Malaysians believe telcos most vulnerable to data breaches

A survey shows that telecommunication companies need to take not only preventative measures, but also make those measures visible to build and retain public confidence. – Reuters file pic, July 29, 2015.

Latest research has revealed that Malaysians believe telecommunication companies (telcos) are the most vulnerable to a breach of consumers' personal data over the next 12 months, compared with other types of organisations.

The research was carried out by Unisys Corporation via Unisys Security Insights.

In Malaysia, it was conducted by independent research body, Lieberman Research Group which saw 503 adults being surveyed during April and May this year.

The survey asked consumers in 12 countries about the likelihood that their personal data could be accessed by an unauthorised person, accidentally or deliberately, at seven types of organisations: airlines, banking/finance, government, healthcare, retail, telcos and utilities.

The research found that 59% of Malaysians expect a personal data breach at a telco, followed by government (49%), healthcare providers (43%), utilities, including power or water suppliers (41%), airlines (36%), banking and finance (35%) and retailers (33%).

Unisys Asia Pacific Security Program director John Kendall said it was pivotal for the organisations to take preventative measures to protect consumers’ personal data and build trust.

“Telecommunication companies need to take not only preventative measures, but also make those measures visible to build and retain public confidence.

“Apart from that, even though retailers, banks and airlines are regarded as the most trusted among others, they also need to ensure they maintain this trust as they continue to obtain more information on their customers in a bid to provide personalised services and offers,” he said at the Unisys Security Insights and CyberSecurity Malaysia Media Briefing 2015 at Unisys Malaysia, Damansara Utama in Kuala Lumpur today.

Also present was CyberSecurity Malaysia chief executive officer Dr Amiruddin Abdul Wahab. – Bernama, July 29, 2015.

Article source: http://www.themalaysianinsider.com/malaysia/article/malaysians-believe-telcos-most-vulnerable-to-data-breaches


Report: China-backed hacking group breaches United Airlines data

WASHINGTON — The Chinese-backed hackers who previously stole data at insurance giant Anthem and the U.S. Office of Personnel Management have hit another high-profile target: United Airlines.

The data breach happened in May or early June, people familiar with the investigation told Bloomberg. The same sources say that the hackers are the same China-backed group that pulled off the earlier breaches.

One person familiar with the investigation told Bloomberg that the information includes manifests — meaning that the hackers have information on the movements of millions of Americans.

United is the world’s second-largest airline, and one of the biggest airline contractors with the U.S. government, meaning that the information could be used to track government workers and other contractors. Bloomberg says that the combination of OPM, insurance and travel information could be used to blackmail Americans working in defense and intelligence.

A United spokesman had no comment for Bloomberg.

Zhu Haiquan, a spokesman for the Chinese embassy in Washington, said in a statement: “The Chinese government and the personnel in its institutions never engage in any form of cyberattack. We firmly oppose and combat any forms of cyberattacks.”


© 2015 WTOP. All Rights Reserved.

Article source: http://wtop.com/travel/2015/07/report-china-backed-hacking-group-breaches-united-airlines-data/


Data Breach – Could It Happen to You?

Posted by: jspuhler
in Recruiting Software Blog,
July 29, 2015

The short answer is yes.

A data breach involving more than four million federal employees was announced in early June.  The breach, involving the U.S. Office of Personnel Management (OPM), involved personnel records and security clearances.

During the breach, hackers gained access to the financial, health, and personnel files of members of the military and others who applied for government security clearances.  In addition, sensitive information belonging to millions of friends and family members of clearance applicants was siphoned off in the hack. The stolen data could be used to identify specialists, scientists, and others operating covertly in foreign countries.

Thefts of employee, financial, and healthcare data are, unfortunately, becoming more and more common. Earlier this year, investigators linked attacks on healthcare insurers Anthem, Premera Blue Cross, and CareFirst to Chinese hackers.  The Anthem attack alone is believed to affect close to 80 million consumers. Even Donald Trump is not immune.  Krebs on Security recently revealed that Trump Hotels suffered a data breach extending back months. And while the Target data breach of 2013 startled consumers and banks, the provision of free security monitoring to compromised consumers is now mainstream.

A serious breach of HR files could occur to any business, or enterprise.  What can you do about it?

Hot issues for HR cybersecurity

Outdated legacy systems and practices are not just a problem for the federal government.  Businesses of all sizes are vulnerable to internal and external intruders.  The vast security weaknesses evident in federal systems are mirrored each day in business, state, non-profit and other information technology (IT) systems.

