Archive for October, 2014

Data Breaches: Don’t Blame Security Teams, Blame Lack of Context

Post written by
Lior Div, CEO and cofounder, Cybereason

Lior Div is cofounder and CEO of Cybereason and an expert in hacking operations, forensics, cryptography and evasion.

Cyber security teams are now, more than ever, under great pressure due to an increased likelihood that their organization will be breached. It is not surprising that 57% of security experts expect their organizations to be compromised within the next year. As news of cyber-attacks becomes the sad “who’s next?” water-cooler discussion, it has become a well-known reality that even the most extensively protected organizations will fall victim to complex hacking operations.

Even though enterprises spend millions of dollars on cybersecurity protection and detection solutions, the average breach goes undetected for 229 days. Moreover, once an incident is discovered, it usually takes another month for security to investigate the overall damage and magnitude of the cyber-attack. This significantly prolongs response time and has led to a devastating average breach cost of 3.5 million for businesses in 2014.

The main reason why security fails to successfully battle complex hacking operations is not due to a lack of competency or negligence, as some may think. In reality, it is because security teams desperately lack context. The truth is, security teams are blinded by thousands of security alerts on a daily basis from their various security tools. Even the most sophisticated security teams are unable to comprehend an attack because most security solutions lack the capabilities to produce cohesive alerts.

When the Human Factor Fails

Because security tools produce a large amount of unwarranted alerts, security teams must manually investigate them: meticulously weed out false alerts and connect isolated malicious activities in order to reveal an attack. In an ideal world, where there is an abundance of highly skilled security experts, the need for manual investigation would be less detrimental. However, this security paradigm significantly weakens your defence for several reasons:

Isolated Alerting = Limited Remediation

Because traditional security systems alert on individual events, security teams also remediate isolated issues, without taking historical evidence into consideration. For instance, IT will be alerted about a virus on a single endpoint and will then clean that endpoint. However, they cannot tell whether an employee accidentally brought the virus in from working at home or someone downloaded it from an email. Traditional tools cannot reveal whether the alert was a localized event or part of a far more dangerous hacking operation. The inability to see individual events as part of something larger makes it very difficult for security teams to detect and remediate a cyber-attack, giving hackers a serious time advantage.

Alert Blindness

Commonly, security solutions rely on indicators of compromise as triggers for an alert. These IOCs are based on very rigid, predefined rules. For example, an alert will be produced when there are multiple failed login attempts, but because security solutions cannot automatically judge alerts by examining other evidence, a large number of alerts are produced, many of them false. 56% of organizations say that their security tools produce too many false positives. This challenge leaves security teams feeling rightfully uneasy, always unsure whether they have fixed the problem or missed something along the way.
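A concrete illustration of the failed-login example above, added here and not part of the original article: a rigid per-event rule fires on every burst of failures, while a rule that links the failures to what followed them from the same source (a successful login, then activity that login enabled) separates a mistyped password from a likely account takeover. The log format, threshold, window and sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data); the format is assumed.
SAMPLE_LOG = """\
2014-10-31T08:00:01 host=web1 user=alice src=10.0.0.5 result=FAIL
2014-10-31T08:00:03 host=web1 user=alice src=10.0.0.5 result=FAIL
2014-10-31T08:00:05 host=web1 user=alice src=10.0.0.5 result=FAIL
2014-10-31T08:00:09 host=web1 user=alice src=10.0.0.5 result=OK
2014-10-31T09:15:00 host=web2 user=bob src=198.51.100.7 result=FAIL
2014-10-31T09:15:02 host=web2 user=bob src=198.51.100.7 result=FAIL
2014-10-31T09:15:04 host=web2 user=bob src=198.51.100.7 result=FAIL
2014-10-31T09:15:06 host=web2 user=bob src=198.51.100.7 result=FAIL
2014-10-31T09:16:00 host=web2 user=bob src=198.51.100.7 result=OK
2014-10-31T09:16:30 host=web2 user=bob src=198.51.100.7 action=new_process name=unknown.exe
"""

LINE_RE = re.compile(r"(\S+) host=(\S+) user=(\S+) src=(\S+) (.*)")


def parse(log_text):
    """Turn each log line into a dict of fields; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, src, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "src": src, **fields})
    return events


def rigid_rule(events, threshold=3):
    """Isolated alerting: fire once per (user, src) that reaches `threshold`
    failures, regardless of what happened before or after."""
    fails = defaultdict(int)
    alerts = []
    for e in events:
        if e.get("result") != "FAIL":
            continue
        key = (e["user"], e["src"])
        fails[key] += 1
        if fails[key] == threshold:
            alerts.append(f"{e['user']}@{e['src']}: {threshold} failed logins")
    return alerts


def correlated_rule(events, threshold=3, window=timedelta(minutes=5)):
    """Context-aware alerting: link the failure burst to a later success from the
    same source and to activity that success enabled. A burst followed by nothing
    (a user mistyping a password) stays quiet; a burst, a success and then a new
    process becomes one alert that already tells the analyst the story."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    alerts = []
    for (user, src), evs in by_key.items():
        fails = [e for e in evs if e.get("result") == "FAIL"]
        if len(fails) < threshold:
            continue
        last_fail = fails[-1]["ts"]
        success = next((e for e in evs if e.get("result") == "OK"
                        and timedelta(0) <= e["ts"] - last_fail <= window), None)
        if success is None:
            continue
        follow_up = [e for e in evs if "action" in e
                     and timedelta(0) < e["ts"] - success["ts"] <= window]
        if follow_up:
            alerts.append(f"{user}@{src}: {len(fails)} failures, then a successful login, "
                          f"then {follow_up[0]['action']} ({follow_up[0].get('name')})")
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("rigid:", rigid_rule(events))        # two alerts, one of them noise
    print("correlated:", correlated_rule(events))  # one alert, with its context
```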

Article source: http://www.forbes.com/sites/frontline/2014/10/31/data-breaches-dont-blame-security-teams-blame-lack-of-context/


Alabama credit unions report Home Depot data breach cost them nearly $1M




Alabama’s credit unions say they have incurred costs estimated at nearly $1 million as a result of the recent data breach at Home Depot, according to the League of Southeastern Credit Unions Affiliates.

Antrenise Cole, Reporter, Birmingham Business Journal


LSCU, which cited a survey conducted by the Credit Union National Association, said credit unions in the state have seen 107,105 debit and 14,845 credit cards affected by the Home Depot breach, which was announced in September. And with the costs per affected card at $8.02, local credit unions have spent an estimated $978,039, so far, for reissuing new cards, fraud and all other costs, such as additional staffing, member notification and account monitoring.

“The costs to credit unions by data breaches – which seem to be occurring with increasing regularity – are rising, as the CUNA survey clearly demonstrates,” said LSCU Affiliates President and CEO Patrick La Pine. “The bottom line is that credit union member owners end up paying the costs despite the fact that the credit unions are not at fault in causing the breaches in the first place.”

Nationwide, the recent data breach at Home Depot has cost credit unions more than $57 million with 7.2 million debit and credit cards affected.

Earlier this year, Alabama’s credit unions reported that the impact of the data breach at Target Corp. was more than $400,000.

Antrenise Cole covers banking, finance, small business lending, venture capital, accounting and law for the Birmingham Business Journal.



Article source: http://www.bizjournals.com/birmingham/blog/2014/10/alabama-credit-unions-report-home-depot-data.html


California Attorney General Reports Data Breaches Up 600% in 2013

Attorney General Kamala Harris released her second annual California Data Breach Report on October 28, which revealed hacking penetration is up 600% since 2012. This year, the Attorney General issued 12 recommendations to companies in various industries, and to the legislature regarding ways to improve data security practices to improve California consumer protection.

The California Legislature has required (S.B. 24) that, beginning in 2012, all online businesses and government organizations submit copies of their breach notifications to the State Attorney General for all cases where a data breach affected more than 500 California residents. The Attorney General is then required to analyze the hacking incidents, publish statistics and make recommendations each year.

The 2013 report states that the Attorney General’s office received 167 data breach notifications in 2013, a 28% increase over the prior year. The reported data breaches involved 18.5 million records of California residents. Two large breaches, of Target and LivingSocial, each exposed about 7.5 million Californians’ personal data.

But separating out the two mega-hacks of retailers, “the number of records affected would have been 3.5 million, a 35 percent increase over 2012.” The average number of affected records in a breach would have been only about 2,600 in each hack. The report noted on average that the types of data breaches and the data breaches by industry have remained “fairly consistent” over the past two years.

Data breaches in 2013 were classified into four categories: (1) malware and hacking, (2) physical theft and loss, (3) errors, and (4) misuse. More than half of all computer penetrations in 2013 were caused by hacks classified as malware and hacking. Physical theft and loss accounted for about a quarter; unintentional errors accounted for 18 percent of breaches; and misuse by insiders accounted for the balance. 

Almost half of all breaches in 2013 involved Social Security numbers, making it “the most frequently compromised data type.” According to the report, the average financial loss “to a consumer who falls victim to the fraudulent use of a credit card account is $63, debit card $170, checking account $222 and Social Security number $289.”

A quarter of breaches were in retail and involved 15.4 million records, or 84% of the 2013 total. Healthcare had a similar number of breaches, but just 1.1 million records were involved.

The Attorney General made twelve recommendations for upgrading systems to improve resistance to data exposure. The annual report seems to be an excellent example of non-partisan good government. The fact that a behemoth like Target with huge resources did not know that 70 million of its customers’ data had been vacuumed up for months by an organized crime ring is frightening to most consumers. Having California businesses and the Attorney General cooperating to improve consumer records security should be bad news for the growing number of digitally sophisticated criminal cartels. 


Article source: http://www.breitbart.com/Breitbart-California/2014/10/31/California-Attorney-Reports-Data-Breaches-Up-600-in-2013


Home Depot breach costs doubled Target’s

Credit unions spent $60 million following the data security breach at Home Depot in September — twice as much as the recent Target data breach, according to a survey published Thursday.

Credit unions and banks had to reissue consumer cards that were breached, with current laws stipulating that they’re responsible to pick up the costs.

The Home Depot data breach impacted 7.2 million consumer cards at credit unions, according to the survey, released by the Credit Union National Association (CUNA).

On average, it costs $8.02 to reissue a consumer card, according to the survey.

Last year’s Target data breach cost credit unions $30 million, according to CUNA.

But credit union officials say the risk to reputations following a data breach is even more burdensome.

“The bottom line is that credit union members end up paying the costs – despite the fact that the credit unions they own had nothing to do with causing the breach in the first place,” said CUNA President and CEO Jim Nussle.

Consumers often are notified by their bank or credit union that they need to have their cards reissued following a breach at a retailer, which bankers say puts them at a disadvantage with consumers who might blame them and not the retailer.

The retail industry pressed back against the credit unions’ criticisms.

In a letter to CUNA and the National Association of Federal Credit Unions (NAFCU) sent later Thursday, leaders of the top retail industry groups said that retailers do have to shoulder some of the costs from data breaches.

“Even after absorbing substantial fraud losses, merchants are subject to massive fines by Visa and MasterCard networks and hundreds of millions of dollars in restitution through private litigation for cybersecurity breaches,” they wrote in a letter signed by the Retail Industry Leaders Association (RILA) and the National Retail Federation (NRF).

Other groups signing the letter included the Food Marketing Institute, the National Association of Convenience Stores, the National Grocers Association, and the Merchant Advisory Group. 

The retailers noted that many in the financial services industry have formed a partnership, led by RILA and the Financial Services Roundtable, to establish a private-public partnership with businesses to share data threat information.

“Unfortunately, while retailers, restaurants, convenience stores, hotels, national banks, card networks and community banks have joined the Partnership, one constituency has still not seen fit to participate: credit unions,” they wrote in the letter. “It is past time we started working together for the greater good of America’s consumers.”

Other top retailers and financial firms — including Neiman Marcus and JPMorgan Chase — have also reported major data security breaches.

President Obama and the administration have called for more stringent security technology to be used in credit and consumer cards. The financial services industry has also been working closely with the administration to encourage threat information sharing to protect consumers.

However, Congress has been slow to take up cyber security legislation. Most Republicans and Democrats support implementing a national data notification standard that would require retailers to notify consumers when their information had been breached.

Republicans want a standard that would allow for the industry to evolve with rapidly changing consumer technology. Democrats want a more stringent standard that they say would better protect consumers from the patchwork of lenient standards in the states.

This story was updated at 4:14 p.m.

Article source: http://thehill.com/policy/finance/222340-home-depot-breach-costs-doubled-targets


Data breach suspected at Sheriff’s Office

Was investigation disseminated?

Freeborn County administration is investigating a suspected data breach within law enforcement, according to Administrator John Kluever.


He said he and other information technology staff are looking into the possibility that someone was unnecessarily viewing open investigation files and disseminating parts of those files in the public.

He declined to comment on how the suspected breach was discovered and whether it has any connection to the upcoming election in the Freeborn County Sheriff’s Office.

“If you access something for a nongovernmental purpose, that would be a data breach,” Kluever said.

He hopes to have more answers by the end of next week.

Kluever said if a data breach is found, state statute requires officials to contact anyone who might have been affected.

The Freeborn County Sheriff’s Office has been rife with controversy and even an anonymously defamatory website, which also is under investigation. It’s unclear whether the data breach is related.

Look to the Tribune for more information as it becomes available.

Article source: http://www.albertleatribune.com/2014/10/data-breach-suspected-at-sheriffs-office/


Google Working on Tool to Gather Stats While Preserving Privacy

Google is working on a new system that enables the company to collect randomized information about the way that users are affected by unwanted software on their machines, without gathering identifying data about the users.

The system is known as RAPPOR (Randomized Aggregatable Privacy-Preserving Ordinal Response) and Google currently is testing it in Chrome. The company’s engineers are hoping to use RAPPOR to aggregate data on the problems affecting users while still preserving the privacy of each individual.

“To understand RAPPOR, consider the following example. Let’s say you wanted to count how many of your online friends were dogs, while respecting the maxim that, on the Internet, nobody should know you’re a dog. To do this, you could ask each friend to answer the question ‘Are you a dog?’ in the following way. Each friend should flip a coin in secret, and answer the question truthfully if the coin came up heads; but, if the coin came up tails, that friend should always say ‘Yes’ regardless,” Úlfar Erlingsson, tech lead manager in security research at Google, wrote in a blog post explaining the new system.

“Then you could get a good estimate of the true count from the greater-than-half fraction of your friends that answered “Yes”. However, you still wouldn’t know which of your friends was a dog: each answer ‘Yes’ would most likely be due to that friend’s coin flip coming up tails.”
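As an added illustration (not from the post and not Google’s RAPPOR code), the following implements the dog survey above and inverts it to recover the count. It generalizes the post’s fair coin to a coin with an assumed bias `p_heads` (the post’s case is 0.5) and also computes how much a single “Yes” shifts the odds that one respondent is a dog.

```python
import math
import random


def randomized_answer(is_dog: bool, coin_heads: bool) -> bool:
    """Heads: answer truthfully. Tails: always answer 'Yes' (True)."""
    return is_dog if coin_heads else True


def estimate_dog_fraction(yes_fraction: float, p_heads: float = 0.5) -> float:
    """Invert the mechanism.

    P(Yes) = p_heads * p_dog + (1 - p_heads): every tails answer is 'Yes' and a
    heads answer is 'Yes' only for a dog. Solving for p_dog gives the estimator
    below; for a fair coin it reduces to 2 * yes_fraction - 1.
    """
    return (yes_fraction - (1.0 - p_heads)) / p_heads


def yes_likelihood_ratio(p_heads: float = 0.5) -> float:
    """How much one 'Yes' shifts the odds that the respondent is a dog.

    P(Yes | dog) = 1 and P(Yes | not dog) = 1 - p_heads, so a single 'Yes'
    multiplies the prior odds by at most 1 / (1 - p_heads): a factor of 2 for a
    fair coin, which is why an individual 'Yes' stays deniable. (A 'No', by
    contrast, can only come from a non-dog under this scheme, so the privacy
    protection is for the dogs.)
    """
    return 1.0 / (1.0 - p_heads)


def simulate(n_friends: int, true_dog_fraction: float,
             p_heads: float = 0.5, seed: int = 2014) -> dict:
    """Run the survey over a constructed population and compare estimate and truth."""
    rng = random.Random(seed)
    # Constructed population: the first round(n * fraction) friends are dogs.
    n_dogs = round(n_friends * true_dog_fraction)
    friends = [i < n_dogs for i in range(n_friends)]
    answers = [randomized_answer(is_dog, rng.random() < p_heads) for is_dog in friends]
    yes_fraction = sum(answers) / n_friends
    estimate = estimate_dog_fraction(yes_fraction, p_heads)
    # Standard error of the estimate: binomial noise in yes_fraction, scaled by 1/p_heads.
    std_error = math.sqrt(yes_fraction * (1 - yes_fraction) / n_friends) / p_heads
    return {"true": n_dogs / n_friends, "yes_fraction": yes_fraction,
            "estimate": estimate, "std_error": std_error}


if __name__ == "__main__":
    print(simulate(20000, 0.3))
```

The estimate is accurate for the population while each individual answer is covered by the coin; a smaller `p_heads` means more noise per respondent (more privacy) and a larger standard error for the same number of friends.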

Software vendors routinely collect data from users’ machines, typically in the form of crash reports or telemetry from things such as security products or browsers. Users typically need to opt into sending that kind of information, and there are some privacy concerns around sending it. Google’s system is designed to address some of these issues.

“In short, RAPPORs allow the forest of client data to be studied, without permitting the possibility of looking at individual trees. By applying randomized response in a novel manner, RAPPOR provides the mechanisms for such collection as well as for efficient, high-utility analysis of the collected data. In particular, RAPPOR permits statistics to be collected on the population of client-side strings with strong privacy guarantees for each client, and without linkability of their reports,” the Google authors wrote in an abstract for a paper submitted to the ACM Conference on Computer and Communications Security. 

Google has made RAPPOR available on GitHub as an open source project.

“Building on the concept of randomized response, RAPPOR enables learning statistics about the behavior of users’ software while guaranteeing client privacy. The guarantees of differential privacy, which are widely accepted as being the strongest form of privacy, have almost never been used in practice despite intense research in academia. RAPPOR introduces a practical method to achieve those guarantees,” Erlingsson wrote.

Article source: http://threatpost.com/google-working-on-tool-to-gather-stats-while-preserving-privacy/109119


Facebook Creates .Onion Site; Now Accessible Via Tor Network

Article source: http://threatpost.com/facebook-creates-onion-site-now-accessible-via-tor-network/109121


Sheheen, in Rock Hill, hammers Haley over SC data breach, DSS deaths


Article source: http://www.heraldonline.com/2014/10/29/6472740/sheheen-continues-to-hammer-haley.html


California Attorney General Releases 2014 Data Breach Report and …

Editor’s Note: The author thanks Jaysen Borja for his
contributions to this post.

On October 28, 2014, Attorney General Kamala Harris released the
second annual California Data Breach Report.  The report
detailed the nature and scope of data breach notifications that her
office received in 2013.  Her office has been analyzing
notifications of data breaches since 2012, when S.B. 24 amended the
state’s data breach notification law to require organizations
to submit copies of their breach notifications to the Attorney
General in any case in which the breach affects more than 500
California residents.  Notably, two of the five
recommendations made by the Attorney General in last year’s
report have already been signed into law. This year the Attorney
General issued 12 recommendations to companies in various
industries, and to the legislature, as to how to improve data
security practices and better protect California consumers.

The following is a summary of the report’s key findings and
the Attorney General’s recommendations based on those
findings.

Findings

Number of Data Breaches

The report notes that the Attorney General’s office received
167 data breach notifications in 2013, a 28 percent increase from
2012. The reported data breaches involved 18.5 million records of
California residents, a 600 percent increase in the number of
Californians whose records were affected.  However, the report
points out that a large portion of this increase is due to two
massive retailer breaches, including the Target breach –
which by itself affected 41 million customers, including 7.5
million Californians.

If these two massive retailer breaches are separated from the
rest of the data, the report notes that “the number of records
affected would have been [only] 3.5 million, a 35 percent increase
over 2012.”  These retailer breaches also account for the
significant disparity between the average number of affected
records in a breach and the noticeably lower median, 211,946 and
2,600, respectively.

Removing the two massive retailer breaches, the report notes
that the types of data breaches and the data breaches by industry
have remained “fairly consistent” over the past two
years.

Types of Data Breaches

The 167 reported data breaches in 2013 were classified into four
types: (1) Malware and Hacking, (2) Physical Theft and Loss, (3)
Errors, and (4) Misuse.  Slightly more than half of all
breaches in 2013 were caused by computer intrusions classified as
malware and hacking.  Physical Theft and Loss accounted for 26
percent of all breaches; Unintentional Errors accounted for 18
percent of breaches; and Misuse by insiders accounted for four
percent of breaches.  Although the California data breach
notification law only requires notification when “computerized
data” is at issue, 24 reported breaches involved paper
records, which accounted for eight percent of all breaches. The
distribution of breaches was roughly similar to the distribution of
breaches in 2012.

Social security numbers were involved in almost half of all data
breaches in 2013, making it “the most frequently compromised
data type.”  Given the relative value of Social Security
numbers to criminals, the relative frequency is not
surprising.  According to the report, the average
out-of-pocket costs “to a consumer who falls victim to the
fraudulent use of a credit card account is $63, debit card $170,
checking account $222 and Social Security number $289.”

Data Breaches by Industry

Data breaches by industry are divided into those reported by
sector: retail, finance and insurance, healthcare, professional
services; government, hospitality, education, and all others.

The retail industry reported 43 breaches, the largest number of
breaches with 26 percent of the total. These breaches involved 15.4
million records, or 84 percent of the total in 2013. However, the
two outlier retail breaches account for a substantial portion of
these figures. The report also noted that 84 percent of retail
industry breaches resulted from malware and hacking in 2012-2013,
whereas, for all other sectors, malware and hacking resulted in
only 36 percent of the breaches in 2012-2013.

Breaches in the healthcare industry represented only 25 breaches
in 2013, but these breaches involved 1.1 million records or six
percent of the total records breached in 2013. The majority of the
healthcare industry’s breaches, 70 percent, were attributable
to “lost or stolen hardware or portable media containing
encrypted data,” whereas this type of data breach accounted
for just 19 percent of total breaches in other sectors.

Readability of Notices

The report included a readability analysis that used the
Flesch-Kincaid Grade-Level index in Microsoft Word to analyze 70
randomly selected notices. The readability analysis yielded average
reading levels of 14 in 2012 and 13 in 2013. The college-level
readability of these notices may pose potential problems as the
report also noted that the average reading level in the U.S. is
equivalent to an eighth-grade level.

Recommendations

Past Recommendations

Two of the Attorney General’s recommendations from last
year’s report have already been signed into law. S.B. 46,
effective as of January 2014, added online account credentials to
the type of personal information that could trigger notice
requirements in the event of a security breach. A.B. 1710, which
will become effective in January 2015, includes provisions
regarding provision of identity theft prevention and mitigation
services in the event of certain kinds of security breaches (we
previously discussed A.B. 1710 and its potential implications here).

Current Recommendations

This year the Attorney General made 12 recommendations (the
first six are for the retail sector, one is for the healthcare
sector, three are for all other industry sectors, and the last two are
for the legislature).

Recommendations on Retail Sector Breaches and Payment Card
Data Protection

Recommendation 1 – Update point-of-sale terminals to
be chip-enabled and install software needed to operate this
technology.

The report explains that a chip-embedded card interacts with the
retailers’ terminal to authenticate the card, and can send
unique, one-time messages that change with each transaction. This
added layer of security makes chip-embedded cards less desirable
for thieves looking to make counterfeit cards. Chip technology is
used in more than 80 countries worldwide, including Canada, Mexico,
and Brazil, as well as countries in Europe and Asia. However, the
U.S. still utilizes an older magnetic stripe technology, which the
report finds is “static” because it merely stores account
number and information and cannot verify the authenticity of the
card being used.

Despite the U.S.’s reliance on the relatively antiquated and
unsafe magnetic stripe technology, the report notes that,
“[a]s of October 2015, the payment card networks (American
Express, Discover, MasterCard and Visa) will impose a liability
shift on retailers, so that if a chip card is used at a terminal
that is not chip-enabled, the retailer will be liable if the
resulting transaction is determined to have been counterfeit
fraud.” Though this shift to chip-enabled technology
represents a relatively safer and more secure move, it may also
pose problems for smaller retailers and users who do not have the
financial capacity to upgrade to these new systems.

Recommendation 2 – Utilize encryption, including
encrypting data from the point of capture until completion of
transaction authorization.

The report notes that encryption can be used to decrease a
retailer’s exposure from the time the data is captured until
transaction authorization is completed. The encryption process
involves transforming a card’s account data from a plain-text
format into a non-readable format. Decryption back into a readable
format is only possible with the cryptographic key generated by an
algorithm.

Recommendation 3 – Utilize tokenization in online and
mobile transactions.

As the report explains, tokenization involves replacing account
data with “a surrogate value, called a token, that is used
like a reference number and that has no exploitable meaning or
value.” This method differs from encryption in that
“tokens are generated randomly rather than [as in the case of
encryption] through a mathematically reversible algorithm.”
Because tokens are used as a replacement for the original account
information during a “transaction post-authorization,”
retailers can store tokens in their payment systems, rather
than sensitive account information. Tokenization “dramatically
decreas[es] the [account information’s] exposure throughout the
processing system,” by limiting the amount of cardholders’
account information that is stored in a retailer’s payment
system. The American National Standards Institute, the Payment Card
Industry Security Standards Council and EMVCO are working to
develop tokenization standards.
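To make the report’s distinction between tokens and encrypted values concrete, here is an added example (not from the report or any named standard) of a hypothetical token vault: the token is drawn from a CSPRNG rather than computed from the card number, so the retailer’s stored records contain nothing that can be reversed into account data. The token format and the test card number are assumptions.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test, used here only to reject malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault kept by the payment provider, not by the retailer.

    Tokens are random values from a CSPRNG, so there is no key or formula that
    turns a token back into the PAN (unlike encryption, which is reversible by
    anyone holding the key). The only way back is a lookup in this vault, which
    the retailer's own systems never hold.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            # Assumption: one stable token per card, so a retailer can match
            # refunds and repeat purchases without ever seeing the PAN.
            return self._pan_to_token[pan]
        while True:
            # Assumed format: 12 random digits plus the real last four (so
            # receipts stay readable). Candidates that pass Luhn are rejected so
            # a token can never be mistaken for, or used as, a real card number.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; unknown tokens raise KeyError."""
        return self._token_to_pan[token]


def retailer_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the retailer keeps after authorization: the token and the amount, never the PAN."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    rec = retailer_record(vault, "4111111111111111", 1999)  # constructed test number
    print(rec)                                   # token ends in 1111, no PAN stored
    print(vault.detokenize(rec["token"]))         # provider side: recovers the PAN
```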

Recommendation 4 – Give prompt notice of data breaches
to affected individuals without unreasonable delay.

Retailers should have a plan that allows them to detect and
respond to breaches of their system, and provide notification, as
required by law. The Attorney General reiterated that it takes the
issue of prompt notice very seriously, citing recent
enforcement action based on issues related to allegedly delayed
notification.

Recommendation 5 – Improve use of substitute
notice. 

When payment card data breaches occur, retailers may be
permitted to use substitute notice.  “Substitute notice
is permitted when a breach affects more than 500,000 persons,
individual notices would cost more than $250,000 or the breached
entity does not have sufficient contact information to send
individual notices.” Substitute notice under California law
requires: (1) “conspicuously posting a notice on the
business’s website,” (2) “notifying major statewide
media” and (3) “providing notice by
email where the business has an email address.” The report
advises that retailers and other users could take the following
measures to make substitute notice more effective:

  1. Making links to the notice conspicuous by putting them on the
    homepage of websites in a prominent location on the page and with a
    font size and color that contrasts with the background;
  2. Allowing the link and the notice page to remain up for a period
    of at least 30 days;
  3. Putting notices up “in the most expedient time
    possible” after discovering a breach and updating information
    as it becomes available. Updated information should include the
    time frame and the specific locations that exposed consumers to
    risk;
  4. Disclosing to affected consumers steps they can take to protect
    themselves from fraud, such as credit-monitoring services or
    security freezes in the event of breaches involving Social Security
    numbers.

Recommendation 6 – Cooperate with financial
institutions to protect debit cardholders.

Although debit cardholders may not be held liable for
fraudulent or unauthorized debit card transactions, the report finds
that they may not regain money taken from their accounts until
after the bank completes an investigation. Therefore, resolution of
the consumer’s claims is often based in part on the speed with
which the issuing bank acts. In its report, the Attorney General
recommends that “retailers acknowledge the particular impact
of a breach on debit cardholders and alert consumers to it in their
breach notice, letting them know that cancelling the card is the
safest thing to do.”

Recommendations for the Health Care Sector

Recommendation 7 – Use strong encryption on laptops,
portable devices, and even desktop computers.

In healthcare, 66 percent of breaches reported in 2012 and 2013
were attributable to stolen or lost hardware or digital media. In
nearly half of these breaches desktops and laptops were stolen
“not from employee’s homes or cars, but from the
workplace.” The report recommends “full disk strong
encryption, to the standard set by the National Institute of
Standards and Technology,” which the report finds is “an
affordable solution.”

Recommendations for All Industry Sectors

Recommendation 8 – Conduct annual risk assessments and
update privacy and security practices.

The report recommends privacy risk assessments, conducted on an
annual basis if not more frequently, to help prevent data breaches
by employees who handle consumers’ personal information. 
The report notes that “[n]early one fifth of the data breaches
reported resulted from employees or service providers
unintentionally doing the wrong thing: mailing documents with
Social Security numbers exposed, publicly posting sensitive
information online, sending mail or email to the wrong
place.”

Recommendation 9 – Protect personal information in
transit with strong encryption.

The report echoes a recommendation from last year’s report
– specifically, amending current California law to require
the use of encryption to protect personal information on portable
devices and media and in email. The report also recommends using
FIPS 197, developed by the National Institute of Standards and
Technology, which it refers to as “an appropriate encryption
standard” and approved for U.S. government organizations in
order to protect “higher risk information.”

Recommendation 10 – Improve the readability of breach
notices.

The report also reiterates another recommendation made in last
year’s report – to improve the readability of breach
notices. As previously noted, the average reading levels of
notifications in 2012 and 2013 were at college levels beyond the
average American’s reading level. The report recommends that
all industry sectors work with communication professionals to make
the language of notices more accessible and less legalistic, and
that notices use “shorter sentences, familiar words and
phrases, the active voice and a layout that supports
clarity.”

Legislative Recommendations

Recommendation 11 – Consider legislation to amend the
breach notice law to strengthen the substitute notice procedure,
clarify the roles and responsibilities of data owners and data
maintainers and require a final breach report to the Attorney
General.

Beyond the substitute notice recommendations discussed above, the
Attorney General proposed further legislative changes.

Data owners and licensees must notify potentially affected
individuals in the event of a breach, in “the most expedient
time possible and without unreasonable delay.” An organization
that merely maintains data must notify the data owner
“immediately upon discovery of a breach of the data
maintainer’s system.” However, the law does not provide
definitions to help clarify which organizations fall into which
categories. The report also notes that “the data owner … is
responsible for notifying data subjects, although the cost and
logistics of making the notification is often contractually imposed
by the owner on a maintainer, such as a service provider.” The
report predicts that in some cases the differences in obligations
between data owners and data maintainers may result in delayed
notification to consumers, as the two parties fight over each
other’s respective obligations. The report acknowledges that,
“clarifying the roles by defining the two terms in the law
would lead to more timely notification in such
circumstances.”

The report also recommends amending the law to require companies
to provide the Attorney General with “a final investigative
report upon completion of their internal investigation, including
corrective actions taken.” Such reports would give the Attorney
General’s office a better understanding of the breached
organization’s system vulnerabilities and the potential for
further breaches, ultimately allowing the office to make better
recommendations.

Recommendation 12 – Consider legislation to provide
funding to support system upgrades for small California
retailers.

The report notes that large retailers are well positioned to
upgrade their point-of-sale terminals and software to read
chip-embedded cards before October 2015, when payment card networks
are set to shift liability for fraudulent transactions to
retailers. However, this shift could be cost-prohibitive for
smaller businesses. Therefore, the report recommends that small
businesses receive financial assistance and support to upgrade
their systems to read chip-embedded cards and thereby protect not
only consumers, but their own livelihood as well.

Conclusion

Organizations should evaluate the recommendations of the
Attorney General regarding implementing appropriate technological
controls, including encryption, to help prevent future data
security breaches, particularly in the retail and health care
sectors.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Article source: http://www.mondaq.com/unitedstates/x/350900/data+protection/California+Attorney+General+Releases+2014+Data+Breach+Report+and+Recommendations+Finding+More+of+the+Same
