When the retail shopping chain Target experienced a large-scale data breach in 2013, consumers and advocates alike flew into a near-panic mode. It was an eye-opening event, to be sure, and one that has been repeated with a number of other large retailers. While the end result was hundreds of millions of dollars in damage to the corporation, the plus side to it is consumers are more aware than ever about the potential for data breaches.

On the other hand, when the Anthem healthcare breach happened more recently, consumer outcry was far quieter even though healthcare data breaches stand to cause far more damage to citizens than a retail data breach. To understand why, you have to uncover what it is that cyber criminals get in a healthcare breach and what they can do with it. Many consumers are largely unfazed because their financial information wasn’t accessed, but there is a much larger problem they may now face.

In the famous Target data breach, hackers accessed the credit card and debit card information for an estimated 70 million to 110 million customers. Some of those individuals also had their names, addresses, email addresses, and phone numbers accessed. The damage a hacker can do with that information is still very serious, but the thieves would typically rely on tactics like phishing email campaigns, selling the information to spammers, or similar follow-on schemes.

So what can a hacker gain during a healthcare data breach? Your name, address, Social Security number, family members’ names and Social Security numbers, employer’s name, bank account numbers, and more.

According to a study by Kaiser-Permanente, there were around 1,000 medical data breaches between 2010 and 2013; 29 million individual health records are believed to have been accessed by criminals in those breaches. Five states—California, Florida, Illinois, New York, and Texas—accounted for more than one-third of all the medical breaches in the country.

But consumers still seem to respond more proactively to retail data breaches than to medical data breaches. If you receive a letter informing you that your credit card number was accessed by a cybercriminal, what do you do? You get a new credit card from your account issuer, and the old account number is useless. But how do you go about getting a new Social Security number if hackers access your medical information? You don’t.

A financial data breach is serious and must be acted upon immediately, but it’s vital to remember that a healthcare data breach is potentially even more serious. A hacker can use your identity for years to come once he gains access to that level of personally identifiable information.

There are steps you can take to minimize the potential for problems in a healthcare data breach, and most of it comes down to what you choose to share with your health care provider. On the required forms in the doctor’s office, are you using your physical address, or a post office box if you have one? Are you listing your Social Security number, even though it’s not required for medical treatment and is legally not to be used as an identification number? Are you providing the doctor’s office with a check (which contains your bank account number), or paying by credit card and then paying that off immediately?

While certain pieces of information are going to be included in your health insurance profile, the trail you leave behind in the provider’s office is a good place to start with preventing identity theft. By adopting an air of caution when it comes to your information, you can work to minimize the effects of a medical data breach.

Cyber insurance for your business might be worth the cost. It deserves a good look because it educates on reducing risk, helps when a breach happens and can be a competitive advantage.

In 2015, data breach events are once again on the rise. How your organization, regardless of size, efficiently and compliantly manages a breach incident response can be the difference between being the next headline news story or going out of business. As business owners and executives look for new ways to protect their business risks and branding, cyber insurance is receiving more consideration as a way to help you manage and respond, whether your data breach is caused by outside hackers, your own employees, or vendors, and whether it stems from malicious intent or the accidental release of information.

The use of cyber insurance communicates to clients, prospects and vendors that your business is serious about managing a data breach event and is committed to protecting customer and employee information.

Here are three tips to consider when reviewing the option of adding a cyber insurance policy:

  • Work with an insurance broker who understands cyber insurance. Such a broker can help educate your business on the different types of cyber insurance policies and validate the need for a cyber-insurance policy. A broker can also help you understand business interruption, legal liability, the costs to investigate a data breach, notifying victims, and defending or settling class-action lawsuits, including regulatory enforcement actions and fines.
  • Data breach assessment. Your business needs to evaluate its overall risk of experiencing a data breach and the type of data you collect, store and transmit. Here are some questions to ask when considering cyber insurance: What type of industry are you in? What is the type and volume of data that your company collects, uses, stores, and transfers? What is the prominence of your brand? Are your technology and information security and governance best practices up to date? Are mobile devices an integral part of your business? What is the total number of vendors and third-party contractors with access to your company’s sensitive data?
  • Learn about cyber policy exclusions and endorsements. Not all cyber insurance policies are created equal. Ask about retroactive coverage for “prior, unknown data breaches.” Ask about coverage that includes “loss of data” versus only “theft of data.” If your business acts as a vendor or third-party contractor for other businesses, ask about coverage that includes liability to your business clients.

