction model for a data breach involving between 10,000 and 100,000 records fits our global total cost of data breach.”

Given that kernel of accord buried beneath the surface-level strife, it seems that Ponemon’s consternation arises more so from the way Verizon presents its findings than the findings themselves. “Apparently their single-minded goal was to ‘bust the myth’ of our annual cost of data breach research,” he writes on the institute’s blog.

“We stand by our results,” Ponemon tells Fortune. “We work very hard to be accurate. We are not simpletons. We work to provide meaningful data.” Of course, Ponemon also owns up to the limitations of the institute’s model. “I’m the first to say it’s not perfect—it has possible errors,” he says. “But to the best of my knowledge, there’s no better way to collect the kind of data we collect.”

Jacobs does not dispute that, per se: “I don’t think Ponemon’s data collection methodology is bad, but I think there’s an opportunity in analysis to do that better.” And both Spitler and Jacobs believe there is still a lot of room for improvement in Verizon’s newly proposed model, too. They draw attention to the new logarithmic regression model’s wide margins of uncertainty as evidence. (See that grey ballpark range between “upper” and “lower” described in the chart above.) Collecting more and better data should narrow that gap, they say.

“This is the Holy Grail in security,” Jacobs says. “People can talk about that there’s vulnerabilities, or that, hey, this has been exploited, but really the question is, So what? How much does it matter to me? How much does this affect my bottom line?”

Corporate data breaches are no doubt high stakes matters. And understanding their impact has shot to the top of mind for c-suites spanning the Fortune 500 and beyond. Though the jury is still out when it comes to confidently and accurately estimating data breach costs, the recommendations for businesses could not be more clear: Defend and protect your data. That’s the best way for corporate stewards to curtail the consequences of a potential compromise.

The reality is that the financial impacts of data breaches depend on a variety of factors, at least half of which remain unknown, according to the Verizon report, yet the most important of which is indeed number of records stolen. As such, Verizon’s framework still rests upon the cost-per-record foundation, though it ditches the notion that it is a strictly linear relationship. Perhaps the best option for predicting impact then would be a combination of the two approaches, utilizing the data collection methodology of Ponemon and the statistical analysis employed by Verizon. The best of both worlds.

Spitler and Jacobs, for their part, urge companies to begin collecting more data around data breaches. That’s the only way, they say, that the current models will improve. “Who wants a weak model that spits out a number that is all but guaranteed to be wrong?” the Verizon researchers ask in the report, before supplying a tongue-in-cheek rejoinder. “For that, you can just use a pair of D20 risk dice.”

Instruments of fantasy role-playing board games aside, there is still much black magic to the art of data breach cost estimation. As the actuarial wizards continue to hone their models, executives (and underwriters) will have to satisfy themselves with some combination of the aforementioned approaches. “I think the most important thing is that this is hopefully a step in what will hopefully someday be a long history on the impact of data breaches,” Jacobs says, projecting iterations of improved models to come. “There’s a whole lot of opportunity here.”

In the meantime, let’s not leave these numbers up to the imagination of a dungeon master.

Article source: https://fortune.com/2015/04/24/data-breach-cost-estimate-dispute/

,

No Comments

Anthem offering identity protection for those caught in data breach

ST. LOUIS (KPLR) – Medical insurance giant Anthem, Inc. is offering identity protection services to its members.  It’s an unprecedented response to a data breach.  At least a million people in Missouri are potential victims.  And they like almost 80 million nationwide can begin to feel more secure as a result of the offer.

Letters announcing the service are being mailed out. Susan Doerge and her husband are Anthem members. She received her letter in late March. Doerge like many others assumed they were automatically enrolled for the credit monitoring service. But after reading the letter again Doerge realized she`d have to enroll with ALLClear ID.   Doerge says she wants to stay ahead of the bad guys.   ‘I wanted to be as proactive as possible. I didn`t want to have to be calling ALLClear ID after a problem comes up.   So I did enroll in that plan.’

Anthem Incorporated has arranged three services for its members. First, in the event you suffer losses because your personal information has been used by someone else Identity repair assistance guarantees investigators will work to recover financial losses, restore credit, and return identity to member.

Second, Credit monitoring alerts members if there is an attempt to use their identity to open new credit accounts. This includes a one million dollar identity theft insurance policy.