The IT security challenges facing most business today include:

Lax security:  From hardware to software, vendors, employees, and soft security protocols, the majority of businesses do not have equipment, plans, or personnel in place to address IT security.

Specialized IT staff:  Still practically in its infancy, the field of cybersecurity will explode in coming years.  While IT specialists are trained to assess and identify system and data-delivery problems and to offer solutions, experienced security talent is relatively rare and in high demand.  Although information and intellectual property are key assets, few businesses have trained teams to address or resolve vulnerabilities.  If you do not employ trained specialists, use an outside service or consultant.

Bring your own device:  Mobility offers unparalleled opportunity to increase productivity, facilitate communications, and share data.  Electronic devices of all kinds are vulnerable when an information system is breached.  Routine headlines speak to the frequency with which laptops containing unencrypted sensitive data—or access to data—are stolen.  Current methods to sequester data on mobile devices include sandboxing and virtualization:

  • Sandboxing: A sandbox is a defined, controlled space created for users of mobile devices.  Work on the device is contained within protected sectors called sandboxes.
  • Virtualization: Virtualization allows a user to work on a device without storing data there. Less stored data = less threat.

Training:  Employees pose an enormous risk to system security.  While some attacks are intentional, more damage occurs by mistake.  The potential to download a malicious program is enormous—even when employees, vendors, or clients are trained.  Personnel who use, access, or employ your systems should receive prevention and detection training.  Because malicious programming and hacking methods evolve rapidly, ensure that developments in cybersecurity are frequently discussed within your organization.

The U.S. Computer Emergency Readiness Team (US CERT) provides protocols, tools, and training for businesses to initiate system assessment and readiness.  Steps identified by CERT toward readiness include:

  • Identify: Assess and understand risk
  • Protect: Training and best practices
  • Detect: Engage resources to detect and share situational awareness
  • Respond: Share situational resources, respond, and advise operators and business
  • Recover: US CERT offers Federal Emergency Management Agency (FEMA) planning exercises

US CERT also provides access to National Cyber Awareness products including current activity and alerts.

The breach at the OPM resulted in the theft of millions of sensitive HR files.  As security experts work to identify the extent of the damage, OPM managers struggle to explain why sensitive data was not encrypted.

Data breach incidents in the United States, and across the globe, are on the rise. Hackers of yesteryear were individuals aiming at revenge or damage.  Today, sophisticated hackers routinely probe companies of all sizes for IT vulnerabilities.

Could it happen to you?  The long answer is yes.


Article source: https://www.brightmove.com/data-breach-could-it-happen-to-you/


United Airlines data breached by China-backed hackers: Bloomberg

United Continental Holdings Inc has been the target of a data breach linked to a group of China-backed hackers, Bloomberg reported.

The company detected an attack into its computer systems in May or early June, Bloomberg reported, citing people familiar with the matter.

Among the data stolen are manifests, which include information on flights’ passengers and destinations, Bloomberg said.

United Airlines did not immediately respond to a request for comment.

The China-backed hackers are the ones that were behind other data breaches including medical data from health insurer Anthem Inc and security clearance records from the US Office of Personnel Management, Bloomberg reported.

Article source: http://economictimes.indiatimes.com/tech/internet/united-airlines-data-breached-by-china-backed-hackers-bloomberg/articleshow/48266866.cms


The 10 Biggest Data Breaches Of 2015 (So Far)


Article source: http://www.crn.com/slide-shows/security/300077563/the-10-biggest-data-breaches-of-2015-so-far.htm


State law roundup: legislatures across the U.S. revamp data breach …

As the number of highly publicized data breaches continues to skyrocket and proposals for a federal data breach notification law stagnate, state legislatures around the country have been busy amending their own breach notification statutes. So far, 2015 has been a banner year for state breach law makeovers, with nine states formalizing amendments to their laws, and several others poised to follow suit.

Since California took the lead by enacting the first data breach statute back in 2003, 46 other states (plus D.C., Puerto Rico, Guam, and the Virgin Islands) have passed their own security breach notification requirements. And California could be credited with having started another trend in 2013 when it expanded the definition of personal information in its breach notification law to include email addresses and passwords used to access an individual’s online account. California made further revisions to its law in 2014, and since then there has been a steady stream of state law changes, many of which have followed California’s example to some extent.