The reality is, the challenges of a data breach event can include complex federal and state breach notification laws, and most small businesses lack the financial and human resources to respond. Cyber insurance can support your risk-management objectives.

Mark’s Most Important: Take a look at cyber insurance before your business is a data breach victim.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Merchants Information Solutions is a proud sponsor of and provides financial support to the ITRC. For more information on the ITRC’s financial support relationships please see our sponsorship policy.

Those of us in the identity theft, information security and related fields are always interested in the latest trends in data breaches. One such source of information is Verizon’s annual Data Breach Investigations Report (DBIR).

The DBIR gathers information from 70 different organizations that report on data breaches, including the Identity Theft Resource Center. The report then examines the data breaches that occurred throughout the past year and identifies trends in the field. Of course, the most important part of reading the report and learning about breaches of all sizes and types is that we can use this information to better help consumers and businesses protect themselves. This year’s DBIR held many findings that will help define who needs to be the most concerned about data breaches and how they can protect themselves.

Here are a few of those findings:

  • It is estimated that the financial loss from data breaches covered in the DBIR was $400 million. You read that right and, yes, it is a lot of money. It is large numbers like this that are prompting companies who have long avoided creating a data breach incident plan to do so. Companies, even small local businesses, are now being forced to look at how they are protecting the personally identifiable information (PII) of their clients. In addition, consumers themselves are realizing how much of a pain, and potential expense, it can be if they are not careful about who they let have control of their PII.
  • The ratio of internal to external threats remains relatively static. The DBIR shows that over the past five years of the study, the split between internal and external threats only varied by around 5%, with more than 80% of threats being external rather than internal. This information tells those interested in protecting against a data breach two things. First, you face a much higher risk from external threats than from internal threats. However, many entities are completely unprepared for an internal threat, which leaves them at risk of an attack from an employee who may be disgruntled or who is being paid for their intrusion. Businesses must look at both risks to ensure they are protected.
  • One hour is all it took for nearly 50% of the recipients to open an email and click on phishing links. In a test performed with their partner security firms, Verizon set up an experiment to see how quickly a phishing attack would spread and, therefore, how long a company or individual has to respond to this type of attack. The fact that almost half of the phishing emails were opened within an hour of being sent is bad news: it means a faster spread rate and a larger breach. There is a reason the name “virus” was given to malware that behaves this way: it spreads from one victim to the next, making an exponential mess for anyone trying to stop it. The DBIR does note, though, that the best way to stop phishing attacks and protect against them is education and awareness, which can be easily undertaken.

The DBIR continues to remind us that data breaches are something everyone must be concerned about. The constant adaptation of criminals to get past security measures and to exploit new technology will ensure that businesses and consumers will not soon be free of the fear of data breaches.

The cybersecurity and data protection industries are still reeling from the shell-shock that was 2014. With the highest number of data breaches in a single year, last year was an eye-opener for business leaders and consumers alike. While the industry still sorts through how these record-setting events happened and what we can do to prevent 2015 from playing out the same way, there are a few key takeaways that we can already identify.

One of the chief causes of data breaches is what’s known as an internal data breach. Internal data breaches, as the name implies, occur when a company employee opens the business up to a hacking event or data leak, and they fall into two categories: intentional and accidental.

In an intentional internal data breach, an employee, vendor, or third-party contractor purposefully accesses customer or employee data with the intent to use it. This could be checking out their co-workers’ Social Security numbers and birth dates, accessing client credit card numbers, or any number of other scenarios that lead to the theft of personally identifiable information. Typically, a thief in this instance either uses the information personally to open financial accounts or commit tax refund fraud, or sells the list of information to a thief who will pay good money for it.