And third, child identity protection searches thousands of databases for information that could point to acts of fraud against the children of Anthem members. The alerts are available free of charge for two years. And there was other useful information contained in the letter according to Doerge. ‘One thing they did point out is not to accept any emails that say they`re from Anthem because most likely that will be a scam. They were only notifying people by US Mail. ‘

Anthem, Inc. reports hackers got names, birthdays, medical ids, social security numbers, street addresses, e-mail addresses and employee’s income data.   Doerge who also suffered Income tax fraud this year can`t say for sure the Anthem breach opened the door for the fraudulent return filed in her name.   She`s accepted the fact that identity theft is the new normal. ‘Unfortunately it`s a problem that thousands and thousands of people if not millions have been effected by it. ‘

Remember, current or former members going back ten years could be impacted by the data breach. So, these services are for you.   Below is a link to Anthem’s website and a phone number for information about enrolling in the identity protection program.   And if you have a consumer issue, call our Call for Action hotline. The number is 800-782-2222. The line is open Monday through Thursday between 11 am and 1 pm.

Those without Internet access can call 877-263-7995.

Article source: http://kplr11.com/2015/04/22/anthem-offering-identity-protection-for-those-caught-in-data-breach/

,

No Comments

Woman sues Marshall Health for data breach

HUNTINGTON – A woman is suing Marshall Health after she claims an unauthorized employee accessed her daughter’s medical record multiple times.

MedicalRecordsKristi Dunlap, an employee of Marshall Health, and Michael J. McCarthy, the chief information officer of Marshall Health, also were named in Felesha Dickess’ complaint.

In January 2013, Kyndrix L. Blake began receiving health and medical care from Marshall Health and on June 21, 2013, Dunlap, who was in a relationship with Blake’s father, improperly accessed Blake’s confidential and private information through Marshall Health’s computer system, according to a complaint filed March 16 in Cabell Circuit Court.

Dunlap continued to access Blake’s private and confidential medical information on numerous and repeated occasions in the course and scope of her employment over the next year and three months until Sept. 29.

On Sept. 12, Dickess sent Marshall Health an e-mail explaining that she would like to speak with someone regarding her daughter’s medical record because information had been changed and she was worried Dunlap was accessing her daughter’s records, according to the suit.

Dickess claims she spoke with McCarthy regarding the data breach and was assured McCarthy would address the breach of privacy immediately.

At no time between June 21, 2013, and Sept. 12, did Marshall Health attempt to learn or otherwise notify Dickess that at least one of its employees had been repeatedly accessing Blake’s private and confidential medical information for more than one year during her employment, according to the suit.

Dickess claims it was only after she contacted Marshall Health that they were able to determine that someone was accessing the medical information.

On Oct. 27, Marshall Health finally responded by letter to Dickess and confirmed the unauthorized access to her child’s health information, according to the suit.

Dickess claims the defendants owed a duty to protect the private patient information and failed to do so.

Dickess is seeking compensatory and punitive damages with pre- and post-judgment interest. She is being represented by Hoyt Glazer, Ben Sheridan and Mitchell L. Klein of Klein, Sheridan Glazer LC.

The case is assigned to Circuit Judge F. Jane Hustead.

Cabell Circuit Court case number: 15-C-184

Article source: http://wvrecord.com/news/273986-woman-sues-marshall-health-for-data-breach

,

No Comments

Banks Seek to Block Target’s Deal With MasterCard Over Data Breach

A group of small banks and credit unions suing Target Corp over its massive data breach in 2013 are moving to block the retailer’s proposed $19 million settlement with MasterCard Inc, calling it a “sweetheart deal” aimed at undercutting their own claims for losses.

Lawyers for plaintiffs in the lawsuit, which seeks class-action status, filed an emergency motion late Tuesday asking a federal judge in St. Paul, Minnesota, for a preliminary injunction that would prevent the settlement announced on March 19 from going through.

The lawyers want the court to throw out terms of the deal, which they contend were “surreptitiously” aimed at barring financial institutions from being part of the lawsuit.

“The agreement between Target and MasterCard is nothing more than an attempt by Target to avoid fully reimbursing financial institutions for losses they suffered due to one of the largest data breaches in U.S. history,” said a statement on Wednesday from Charles Zimmerman of Zimmerman Reed PLLP and Karl Cambronne of Chestnut Cambronne PA, co-lead plaintiffs’ attorneys in the lawsuit.

“It provides paltry restitution for the substantial losses suffered,” the statement added. “This sweetheart deal for Target was negotiated without involvement of the court or the legal representatives of the impacted financial institutions.”

Lawyers for Target did not return calls seeking comment on the motion, which could prevent it from getting a release from claims in the class-action.

The motion is due to be heard in federal court Monday.

Target has said the amount under its settlement with MasterCard covers costs that banks incurred to reissue credit cards and debit cards to customers as a result of the data breach.

