According to the study, on page 4, companies that notify victims too quickly may [in] (sic) fact incur higher costs. The most heated and public criticism levied against breaching organizations has always been the “why did you wait so long?” argument. The victims (typically consumers, that is, individuals) tend to get very upset with a breaching organization, claiming it took far too long to notify victims.

But the new report found that about 36 percent of participating organizations notified victims within one month, which was considered fast, and yet experienced a 12 percent rise in overall data breach cost. According to the study, “moving too quickly through the data breach process — especially during the detection, escalation and notification phases — may cause inefficiencies that raise total costs.”

Perhaps this goes to show that you can’t make everybody happy all the time. By taking the proper time to discover the details of a breach and respond carefully, organizations draw lots of fire from commentators near and far. But by acting too quickly, they raise their breach costs.

This also leads back to last week’s Tip, highlighting the significant value of key leadership during a data breach. No doubt that leadership and the response timetable go hand in hand.

The Independent Florida Alligator reports (and thanks to lyger on DataLossDB for the tip).

According the article, the laptop “held information about patients referred to the gastroenterology clinical services department over the last three years.” An employee had loaded the data onto a personal laptop for work-related purposes, but then, as Murphy would have it, that laptop was stolen.

The information included names, addresses, medical record numbers and about 650 Social Security Numbers.

Thankfully, Shands leaders “have launched system-wide encryption to prevent similar crime.”

The days of “a lump of coal in the stocking” are certainly over.

The HITECH Act of 2009, one intent of which was to add more teeth to data security requirements for healthcare information, included a provision in section 13402(e)(4) requiring the Secretary of the U.S. Department of Health and Human Services to post a list of data breaches of unsecured protected health information affecting 500 or more individuals.

We might call these the “mega-breaches” or, that is, at least the serious breaches that affect many people.

A couple of important details are worth noting, about the HITECH Act of 2009. First, if a breach affects fewer than 500 people in one state, a breaching organization does not have to contact the media (though one of the victims certainly might). The organization does have to contact each breached individual, however, to notify of the breach. Second, the rules apply to unencrypted PHI. Encrypting the data, as always, is mitigation of the risk and turns a “breach” into a “non-event.”

Encrypting data, such as with MyLaptopGPS’ FIPS-certified strong encryption for data-at-rest, is the key difference between a major PR disaster (and regulatory nightmare), and a sigh of relief.

And now for The Bad List (click to view at HHS’ website).

According to the report, the leadership of a CISO or equivalent position substantially reduces the overall cost of data breaches (page 4). The study indicates that companies who have an experienced “point person” to manage the response to a data breach experienced an astounding 50 percent reduction in data breach cost.

Who you have on your team could make a difference of millions of dollars in a single breach incident. Leadership in high-pressure or at least high-stakes circumstances is priceless. Just ask any major pro sports team.

Consider ahead of time what your business will do in the unfortunate event that you find yourself saddled with a data breach. Who will be in charge? What authority will he have? What experience in dealing with such cases does she have? What resources can he command?

Just as we continually beat the drum of “preparedness” from a technology standpoint, to avoid a breach altogether, we also must trumpet the tune of “preparedness” for a data breach response. And that begins with key leadership in that time of need.

Do you have it?

Interesting sound bytes:

• In fiscal year 2008, inventories of lost, stolen, and damaged equipment show that Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) combined to lose no fewer than 985 computers.
• Meanwhile, the lost, stolen and damaged report for ICE shows 13 vehicles classified as “lost” or “not found during physical inventory.”
• CBP’s total inventory (immediately below) of lost stolen and damaged equipment tallies 1,975 pieces at a total valuation of $7.5 million.
• CBP’s inventory also shows 235 night vision scopes classified as lost.
• Three computer switchers worth $92,354 each were lost.
• An “international harvester vehicle truck” valued at $116,349 apparently could not be located during physical inventory.

Be sure to read the full report.

That is, do you notify an employee that he is being let go, and then allow him to return to his desk?

If so, is he allowed to be there unsupervised? For how long?

The point here isn’t to bog down in the minutiae, but to consider what such a “former employee” might do when he was a “current employee” only moments earlier. If he’s logged into his computer, and into your servers or applications, perhaps he will inflict a tremendous amount of damage before leaving.