The past year has seen amendments to data breach notification laws in Connecticut, Montana, Nevada, New Hampshire, North Dakota, Oregon, Rhode Island, Washington, and Wyoming. Even Canada has joined the fray, enacting a federal breach notification law last month. In addition, several states have revisions to their data breach statutes on the table, including California and Illinois, which appear likely to pass amendments in the next few months. Below we provide overviews of the forthcoming changes to the state laws.

Rhode Island

On June 26, 2015, Rhode Island Governor Gina Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 (“SB134”) into law. SB134 substantially revises the prior statute by expanding the definition of “personal information,” requiring notification to the Rhode Island Attorney General, and mandating a risk-based information security program. The law will take effect one year from its passage, on June 26, 2016.

  • Personal Information: SB134 amends the definition of personal information to include Social Security numbers; driver’s license numbers, Rhode Island identification card numbers, or tribal identification numbers; health insurance and medical information; and email addresses combined with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial accounts.
  • Security Breach: The law broadens the definition of a “breach of the security system” to include “unauthorized access or acquisition of unencrypted computerized data,” and it requires an entity to use a 128-bit or higher algorithmic encryption process in order to be considered “encrypted data” for purposes of breach notification under the law.
  • Notification: The law requires notification to the Rhode Island Attorney General for breaches involving 500 or more Rhode Island residents. The amendments also require Rhode Island consumers to be notified of a breach within 45 calendar days from confirmation of the breach. Each reckless violation of Rhode Island’s revised statute, including the failure to notify, can result in a penalty of $100 per record, while knowing and willful violations could reach $200 per record.
  • Risk-Based Information Security Program: SB134 requires entities to “implement a risk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.” The use of “risk-based information security program” suggests that the Rhode Island legislature expects entities to adopt a risk management plan similar to that currently mandated under the Health Insurance Portability and Accountability Act (HIPAA).

Connecticut

As we previously reported, this year Connecticut became the first state in the nation to require free identity theft protection for Connecticut residents affected by a data security breach. Signed into law by Connecticut Governor Dannel P. Malloy on June 30, 2015, Public Act No. 15-142 will take effect October 1, 2015, except for provisions relating to state contractors, which took effect July 1, 2015.

  • Free Identity Theft Services: The law requires companies and entities that fall victim to a data breach involving the compromise of the Social Security numbers of Connecticut residents to provide at least one year of free identity theft prevention services and, if applicable, identity theft mitigation services, to affected Connecticut residents. It also requires entities to provide information to Connecticut residents about how to place a credit freeze on their credit file.
  • Notification: Under the new law, entities must give notice to affected Connecticut residents no later than 90 days after discovery of a breach. Notice must also be given to the Connecticut Attorney General not later than the time notice is provided to Connecticut residents.
  • Personal Information: The new law defines information to include protected health information; taxpayer identification numbers; alien registration numbers; government passport numbers; demand deposit account numbers; savings account numbers; credit card numbers; debit card numbers; and unique biometric data, “such as a fingerprint, a voice print, a retina or an iris image, or other unique physical representations and biometric information.”
  • Mandated Data-Security and Information Security Programs for State Contractors and Health Insurers: The law also includes new requirements for state contractors and health insurers, HMOs, and related entities to implement comprehensive data-security and information security programs. The provisions relating to state contractors became effective July 1, 2015. The provisions relating to health insurers become effective October 1, 2015.

New Hampshire

As we reported earlier this month, on June 12, 2015, New Hampshire Governor Maggie Hassan signed into law House Bill 322, which requires the New Hampshire Department of Education to implement additional procedures to protect student and teacher data from security breaches, and to notify affected individuals of any such breach. The law goes into effect August 11, 2015.

Oregon

On June 10, 2015, Oregon Governor Kate Brown signed Senate Bill 601, which makes a number of amendments to the state’s data breach notification statute. The new law will take effect January 1, 2016.

  • Personal Information: The law expands the existing definition of personal information to include:

    • Biometric information used for authentication purposes (i.e., “[d]ata from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction”);
    • A consumer’s health insurance policy number or health insurance subscriber identification number (if in combination with any other unique identifier that a health insurer uses to identify the consumer); and
    • “Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.”
  • Notification: The amendments require notification to the Oregon Attorney General whenever a data breach affects more than 250 Oregon residents. The new Oregon law also requires entities to provide consumer reporting agencies with the police report number assigned to a breach – a unique requirement that has not been a part of any other state breach notification law to date.

