BreachExchange mailing list archives

ka-CHING! Cyber crime notification costs a lot


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Jun 2014 20:21:47 -0600

http://www.portlanddailysun.me/index.php/businessx/local-business/12352-ka-ching-cyber-crime-notification-costs-a-lot

"Forty-seven states, the District of Columbia, Guam, Puerto Rico and the
Virgin Islands have enacted legislation requiring private or government
entities to notify individuals of security breaches of information
involving personally identifiable information," according to the National
Conference of State Legislatures. Those states include Maine and New
Hampshire. ka-CHING!

What is your company obligated to do in the event of an actual or suspected
breach? What is your company's liability for an unauthorized release of
information? Does insurance cover the cost of complying with the law and
managing your reputation? Welcome to cyber insurance.

What is a "breach?" According to Maine statute, "'Breach of the security of
the system' or 'security breach' means unauthorized acquisition, release or
use of an individual's computerized data that includes personal information
that compromises the security, confidentiality or integrity of personal
information of the individual maintained by a person." New Hampshire's
definitions are substantially the same. The law further defines personal
information as first name or initial and last name plus any one or more of
the following:

Social security number
Driver's license or state identification card
Account, credit card or debit card number that could be used without
additional identifying information, access codes or passwords
Account passwords or personal identification numbers or other access codes
Any information that would allow unauthorized people to assume another's
identity

In Maine, the law requiring notification pertains to two kinds of data
users: 1) third parties who store or broker data and 2) "any other person
who maintains computerized data that includes personal information." If you
or your company fall into one or the other category, these are the
highlights of Maine law requiring you to act as soon as you are aware of a
breach of personal information:

An investigation must be conducted to determine if the information has or
possibly could be used by an unauthorized person. (Ka-CHING!)
Any individual who is a Maine resident whose data has or may be compromised
must receive notice of the actual or possible misuse of their information.
(Ka-CHING!)
Notice must be given within 7 business days unless providing notice will
compromise a criminal investigation. (Ka-CHING!)
If the data in one breach involves more than 1,000 persons, you must notify
"consumer reporting agencies that compile and maintain files on consumers
on a nationwide basis." (e.g. credit reporting organizations). (Ka-CHING!)
The Maine Department of Professional and Financial Regulation and/or the
attorney general must also be notified. (Ka-CHING!)

The law uses terms such as "reasonably believed" and "reasonably possible",
which leaves a lot of room for interpretation and therefore the potential
for lengthy and expensive disputes. In addition to the cost of notification
and crisis management services (Ka-CHING!), the State of New Hampshire
allows equitable relief for actual damages paid to successful plaintiffs.
If the act is found to be intentional, relief must be no less than twice
but no more than three times the actual damages. (Ka-CHING)

In Maine, if timely notice is not provided to those affected, a fine of not
more than $500 per violation, up to a maximum of $2,500 for each day the
person is in violation may be imposed by the state (Ka-CHING!). When added
to the cost of compliance and settlements, the person or company that lost
their data can be looking at significant costs.

Industry analysts estimate that the cost associated with notifying
consumers can average $194 per record. So, having 10,000 records of current
and past customers would cost $1.94 million just for notification. The
probability of having a data breach is low though the numbers are growing.
As long as there is a market for data, thieves and hackers will be
motivated to steal it and not just from the big guys. The data breach at
Target, for example, originated with the hacking of a regional maintenance
vendor.

Here are five things to do now to avoid exposing your business to a data
breach and the loss of reputation that occurs with a breach:

Call your insurance agent to understand your cyber coverage limits and
exclusions.
Write, adopt and enforce data security procedures (e.g. use of personal
devices, password protection, data duplication, etc.)
Find a reputable firm to test your security systems and procedures then
implement their recommendations accordingly.
Give someone within your company authority and responsibility for data
security and enforcement.
Prepare a data breach and recovery plan so you know "who does what, to
whom, when" should a breach occur.

Whether you are an employer or employee, you have an obligation to your
customers and your business to protect your data and your reputation. So,
keep the ka-CHING in your own bottom line.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/