In 2013, Target said at least 40 million credit cards were compromised by the breach during the winter holiday shopping season, and the attack might have resulted in the theft of personal information, such as email addresses and telephone numbers, from as many as 110 million people.

Target is still in negotiations with Visa Inc over fallout from the breach.

Payments under the settlement were to be made by the end of the second quarter and it was conditioned on issuers of at least 90 percent of eligible account holders accepting the offer by May 20, Target said.

© Thomson Reuters 2015

Article source: http://gadgets.ndtv.com/internet/news/banks-seek-to-block-targets-deal-with-mastercard-over-data-breach-684654

,

No Comments

NLRB Accuses USPS Of Failing To Bargain Data Breach Response

The National Labor Relations Board recently issued a complaint against the United States Postal
Service alleging that USPS failed to furnish information and
bargain over its response to a data breach that compromised
sensitive employee information. This case raises the novel question
of whether and under what circumstances an employer must bargain
over its response to a data breach that affects unionized employee
informationand potentially adds one more legal challenge
that employers may face in the event of data breaches.

On November 10, 2014, USPS announced that it had experienced a
cyber breach potentially compromising some 800,000 employee
recordsincluding names, addresses, dates of birth, and
Social Security numbers. USPS offered all affected employees, some
of whom were union members, free credit monitoring and fraud
insurance services for one year. The American Postal Workers Union
filed two charges against USPS in November and December
2014, alleging that USPS “did not give the Union advance
notice that would enable it to negotiate over the impacts and
effects of the data breach on employees.”

In its complaint, the NLRB alleges that USPS failed to bargain
collectively and in good faith in violation of sections 8(a)(1) and
(5) of the National Labor Relations Act because it failed to
furnish certain information that the union requested after the data
breach, and it offered unionized employees credit monitoring and
fraud insurance services without affording the union an opportunity
to bargain regarding those items. As a remedy, citing USPS’s
“extensive history” of unfair labor practices, the NLRB
asks the Board to order USPS to bargain with the union over the
effects of a cyber security breach on bargaining unit members,
submit progress reports on the bargaining to the region, and pay
union negotiators who are also USPS employees for their time spent
bargaining over these issues. Notably, however, the complaint does
not appear to ask USPS to rescind the credit monitoring and fraud
insurance services that USPS provided to protect its
employees.

The key issue in this case will be whether USPS had an obligation
to bargain with the union over its response to the data breach, at
least to the extent that the breach response affected unionized
employees. The NLRB alleges that USPS had an obligation to bargain
over the “effects of a cyber security breach on the unit”
as well as USPS’s response in providing no-cost credit
monitoring services and fraud insurance to employees. The NLRB
alleges that these matters “relate[] to the wages, hours, and
other terms and conditions of employment” and are therefore
“mandatory subject[s] for the purposes of collective
bargaining.” The Board’s complaint does not further
elaborate on its theory. The case is currently scheduled for a
trial on May 11, 2015.

This case has significant implications for unionized employers,
given the time-sensitive nature of addressing data breaches. While
this case is still developing, employers should be cognizant that
their actions following a data breach may now implicate the NLRA,
in addition to other laws, and consider the impact of the NLRA in
their data breach response planning. Moreover, because data breach
responses must generally be swift to be effective, employers with
existing unions should consider obtaining sufficient discretion in
advance, so that they can act with the speed that breach responses
typically require without running the risk of a successful unfair
labor practice complaint.

With respect to the first point, each employer should review the
types of employee information that it collects and how that
information is stored. Electronic systems should have the requisite
protections and safety precautions in place to protect against data
breaches, as well as technology that detects cyber breaches.
Because many general liability insurance policies do not cover
cyber events, companies may want to consider other types of
insurance to limit risk, including but not limited to cyber breach
insurance, third-party/liability coverage, remediation coverage, or
risk management coverage. An employer should also develop a
response plan to enable it to react to a breach quickly,
efficiently, and without significant disturbances to its business.
Companies may consider what steps need to be taken for each type of
stored data, from confidential employee information to intellectual
property.

As to the second point, while it is yet to be seen whether an
employer must bargain with a union over any remedial action after a
data breach, employers with open contracts, or who are
renegotiating contracts soon, should negotiate language that gives
them the broadest possible discretion in responding to a data
breach affecting employee information, including the right to delay
notification of employees at the request of law enforcement. Such
language may include certain specific remedies, such as free credit
monitoring services, that the employer will agree to provide in the
event of a breach, without having to engage in bargaining with the
union before implementing the agreed-upon remedy. If the collective
bargaining agreement incorporates company policies, the employer
should consider adding a data breach protocol to its policies and
discussing the policy with the union before a data breach occurs.
Employers should also consider how and when they will notify the
unions representing their employees of any actions to be taken in
response to a breach affecting union members, in order to minimize
claims that they failed to provide appropriate information to the
unions.