Nevada

On May 13, 2015, Nevada Governor Brian Sandoval signed Assembly Bill 179, amending the definition of what constitutes personal information under Nevada’s existing data breach notification law. Although the law officially became effective on July 1, 2015, it contains a provision that exempts “a data collector, as that term is defined in NRS 603A.030, or a business” from complying with the new provisions until July 1, 2016.

  • Personal Information: Under the new law, personal information now includes driver authorization card numbers; medical identification or health insurance identification numbers; and user names, unique identifiers, or email address when combined with passwords, access codes, or security questions and answers that would permit access to an online account.

Washington

Signed into law on April 23, 2015 by Washington Governor Jay Inslee, Washington House Bill 1078 revises the state’s data breach notification law to impose an Attorney General notification requirement, a notification timing requirement, and certain content requirements for the notification letter, among other changes. The law took effect on July 24, 2015.

  • Persons Covered: The breach notification law now applies to any person, business, or agency that conducts business in Washington that owns, licenses, and/or maintains any data (computerized or hard copy) that includes personal information of Washington residents.
  • Notice to the Attorney General: The Washington Attorney General must be notified when a single breach affects more than 500 Washington residents.
  • Notification Timing Requirement: Notice of a breach must be provided to consumers (and to the Washington Attorney General, when applicable) no more than 45 calendar days after discovery of the breach.
  • Safe Harbors and Exemptions: The amendments create a safe harbor for encrypted data and exempt covered entities that are subject to the HIPAA/HITECH breach notification requirements or to the Interagency Guidance issued pursuant to the Gramm-Leach-Bliley Act.
  • Content of Breach Notification: Breach notices to consumers must be written in plain language and include the name and contact information of the reporting person or business; a list of the types of personal information that were or are reasonably believed to have been the subject of a breach; and the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
  • Technical Breach of Security System: The amendments clarify language regarding disclosure of a breach caused by a technical breach of a security system, stating that a covered entity shall not be required to disclose a technical breach that does not seem “reasonably likely to subject customers to a risk of harm.”

North Dakota

On April 13, 2015, North Dakota Governor Jack Dalrymple signed Senate Bill 2214 into law, which expanded the reach of the state’s notification requirements and the range of businesses subject to those requirements. The law takes effect August 1, 2015.

  • Covered Entities: The amendments now apply to any person or business that owns or licenses computerized data that includes personal information about a North Dakota resident (as opposed to any person or business that conducts business in North Dakota).
  • Personal Information: The law narrows the definition of personal information with regard to employer data notification numbers, specifying that the term includes only such numbers in combination with a required security code, access code, or password.
  • Notice to North Dakota Attorney General: In addition to providing notice to consumers in “the most expedient time possible and without unreasonable delay,” covered entities must now provide notice to the North Dakota Attorney General when a data breach affects more than 250 North Dakota residents.

Wyoming

As we reported earlier this year, on March 2, 2015, Wyoming Governor Matt Mead signed bills expanding the definition of “personally identifiable information” and requiring additional minimum content requirements for notifications to affected individuals. Both laws went into effect on July 1, 2015.

Going forward, notices to affected Wyoming residents must “be clear and conspicuous” and include, at a minimum:

  • The types of PII reasonably believed affected;
  • A general description of the breach;
  • The approximate date of the breach;
  • The remedial actions taken by the entity to prevent further breaches;
  • Advice directing affected persons to remain vigilant by reviewing account statements and credit monitoring reports; and
  • Whether a law enforcement investigation delayed breach notification.

In addition, the definition of personally identifiable information now includes data containing the first name or first initial and last name of a person in combination with one or more of the following data elements:

  • Address;
  • Telephone number;
  • Social Security number;
  • Driver’s license number;
  • Government-issued identification card;
  • Tribal identification card;
  • Bank account number or credit or debit card number in combination with any security code that would allow access to a financial account;
  • Shared secrets or security tokens that are known to be used for data-based authentication;
  • User name or email address in combination with a password or security questions and answer;
  • Birth or marriage certificate;
  • Medical information, defined as a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • Health insurance information, defined as a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application, and claims history;
  • Unique biometric data used for authentication purposes; or
  • An individual taxpayer identification number.

Montana

On February 27, 2015, Montana Governor Steve Bullock signed House Bill 74, which amends Montana’s existing data breach notification statute to broaden the definition of personal information and require that entities notify the Montana Attorney General. The amendments go into effect October 1, 2015.