There have been a lot of these cases in recent months. Every type of thief, from elementary school cafeteria workers to a fraud ring that targeted deployed soldiers and impoverished children, has been guilty of this type of crime. Unfortunately, it’s a crime of convenience, especially in any field that gathers and stores lots of excess information on individuals.

An equally detrimental though somewhat less malicious type of data breach is the accidental breach. While it still involves an employee of a company who makes large stores of personal information available to a criminal, in this case the employee may only be guilty of poor judgment or of failing to follow company policy. An accidental breach occurs when an employee does something that results in exposing information to a hacker, such as clicking on a malicious link in a phishing email, downloading harmful software to the network by mistake, or losing a company laptop or flash drive that contained sensitive information, among other things.

Unfortunately, whether the employee intended to expose the company to thieves or not is irrelevant, as the outcome can be the same. The infamous Target data breach that affected over 100 million consumers has been traced back to a third-party contractor whose employee clicked on a phishing email, thereby downloading harmful software that infiltrated Target’s POS system. That employee certainly didn’t mean to cause one of the largest data breaches to date, but that is what happened.

So what can you do about this type of data breach, especially when you consider that one involves someone who is determined to nab personal information and the other involves someone who seemingly doesn’t care enough to protect it?

There are a number of steps businesses can take, including ensuring that employees don’t have unrestricted access to information. You can also ensure that your business (or the companies you patronize, if you’re a consumer) doesn’t gather more information than needed, or store that information on unsecured technology or networks. Employers can present their staff with clear policies for computer and technology use, as well as present and enforce the consequences for violating those policies.

Consumers beware: you have more medical-related issues to be worried about, but a trip to the doctor or ER won’t cure them as the healthcare industry continues to be plagued by information security breaches.

Anthem Healthcare reported last week that approximately 80 million customer and employee records were stolen.

Last April I referenced the increase in medical ID theft and expressed concern about this lucrative cyber criminal business.

Here we are less than a year later and things are even worse, as healthcare has become one of the most valuable targets for cyber criminals due to the wealth of exploitable information in our medical records.

Since that column, there have been 79 additional healthcare related data breach events according to the Privacy Rights Clearinghouse; approximately 1.5 healthcare data breaches each week on average!

Anthem — provider of health insurance to nearly 10 percent of all Americans — reported that 80 million records were taken including names, birthdays, medical identification numbers, Social Security Numbers, street addresses, e-mail addresses, employment, and income information.

Now consider the financial value of these medical records and you’ll see the motivation. Stolen medical and healthcare records are the “Rolls Royce” of stolen data, with a black market value of approximately $200 per record as evidenced in hacker forums. As a comparison, our credit card records have become essentially a commodity and sell for about $1 per record.

ID theft criminals fraudulently use our stolen information for financial gain or to obtain services at hospitals, emergency rooms, doctors’ offices, and pharmacies, resulting in fraudulent charges and potentially deadly corruption of our medical records.

To make matters worse “phishers and phone fraudsters are capitalizing on the public concern over the Anthem data breach,” explained Brian Krebs, a nationally recognized security expert.

Krebs reported that, “the flood of phishing scams was unleashed just hours after Anthem announced publicly their data breach.”

Anthem said that “all impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.” Phishers took that as an invitation to blast out variations of phishing scams that spoof Anthem and offer recipients a free year’s worth of credit monitoring services if they click the embedded link.

I encourage the healthcare industry to take a hard look at their information security and governance best practices. The Identity Theft Resource Center reported 42 percent of data breaches were related to healthcare last year and the Ponemon Institute found that data breaches in healthcare are costing $5.6 billion annually.

I also encourage all of you, whether you are an Anthem customer or not, to review all of your medical bills, Medicare summary notices, and explanation of benefits statements, and to regularly review your credit reports (by going to www.annualcreditreport.com) to help protect yourselves from medical identity theft.

