Monday, May 14, 2012

Data Breach Warning of Lawsuits


Last Monday an article by Jay Singleton published in the Connecticut Law Tribune cast some very ominous warnings for every medical or financial organization across the country. Trial lawyers are setting their sights on you for the data you have and how well you protect it.

With medical organizations pressing to put patient records into electronic format, all it takes is one lost laptop or a single data security lapse and you become the focus of a number of law firms. One loss of personal information and any of the people whose information you held could take legal action against you. According to the federal Department of Health and Human Services, the personal medical data for more than 11 million people may have been exposed during the past two years.

Financial institutions already have similar problems. Attorney Michael A. Stratton, of New Haven’s Stratton Faxon, is involved in two class actions filed in New Haven seeking damages from banks accused of mishandling personal information of customers. One case involves the Bank of New York Mellon, which lost data tapes containing personal information for about 4.5 million people, including 500,000 customers of People’s United Bank of Bridgeport.

These lawsuits are in their early stages, and there are no clear examples of loss or damages to be presented. There are plaintiffs' lawyers who concede that valuation of these cases is still a big unknown. This does not mean that they will not search until they find it.

Health-related privacy cases as class actions are still untested territory, and attorneys believe new law will be made in the next few years. That means attorneys and the courts will be addressing these issues in the not too distant future. It would be best if your company or organization is not the test case for this type of new action.

IRS and TIGTA Testify on Identity Theft before Congress

Last week J. Russell George, the Treasury Inspector General for Tax Administration, and IRS Deputy Commissioner Steven Miller appeared before Congress to report on the issue of identity theft and tax fraud. George's testimony presented a laundry list of issues to the oversight committee.

The issues had to do with timely resolution; IRS and victim communications; process steps for victims' returns that are not a priority; and guidelines for identity theft cases that are inconsistent and incomplete. The biggest failing appears to be that the IRS does not use the data from identity theft cases to identify trends.

The issues that US citizens face when dealing with an identity theft tax problem are formidable, to say the least. I have for many years studied these problems from a variety of angles, seeking the best way to guide the victim through what is for them a nightmare. The best path is still not always clear because of the different parties involved in resolving the problem. The victim has the burden of proving that they are a victim. The IRS employee has the task of evaluating the statements and documents of the victim, trying to find the truth from the fiction that may be assumed facts, erroneous conclusions and just plain confusion on the part of the victim. It is all too easy for someone to jump to a wrong conclusion when trying to unravel the different elements of the case, which leads to mistakes by both the victim and the Government.

For more than ten years I worked with victims trying to create a path through the maze of issues that would put the victim and the Government on the same side. That has not come to pass yet. There are a number of ways to address the issues and then format the steps so that they work for both the victims and the IRS, but that will require both groups working together. For the past five years, I have wanted to sit down with the policy makers from the IRS to create a program that will help the victim of identity theft and cannot be gamed by the perpetrators.

To J. Russell George, the Treasury Inspector General for Tax Administration, and IRS Deputy Commissioner Steven Miller: I have been hoping to work with the IRS so you would not have to go before Congress and report the ugly state of the problem. The issue of identity theft will not be going away anytime soon. The stories in the press about the thieves playing the system are only the surface of what is really going on. There is no time like now to put an end to it.

Wednesday, May 2, 2012

Data In-Security in the Healthcare Industry


I am seeing more and more stories about the breaches in the healthcare industry. What I am not seeing is a strategic push to fix the problem. 

The Verizon breach report shows that most of the breaches are due to the human element. Hacktivists seemed to be responsible for about 58% of the documented attacks. Just 4% were attributed to insiders, which means that 1/3 of the breaches were due to the acts of cybercriminals. The report states that 97% of the breaches could have been avoided by simple “basic or intermediate” security controls, and that 69% of the attacks used malware for access. More than a little sad is the stat that 92% of the breaches were discovered by a third party. There is also the stat that 94% involved compromised servers. Couple that with the stat that 85% took more than two weeks to be discovered.

The additional information from the breach report paints a clear picture: most businesses have not started to make data security the priority it needs to be. You need to look at what the data is and how you need to use it. Then you design the system to protect it and you. Once the system is built and running, you test it and then retest it to make sure it works for what you need it to do. Then you monitor the system on a daily basis, looking for the clues that someone is trying to attack you.

It is not as hard as you might think, and I firmly believe it will be more cost effective to do than, say, paying for a breach of data.