PENDING BILLS

California

Introduced to the California Senate on February 26, 2015, Senate Bill 570 would amend California’s existing data breach notification law to clarify and require specific content of breach notifications to consumers. The bill passed the California Senate on May 28, 2015, and is currently being considered before the California Assembly Appropriations Committee.

  • Breach Notification Content: The amendments would require notices to convey information under the following specified headings (the amendments would also provide a sample one-page format for the notice listing this information):

    • What Happened?
    • What Information Was Involved?
    • What We Are Doing.
    • What You Can Do.
    • For More Information.
  • Conspicuous Posting: The amendments would clarify the “conspicuous posting” requirement to require companies or individuals who have suffered a breach to post a conspicuous notice on the home page or “first significant page” after entering the company or individual’s website for a minimum of 30 days.

Illinois

Introduced to the Illinois Senate on February 20, 2015, Senate Bill 1833 would amend the Illinois Personal Information Act. The bill is currently before Illinois Governor Bruce Rauner for signature and could be partially vetoed. The bill would amend the following:

  • Personal Information: The bill would make Illinois the first state to include geolocation data and third-party consumer marketing information in the definition of personal information.
  • Notification to Attorney General: The bill would require data breach notification to the Illinois Attorney General within 30 days of the discovery of a breach affecting 250 or more Illinois residents.
  • Security Measures: The bill would create a new requirement for “data collectors” that use but do not own personal information of Illinois residents to implement and maintain reasonable security measures to protect those records from unauthorized access.
  • Conspicuous Posting of Privacy Policy: The bill would require operators of websites that collect personal information to conspicuously post privacy policies that can easily be found by consumers. Currently, California is the only other state with a law of this nature on the books.

Article source: http://www.lexology.com/library/detail.aspx?g=8ec48af1-5e32-4740-a0b5-4b4fcce2a0a2

,

No Comments

State Law Roundup: Legislatures Across the U.S. Revamp Data Breach …

As the number of highly publicized data breaches continues to skyrocket and proposals for a federal data breach notification law stagnate, state legislatures around the country have been busy amending their own breach notification statutes. So far, 2015 has been a banner year for state breach law makeovers, with nine states formalizing amendments to their laws, and several others poised to follow suit.

Since California took the lead by enacting the first data breach statute back in 2003, 46 other states (plus D.C., Puerto Rico, Guam, and the Virgin Islands) have passed their own security breach notification requirements. And California could be credited with having started another trend in 2013 when it expanded the definition of personal information in its breach notification law to include email addresses and passwords used to access an individual’s online account. California made further revisions to its law in 2014, and since then there has been a steady stream of state law changes, many of which have followed California’s example to some extent.

The past year has seen amendments to data breach notification laws in Connecticut, Montana, Nevada, New Hampshire, North Dakota, Oregon, Rhode Island, Washington, and Wyoming. Even Canada has joined the fray, enacting a federal breach notification law last month. In addition, several states have revisions to their data breach statutes on the table, including California and Illinois, which appear likely to pass amendments in the next few months. Below we provide overviews of the forthcoming changes to the state laws.

Rhode Island

On June 26, 2015, Rhode Island Governor Gina Raimondo signed the Rhode Island Identity Theft Protection Act of 2015 (“SB134”) into law. SB134 substantially revises the prior statute by expanding the definition of “personal information,” requiring notification to the Rhode Island Attorney General, and mandating a risk-based information security program. The law will take effect one year from its passage, on June 26, 2016.

  • Personal Information: SB134 amends the definition of personal information to include Social Security numbers; driver’s license numbers, Rhode Island identification card numbers, or tribal identification numbers; health insurance and medical information; and email addresses combined with any required security code, access code, or password that would permit access to an individual’s personal, medical, insurance, or financial accounts.
  • Security Breach: The law broadens the definition of a “breach of the security system” to include “unauthorized access or acquisition of unencrypted computerized data,” and it requires an entity to use a 128-bit or higher algorithmic encryption process in order to be considered “encrypted data” for purposes of breach notification under the law.
  • Notification: The law requires notification to the Rhode Island Attorney General for breaches involving 500 or more Rhode Island residents. The amendments also require Rhode Island consumers to be notified of a breach within 45 calendar days from confirmation of the breach. Each reckless violation of Rhode Island’s revised statute, including the failure to notify, can result in a penalty of $100 per record, while knowing and willful violations could reach $200 per record.
  • Risk-Based Information Security Program: SB134 requires entities to “implement a risk- based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected.” The use of “risk- based information security program” suggests that the Rhode Island legislature expects entities to adopt a risk management plan similar to that currently mandated under the Health Insurance Portability and Accountability Act (HIPAA).