Both employers and unions alike will be paying careful attention
to how this case is resolved, but employers can expect that this
case will make unions more attuned to the potential issues that
arise when a data breach occurs and more likely to use the NLRB as
one potential avenue for legal action in the event of a breach.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Article source: http://www.mondaq.com/unitedstates/x/391828/employee+rights+labour+relations/NLRB+Accuses+USPS+of+Failing+to+Bargain+Data+Breach+Response

,

No Comments

Effective data breach response plans hinge on prepared people

Human error contributes to breach-response mistakes

The panelists said that some of the most common mistakes they see in data breach response management involve human error motivated by fear, inexperience and uncertainty.

For example, Bryan Sartin — director of the Research, Investigations, Solutions, Knowledge (RISK) Team, which handles Verizon’s data breach response and forensics services — said the most common failures his team sees involve an inability to maintain the integrity of potential crime scenes, inadvertently covering the tracks of the crooks.

“Probably an even bigger issue than that is the ‘CYA’ that victims play, trying to hide the fact they did things they weren’t supposed to do once they found out about the incident,” Sartin said. “And that’s all the things that happen from the time they realized they had a problem until an investigator shows up to do what they do best.”

In addition, Sartin said, key stakeholders often underestimate how complex and overwhelming it can be to manage all the ancillary people and groups who must play a role in mitigating a major breach incident, including internal and external attorneys, internal and external investigators, law enforcement, regulators, insurers and many others. 

Mossberg said the data breach response plan should detail the roles of all those groups. This includes not only how issues related to the incident itself are handled, but also what tasks those individuals will have related to business continuity during the investigation and how to continue business processes or make changes on-the-fly to get the organization back on track after the incident.

Article source: http://searchsecurity.techtarget.com/news/4500244903/Effective-data-breach-response-plans-hinge-on-prepared-people

,

No Comments

House data-breach bill has some holes

The following editorial appeared in the Los Angeles Times:

“Hackers steal personal information about millions of Americans” has become a distressingly familiar headline in the 21st century, as online thieves have repeatedly siphoned off customer data from retailers, financial services firms and other corporations. Now, a bipartisan group of House members is advancing a bill to set national standards for how companies should defend themselves against intrusions and how they should respond to data breaches.

Unfortunately, the current version’s proposed standards would eliminate some important protections for consumers that other state and federal laws provide.

There have been more than 4,000 notable data breaches in the last decade, by the House Energy and Commerce Committee’s count, and about 40 failed attempts in Congress to craft a legislative solution.

Over roughly the same period, 14 states have passed laws requiring companies that collect sensitive personal information to meet minimum standards for deterring theft, and 47 states have enacted laws requiring companies to notify customers when their information is stolen. The Federal Trade Commission has also sued companies that failed to take “reasonable and appropriate” steps to protect customers’ data.

The House bill by Reps. Marsha Blackburn, R-Tenn., and Peter Welch, D-Vt., that the Energy and Commerce Committee approved last week would confirm the FTC’s enforcement authority, which has been under attack, and allow state attorneys general to bring their own claims against companies that don’t adopt “reasonable and appropriate” data security measures. That’s good. But it would also pre-empt the various state notification requirements in favor of a national one that would apply only to breaches that could lead to identity theft or economic loss.

This narrower standard could leave consumers in the dark when personal but non-financial information is stolen, such as when health-related information is taken from a fitness chain or log-ins and passwords are taken from an email service. It also would wipe out the Federal Communications Commission’s authority to set and enforce rules protecting the personal information collected by phone, cable TV and Internet services.

Considering how previous data security bills have fared, Blackburn and company may be trying not to doom their latest proposal by overreaching.

But there’s no point in a federal bill if it doesn’t make consumers better off than they are under state law. If Congress is going to make the FTC the main enforcer of data security, it should give the agency the authority to adopt rules to guide companies and adapt to new threats, rather than confining it to bringing enforcement actions. And if it’s going to take states

out of the picture, its notification requirements should apply as broadly as the state laws do. Otherwise, the law will serve the interests only of the companies whose servers are raided by hackers, not the consumers whose data the hackers are stealing.

Article source: http://www.timesunion.com/tuplus-opinion/article/House-data-breach-bill-has-some-holes-6217487.php

,

No Comments