Mark’s Most Important: Stay informed about your healthcare records and all related documents to avoid having to cure a big medical ID theft problem.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

When it comes to keeping up with your digital information, you have options besides just taking up precious space on your computer with old files. Whether you’re storing precious family photos, videos of your kids, or more important documents like business files or tax information or scanned copies of your will, you want your data to be safe and secure but still easily accessible.

Two of the most common forms of storing individual user content are an external hard drive and a cloud-based storage subscription. You might have heard terms like “backup drive” or storing your photos “in the cloud,” and these refer to the same two options.

An external hard drive is a device that plugs into your computer (typically via a USB cable) and acts just like a file cabinet for your computer. Just like you would transfer a document or a picture from one folder to another on your computer, you would transfer those same pieces of content to this other drive for safe keeping.

One of the best things about an external hard drive is the fact that you can disconnect the drive with a simple click of the mouse and then unplug the cable. If a hacker were to dig around in your computer via a remote connection, trojan, malware, or virus, your sensitive content would be safely tucked away on this hard drive and not accessible as long as the cable wasn’t connected. This is especially handy if you use a laptop computer, for two reasons: first, you’re not filling up your laptop’s limited storage space with old pictures, and second, you’re not carrying around all of your personal content every time you take your laptop somewhere. It would be a shame if your digitized wedding video disappeared because your laptop was lost or stolen.

Unfortunately, external hard drives are just as vulnerable to physical threats as any other form of technology. If the drive is stolen during a break-in, permanently damaged by heat or water due to a house fire or flood, or any other of a number of scenarios, then your content is gone.

This is why cloud-based storage is growing in popularity. In a cloud storage situation, you would contract with a company that offers this storage solution and pay a monthly fee to use their secure servers. You would upload your content to your own personal, private account, just like you would if you were transferring it to an external hard drive. Besides the benefit of knowing your content is secure in a location far from home—keeping it away from burglars and house fires—you can access it anywhere from your laptop or portable device by logging in over an internet connection. You don’t have to worry that you left an important document at home on your hard drive, because you can simply connect and call it up.

However, there have been widespread, justified fears about the security of cloud-based storage, especially in light of the growing numbers of data breaches and hacking events. So which solution is right for you?

That depends on what you’re storing. If you need constant, on-the-go access to your content, then a cloud-based server option may be better for you. If you’re simply storing photos, mementos, and your old tax returns, you might be better off with an external hard drive; you can even secure the hard drive in a fire safe in your home when you’re not using it, just to give it a little extra security from theft or damage. Do remember that the lower-end monthly costs associated with a storage subscription for approximately four years can be about the same as purchasing a top-of-the-line hard drive outright, so don’t let the price tag make this decision for you.

2014 was a record year for data breaches, but not in a good way. There were more reports of internal and external data breaches affecting everything from major corporations to small mom-and-pop operations. Of course, it wasn’t only businesses that were affected, as consumers reported high numbers of identity thefts as well.

This month’s Twitter chat (#IDTheftChat) will go into greater detail about what went wrong, and how it affects both businesses and consumers. Co-hosted by @IDT911, we’ll hear from experts who will weigh in on how we can all work to reverse these numbers in the coming year.

Join us on Thursday, February 5th, at 2pm ET for this chat by following the #IDTheftChat hashtag on Twitter. Simply log into your account and search for the hashtag to read the updates, and be sure to add the hashtag to your own tweets in order to participate.

Some of the questions that we’ll be addressing during the chat include:

  1. What is a data breach? Do you think all breaches are the same?
  2. What is the difference between a data breach and identity theft?
  3. After receiving a data breach notification letter, what should consumers do?
  4. Data breaches have occurred with such regularity that we’re becoming desensitized. Should we still be concerned?
  5. How can you protect yourself from identity theft if data has been compromised in a breach?
  6. How many types of ID theft can you name?
  7. Have you been a victim of a breach? If so, what did you do?
  8. Do you think companies are adequately protecting private info?
  9. What should companies communicate to consumers to assure them their info is kept private?
  10. Are you scared of a cyber-attack, similar to the Sony hack?