Connecticut

As we previously reported, this year Connecticut became the first state in the nation to require free identity theft protection for Connecticut residents affected by a data security breach. Signed into law by Connecticut Governor Dannel P. Malloy on June 30, 2015, Public Act No. 15-142 will take effect October 1, 2015, except for provisions relating to state contractors, which took effect July 1, 2015.

  • Free Identity Theft Services: The law requires companies and entities that fall victim to a data breach involving the compromise of the Social Security numbers of Connecticut residents to provide at least one year of free identity theft prevention services and, if applicable, identity theft mitigation services, to affected Connecticut residents. It also requires entities to provide information to Connecticut residents about how to place a credit freeze on their credit file.
  • Notification: Under the new law, entities must give notice to affected Connecticut residents no later than 90 days after discovery of a breach. Notice must also be given to the Connecticut Attorney General not later than the time notice is provided to Connecticut residents.
  • Personal Information: The new law defines personal information to include protected health information; taxpayer identification numbers; alien registration numbers; government passport numbers; demand deposit account numbers; savings account numbers; credit card numbers; debit card numbers; and unique biometric data, “such as a fingerprint, a voice print, a retina or an iris image, or other unique physical representations and biometric information.”
  • Mandated Data-Security and Information Security Programs for State Contractors and Health Insurers: The law also includes new requirements for state contractors and health insurers, HMOs, and related entities to implement comprehensive data-security and information security programs. The provisions relating to state contractors became effective July 1, 2015. The provisions relating to health insurers become effective October 1, 2015.

New Hampshire

As we reported earlier this month, on June 12, 2015, New Hampshire Governor Maggie Hassan signed into law House Bill 322, which requires the New Hampshire Department of Education to implement additional procedures to protect student and teacher data from security breaches, and to notify affected individuals of any such breach. The law goes into effect August 11, 2015.

Oregon

On June 10, 2015, Oregon Governor Kate Brown signed Senate Bill 601, which makes a number of amendments to the state’s data breach notification statute. The new law will take effect January 1, 2016.

  • Personal Information: The law expands the existing definition of personal information to include:

    • Biometric information used for authentication purposes (i.e., “[d]ata from automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction”);
    • A consumer’s health insurance policy number or health insurance subscriber identification number (if in combination with any other unique identifier that a health insurer uses to identify the consumer); and
    • “Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.”
  • Notification: The amendments require notification to the Oregon Attorney General whenever a data breach affects more than 250 Oregon residents. The new Oregon law also requires entities to provide consumer reporting agencies with the police report number assigned to a breach – a unique requirement that has not been a part of any other state breach notification law to date.

Nevada

On May 13, 2015, Nevada Governor Brian Sandoval signed Assembly Bill 179, amending the definition of what constitutes personal information under Nevada’s existing data breach notification law. Although the law officially became effective on July 1, 2015, it contains a provision that exempts “a data collector, as that term is defined in NRS 603A.030, or a business” from complying with the new provisions until July 1, 2016.

  • Personal Information: Under the new law, personal information now includes driver authorization card numbers; medical identification or health insurance identification numbers; and user names, unique identifiers, or email address when combined with passwords, access codes, or security questions and answers that would permit access to an online account.

Washington

Signed into law on April 23, 2015 by Washington Governor Jay Inslee, Washington House Bill 1078 revises the state’s data breach notification law to impose an Attorney General notification requirement, a notification timing requirement, and certain content requirements for the notification letter, among other changes. The law took effect on July 24, 2015.