Most people aren’t that bold, or lack the “guts” to do it. Or, perhaps, they aren’t that vengeful.

But some are.

Furthermore, many employees who have been let go see no reason whatsoever not to take data with them, quite subtly. They may not trash your system on the way out, but they will gladly steal it.

In fact, The Ponemon Institute’s 2009 report “Jobs at Risk = Data at Risk” found that 61% of respondents who felt negatively about their employers took data while only 26% of those with a favorable view did. But of the 945 individuals surveyed, who were laid off, fired or quite their jobs in the past 12 months, 59% admitted to stealing company data and 67% used their former company’s confidential information to leverage a new job.

Company policies certainly vary, and depending upon the employee’s role and level of access, it can be quite difficult to sever ties. But be careful not to assume that the employee won’t take you for a ride on his way out.

It’s a good idea to supervise the employee as he cleans out his desk, then walk him to the parking lot. And if you have remote access into your company via the network, that must be handled before the employee even reaches the parking lot (such as while he’s cleaning out his desk or even while he’s in the meeting being let go).

It’s an ugly business, but must be handled prudently lest it turn worse for both the employer and the former employee later.

The Queens Chronicle reports that the information also included administrative decisions, medical evidence, and internal agency documents, along with the names and SSNs.

The administration is offering three years of credit protection to all the victims.

Often the question is “how?”

Yet, as today’s Tip highlights, many businesses just don’t get around to putting any controls in place at all.

security curmudgeon over at DataLossDB gives a handy reference to an article at the Las Vegas Sun, detailing rampant identity theft via stolen credit card numbers. Now we’ve all heard about these for years, but the article is very interesting as it details some of the methods used to swipe (pun intended) the numbers, including skimmers.

But notice the introductory case: when salespeople at a high-end fashion retailer weren’t ringing up customers, they were surfing the web–apparently right on the POS device! This happens all day long across America, and owners/supervisors galore are familiar with the irritation. But in this case an employee, who was, no doubt, checking her Facebook page (or maybe MyLaptopGPS’ new Facebook page?) and tootling around the web, managed to download a virus that included a keylogger.

The rest is history.

Employee behavior is perhaps one of the most dangerous threats a business faces–it’s the gateway to most actual threats. Take it seriously now, or take it seriously later, but rest assured you’ll have to take it seriously whether you’d like to or not.

The Gainesville Sun reports (thanks to kirniki at DataLoss DB for the tip) that 208,000 current and former subscribers of AvMed Health Plans are at risk due to the theft of a pair of laptop computers. The laptops contained names, addresses, phone numbers, Social Security Numbers, and protected health information of the subscribers and their dependents.

That’s nearly a quarter of a million people at risk of even more acute identity theft, including medical identity theft, and some of the victims may not even have been customers of AvMed (neither currently nor formerly).

AvMed is providing credit monitoring for the victims–for two years, not just one. It’s nice to see that.

Credit monitoring service providers continue to flourish as the breaches continue.

We’ve looked so far at data backup, the automation thereof, and the recoverability that’s essential. This week, consider a quick, broader look at infrastructure. If the lights went out, how would you operate? Folks in the Northeast are thinking about this, and even in the Midwest we’re all too familiar with ice storms and their power grid impacts.

It’s handy that just the other day, at an i2E event near us in Tulsa, Oklahoma, I met a pair of entrepreneurs from a “bunker” style vault data center, Titan Private Security Vault. They already have stories of millions of dollars saved when their clients–rather large enterprises in the region–were able to shift operations on a moment’s notice to a secondary location (TPSV) when the grid went dark. In one case, it was due to a major disruption in downtown Tulsa. In another case, it was a massive ice storm that made headlines across the nation.

Point is, these businesses had a plan in place that included secondary, leased workstations and infrastructure, allowing them to get payroll completed and handle other mission critical functions even when the rest of the city was dark.

It may be that this level of redundancy is beyond your budget. It may not be. Either way, thinking ahead to how you would keep a heartbeat going if the whole state lost electricity is a key part of a disaster recovery plan, or at least a “disaster aversion plan.”