In order to participate in this informative event on February 5th, you may join the #IDTheftChat TweetChat room by going to http://tweetchat.com/room/IDTheftChat after signing into your Twitter account. Be sure to type “#IDTheftChat” at the end of each of your tweets so that others may see your comments and questions, and search for that hashtag to read all of the information on the topic of data breaches.

Be sure to also follow the Identity Theft Resource Center (@ITRCSD) and IDT911 (@IDT911) for great information that will help you protect yourself and your loved ones throughout the year.

We all have important documents that we need to have handy, but that we really need a thief not to find. This leads people to weigh renting a safe deposit box through a bank against purchasing an in-home safe. But there are pros and cons to both fire safes for your home and safe deposit boxes offered through your bank.

  • Fire Safe: A fire safe is a one-time expense, often comparable to the cost of only one year of safe deposit box rental. It can be mounted to the floor to make it harder for a burglar to make off with, and can easily be locked by a key or combination, depending on the model you choose. These boxes can protect the contents from theft, fire, and water, but are not completely secure against those threats.
  • Safe Deposit Box: A bank’s safe deposit box is secured in a bank vault under double lock, and access usually requires a photo ID. The box itself is under certain legal protections, such as preventing others from accessing it upon your death. The vault itself offers a stronger measure of protection than a portable box in your home, but requires you to go to the bank to retrieve your contents.

There are some things to remember about both options. A fire safe is fire and water resistant, not proof, unless you purchase models made specifically to withstand those elements. Extreme heat from an extensive house fire can melt contents inside the safe, especially digital contents that you store on a USB drive or other media. Water from putting out the fire can also soak the contents inside, unless you opt for a more expensive, fully waterproof model. Remember, if you choose to use a home safe, be sure to store it on the first floor of your home since it can be very dangerous to the firefighters below if the floor that supports it is damaged.

Safe deposit boxes tend to be less convenient since they can only be accessed during bank hours. Upon the box holder’s death, the contents are inaccessible unless the will states who is to have access, and even then that access is only available once the will is probated. One other factor that people often overlook is natural disaster; if your town is affected by a hurricane, flood, tornado, or other widespread damaging event, the bank may be just as vulnerable as your home and your contents can be impacted.

Some sources recommend considering both options, instead of either-or. A small fire safe in your home can offer a layer of protection for the documents and valuables you need to access routinely, such as a will, jewelry that you plan to wear from time to time, Social Security cards, and insurance papers. A safe deposit box would be ideal for items you don’t need to access on a regular basis but that you need to protect, such as your car title, your diploma, your life insurance papers, your marriage certificate, and digital copies of special mementos like a wedding photo, some baby pictures, or more. If you have valuable jewelry that you don’t plan to wear, it might be better to store it for safe keeping in a place off-site.

For documentation, you might also consider scanning the documents and uploading them to a cloud-based storage option. That way, your originals can be stored in either a fire safe or a safe deposit box, while you can access copies of them from a computer.

However you plan to secure your valuables and documents, the most important thing is building the habit of protecting them. If you leave your Social Security card lying in a drawer where a burglar can find it because you didn’t have time to take it to your bank, or you leave the key to your home safe hanging on a bulletin board in your kitchen, that could lead to bigger problems than just the loss of some household items. Decide how you’re going to protect yourself by understanding how you’re most likely to practice these security measures.

Every business or organization, large and small, has a responsibility to protect employee and customer information, and the centerpiece of that protection should be an information governance plan.

Businesses that have not yet developed their 2015 governance plan are taking a big risk because without an effective plan that has specified policies, protocols and processes, the business is almost inviting identity theft and data-breach exposures.

Your business creates, collects and stores new information every day. E-mail is one example, and the content of your e-mail is a big target for hackers and identity theft criminals.

The risk of your personal or business e-mail accounts being hacked is high, but the risk of all your data — such as employee, bank-account or health-care information — being stolen is even higher.