  • Persons Covered: The breach notification law now applies to any person, business, or agency that conducts business in Washington that owns, licenses, and/or maintains any data (computerized or hard copy) that includes personal information of Washington residents.
  • Notice to the Attorney General: The Washington Attorney General must be notified when a single breach affects more than 500 Washington residents.
  • Notification Timing Requirement: Notice of a breach must be provided to consumers (and to the Washington Attorney General, when applicable) no more than 45 calendar days after discovery of the breach.
  • Safe Harbors and Exemptions: The amendments create a safe harbor for encrypted data and exempt covered entities that are subject to the HIPAA/HITECH breach notification requirements or to the Interagency Guidance issued pursuant to the Gramm-Leach-Bliley Act.
  • Content of Breach Notification: Breach notices to consumers must be written in plain language and include the name and contact information of the reporting person or business; a list of the types of personal information that were or are reasonably believed to have been the subject of a breach; and the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
  • Technical Breach of Security System: The amendments clarify language regarding disclosure of a breach caused by a technical breach of a security system, stating that a covered entity shall not be required to disclose a technical breach that does not seem “reasonably likely to subject customers to a risk of harm.”

North Dakota

On April 13, 2015, North Dakota Governor Jack Dalrymple signed Senate Bill 2214 into law, which expanded the reach of the state’s notification requirements and the range of businesses subject to those requirements. The law takes effect August 1, 2015.

  • Covered Entities: The amendments now apply to any person or business that owns or licenses computerized data that includes personal information about a North Dakota resident (as opposed to any person or business that conducts business in North Dakota).
  • Personal Information: The law narrows the definition of personal information with regard to employer data notification numbers, specifying that the term includes only such numbers in combination with a required security code, access code, or password.
  • Notice to North Dakota Attorney General: In addition to providing notice to consumers in “the most expedient time possible and without unreasonable delay,” covered entities must now provide notice to the North Dakota Attorney General when a data breach affects more than 250 North Dakota residents.

Wyoming

As we reported earlier this year, on March 2, 2015, Wyoming Governor Matt Mead signed bills expanding the definition of “personally identifiable information” and requiring additional minimum content requirements for notifications to affected individuals. Both laws went into effect on July 1, 2015.

Going forward, notices to affected Wyoming residents must “be clear and conspicuous” and include, at a minimum:

  • The types of PII reasonably believed affected;
  • A general description of the breach;
  • The approximate date of the breach;
  • The remedial actions taken by the entity to prevent further breaches;
  • Advice directing affected persons to remain vigilant by reviewing account statements and credit monitoring reports; and
  • Whether a law enforcement investigation delayed breach notification.

In addition, the definition of personally identifiable information now includes data containing the first name or first initial and last name of a person in combination with one or more of the following data elements:

  • Address;
  • Telephone number;
  • Social Security number;
  • Driver’s license number;
  • Government-issued identification card;
  • Tribal identification card;
  • Bank account number or credit or debit card number in combination with any security code that would allow access to a financial account;
  • Shared secrets or security tokens that are known to be used for data-based authentication;
  • User name or email address in combination with a password or security questions and answer;
  • Birth or marriage certificate;
  • Medical information, defined as a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • Health insurance information, defined as a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application, and claims history;
  • Unique biometric data used for authentication purposes; or
  • An individual taxpayer identification number.

Montana

On February 27, 2015, Montana Governor Steve Bullock signed House Bill 74, which amends Montana’s existing data breach notification statute to broaden the definition of personal information and require that entities notify the Montana Attorney General. The amendments go into effect October 1, 2015.

PENDING BILLS

California

Introduced to the California Senate on February 26, 2015, Senate Bill 570 would amend California’s existing data breach notification law to clarify and require specific content of breach notifications to consumers. The bill passed the California Senate on May 28, 2015, and is currently before the California Assembly Appropriations Committee.

  • Breach Notification Content: The amendments would require notices to convey information under the following specified headings (the amendments would also provide a sample one-page format for the notice listing this information):

    • What Happened?
    • What Information Was Involved?
    • What We Are Doing.
    • What You Can Do.
    • For More Information.
  • Conspicuous Posting: The amendments would clarify the “conspicuous posting” requirement to require companies or individuals who have suffered a breach to post a conspicuous notice on the home page or “first significant page” after entering the company or individual’s website for a minimum of 30 days.

Illinois

Introduced to the Illinois Senate on February 20, 2015, Senate Bill 1833 would amend the Illinois Personal Information Act. The bill is currently before Illinois Governor Bruce Rauner for signature and could be partially vetoed. The bill would amend the following:

  • Personal Information: The bill would make Illinois the first state to include geolocation data and third-party consumer marketing information in the definition of personal information.
  • Notification to Attorney General: The bill would require data breach notification to the Illinois Attorney General within 30 days of the discovery of a breach affecting 250 or more Illinois residents.
  • Security Measures: The bill would create a new requirement for “data collectors” that use but do not own personal information of Illinois residents to implement and maintain reasonable security measures to protect those records from unauthorized access.
  • Conspicuous Posting of Privacy Policy: The bill would require operators of websites that collect personal information to conspicuously post privacy policies that can easily be found by consumers. Currently, California is the only other state with a law of this nature on the books.

To help navigate the continuing developments in state breach notification law requirements, BakerHostetler has assembled a state-by-state survey that is updated regularly to reflect newly enacted legislation.

Article source: http://www.jdsupra.com/legalnews/state-law-roundup-legislatures-across-18716/


Data Breach May Affect Thousands Of Kansans

Thousands of Kansans soon will be receiving letters notifying them that their electronic health records may have been compromised.

The letters are from a Fort Wayne, Ind., company that provides an online patient portal called NoMoreClipboard used by 18 Kansas hospitals and at least half a dozen clinics. Most are small-town hospitals in western and southeastern Kansas. The largest is in Hutchinson.

“We have 3,815 patients that have signed up to use the patient portal,” said Amelia Boyd, vice president of business development at Hutchinson Regional Health Care System. “The only information that is involved in our portal is demographic. There’s no financial information or clinical information involved for our system.”

Others may not be so fortunate, however. In a security notice dated July 23 (https://www.nomoreclipboard.com/notice), the company, Medical Informatics Engineering, said it’s possible that hackers may have obtained patients’ Social Security numbers, passwords and diagnoses, as well as a wide range of other information. Affected hospitals, physicians and other health facilities are listed at the bottom of the online security notice post.

“While investigations into this incident are ongoing, we determined the security of some personal and protected health information contained on Medical Informatics Engineering’s network has been affected,” the company said in a news release.

Hackers first got into the system May 7, but the cyberattack apparently went undetected for almost three weeks. Medical Informatics Engineering said it discovered “suspicious activity” on a server on May 26, when it launched an investigation and notified law enforcement, including the Federal Bureau of Investigation’s Cyber Squad.

“We have been working with a team of third-party experts to investigate the attack and enhance data security and protection,” the company said in the release. “Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement’s investigation.”

Officials with some of the affected Kansas hospitals said they have not been getting many calls about the incident so far. That may be because letters advising patients to be on the lookout for signs of identity theft are still in the mail.

The letters also urge patients to monitor their credit reports. Citing “an abundance of caution,” the company is offering affected individuals free access to two years of credit monitoring and identity protection services.

The company established a hotline for patients, who can call (866) 328-1987 from 8 a.m. to 8 p.m. weekdays.

The release said affected data for individuals who used a NoMoreClipboard portal/personal health record may include an individual’s name, home address, Social Security number, username, hashed password, spousal information (name and potentially date of birth), security question and answer, email address, date of birth, health information, and health insurance policy information.

Eric Jones, the co-founder and chief operating officer of Medical Informatics Engineering, was unavailable for comment.

Bryan Thompson is a reporter for KHI News Service in Topeka, a partner in the Heartland Health Monitor team.

Article source: http://kcur.org/post/data-breach-may-affect-thousands-kansans-0


Federal Data Breach Bill Stalled In Congress

Article source: http://www.mondaq.com/unitedstates/x/415906/data+protection/Federal+Data+Breach+Bill+Stalled+In+Congress


Data breach tops 2 million disclosures

Tuesday, July 28th 2015 13:32

ODPR: Treasury breached protection rules

An investigation into a data breach by the government’s income tax division says there were almost 2.3 million disclosures of personal data.

The Treasury has contacted those whose email addresses were revealed when it sent them a marketing message earlier this year.

It’s after an investigation by the Office of the Data Protection Registrar following the breach, blamed at the time on human error.

The ODPR, however, says Treasury did breach data protection regulations – and has asked the income tax division to make sure it doesn’t happen again.

In its email, Treasury admits it didn’t ask for permission to use email addresses for direct marketing, nor did it tell people their information might be used that way.

There was also no way to unsubscribe from the bulk email, and data protection bosses say the Twitter feed promoted isn’t a “similar product or service” which could have been offered under the rules.

The Treasury says it estimates more than two million personal disclosures were made – but that doesn’t include further breaches when it tried to recall the emails.

However, it says it’s agreed to make changes and so no further action will be taken by the data protection supervisor at this time.

Article source: http://www.manxradio.com/news/isle-of-man-news/2-3-million-disclosures-in-data-error/