Information security and governance are problems that continue to challenge every size of business, as evidenced by data breaches making headlines.

So, what’s the answer? All of your data needs to be managed, and it needs to be secure. And it needs to be managed and secured by every employee and vendor that has access to your business information.

This can be done by “creating and implementing an annual information governance plan that establishes policies and procedures to ensure a company’s proprietary and sensitive information are protected from both cyber and physical loss,” according to Michael O’Shaughnessy, president of Guardian Pro, a Phoenix-based data governance company.

According to O’Shaughnessy, every small business should consider the following six components in their information governance plan:

— Cyber and physical security.

— Employee and contractor training.

— Procedural policy.

— Equipment and technology policy.

— Human-resource policy.

— Marketplace threat level.

Your written information governance plan should be reviewed and signed on an annual basis by every company employee (regardless of the size of the organization) to document and support your information security and governance best practices.

In talking with many small-business owners at speaking engagements or one-on-one, I see a significant gap between how small businesses protect their employee and customer data and the actions they take, such as creating and implementing an information governance plan.

The costs of cybercrime and data breaches are doing serious damage to both the public and private sectors. Small businesses need to know and understand how to respond to state and federal breach notification laws and how to communicate with affected individuals, including their employees and customers.

Your information governance plan will help your business accomplish this while minimizing the potential for identity theft to your employees and customers.

Approximately 19.6 million Americans are employed by companies with fewer than 20 employees, and small businesses are at a greater risk of experiencing a data breach.

Mark’s Most Important: Your small business needs to complete and implement an information governance plan with a focus on employee education to ensure the enduring success of your business.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Since the Identity Theft Resource Center first began tracking reports of data breaches, there have been more than 5,000 – and a record-high number of breaches, 784, occurred in 2014 alone. Of these events, the highest percentage at 42.5% were medical and healthcare breaches.

In 2014, 33% of data breaches occurred in the business sector, 11.7% of breaches involved the government or military, educational institution breaches accounted for 7.3%, and the financial industry accounted for 5.5% of breaches.

The overwhelming majority of these data breaches were accomplished through hacking, in which criminals gained access to sensitive content over the network from outside the organization. A concept known as “data on the move,” which refers to sensitive information stored on portable technology like flash drives, laptops, and even smartphones, accounted for the second highest number of breaches, when that technology was lost or otherwise compromised. Internal breaches, in which an employee or third-party contractor accessed sensitive data without permission, were the third highest cause of leaks.

“The ubiquitous nature of data breaches has left some consumers and businesses in a state of fatigue and denial about the serious nature of this issue,” said Eva Velasquez, president and CEO of the ITRC. “While not all breaches will result in identity theft or other crimes, the fact that information is consistently being compromised increases the odds that individuals will have to deal with the fall out. The ITRC data breach reports are a necessary educational tool for businesses, government and advocates alike in our communication efforts.”

“It is important to note that the 5,000 breach milestone only encompasses those reported – many breaches fly under the radar each day because there are many institutions that prefer to avoid the financial dislocation, liability and loss of goodwill that comes with disclosure and notification,” said Adam Levin, founder and chairman of IDT911. “Additionally, not all businesses are required to report they’ve had a breach for a variety of reasons, which means the number of breaches and records affected is realistically much higher.”

The Identity Theft Resource Center uses this information to work towards better consumer protection, and to raise public awareness on the need for better personal data security. With a clearer picture of the cybercrime landscape, the ITRC can continue its mission of offering free assistance to consumers who’ve been affected by a data breach of some kind, as well as keep law enforcement and the IT sector up to date on the latest activities and vulnerabilities related to this type of crime.

The year-end report was unveiled at nearly the same time that the Obama administration announced its plan for cybersecurity legislation that would relieve companies that had voluntarily cooperated with the government’s cybersecurity information sharing initiatives of some of the liability following an attack.

To look back at ITRC records from 2005 to 2014, see the Data Breach section of the ITRC website, supported by IDT911.