Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Welcome to the nexus of ethics, psychology, morality, technology, health care, and philosophy
Showing posts with label Password Security.

Wednesday, November 21, 2012

25 Tips to Prevent Data Breaches

By Sharon D. Nelson & John W. Simek
The Wisconsin Lawyer
Volume 85, No. 11, November 2012

Another day, another data breach. Data breaches have proliferated with amazing speed. Here is the roundup of some of the largest victims in 2011 alone: Tricare, Nemours, Epsilon, WordPress, Sony, HB Gary, TripAdvisor, Citigroup, NASA, Lockheed Martin, and RSA Security. Some mighty big names on that list.

Don't be lulled into thinking that law firms (large and small) aren't suffering data breaches just because they don't have millions of clients affected. On Nov. 1, 2009, the FBI issued an advisory, warning law firms that they were specifically being targeted by hackers. Rob Lee, an information security specialist who investigates data breaches for the security company Mandiant, estimated that 10 percent of his time in 2010 was spent investigating law firm data breaches.

(cut)


Top Practical Security Tips

1. Have a strong password – at least 12 characters. No matter how strong an eight-character password is, it can now be cracked in about two hours. A strong 12-character password takes roughly 17 years to crack. Much easier to hack someone else. Use a passphrase so you can remember the password: "Love ABATECHSHOW 2013!" is a perfect example.

2. Don't use the same password everywhere. If they crack you once, they've got you in other places, too.

3. Change your passwords regularly. This will foil anyone who has gotten your password.
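The crack-time figures in tip 1 depend entirely on how many guesses per second the attacker can make against a captured password hash. The following added example (not code from the Wisconsin Lawyer article) makes that calculation explicit: it works out the character classes a password draws from, the resulting search space in bits, and the worst-case time to exhaust that space at an assumed guess rate. The rate and the function names are the example's own assumptions, and the model is pure brute force against an offline hash; dictionary and pattern attacks crack short "leet-speak" passwords far faster than the keyspace suggests.

```python
"""Estimate the brute-force search space and worst-case crack time of a
password from its length and the character classes it uses.

Added example, not code from the Wisconsin Lawyer article. The guess rate
passed to crack_time_seconds is an assumption for illustration only.
"""
import math
import string

# Each class contributes its alphabet size; an exhaustive attacker must try
# every combination of the union of the classes the password draws from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",  # 32 punctuation marks plus space
}


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume for this password."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search must try."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst case: every candidate of this length and alphabet is tried."""
    return alphabet_size(password) ** len(password) / guesses_per_second


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """The article's rule (at least 12 characters) plus a class-mix margin."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


def format_seconds(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, length in (("years", 365 * 24 * 3600), ("days", 86400),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Assumed rate for a GPU cracking rig against a fast hash; not a measurement.
    RATE = 1e11
    for pw in ("Tr0ub4d!", "Love ABATECHSHOW 2013!"):
        print(f"{pw!r}: {len(pw)} chars, {keyspace_bits(pw):.0f} bits, "
              f"worst case {format_seconds(crack_time_seconds(pw, RATE))}, "
              f"policy ok={meets_policy(pw)}")
```

Lengthening from 8 to 12 characters over the full 95-character alphabet multiplies the search space by 95 to the fourth power, roughly 81 million, which is why the article's two figures differ by so many orders of magnitude; the absolute numbers shift with every new generation of cracking hardware, so the ratio is the durable lesson.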

The entire story is here.

Thanks to Ken Pope for this article.


Friday, September 16, 2011

New data spill shows risk of online health records


By Jordan Robertson
AP Technology Writer

Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see.

There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.

At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized.

Electronic records can lower costs, cut bureaucracy and ultimately save lives. The government is offering bonuses to early adopters and threatening penalties and cuts in payments to medical providers who refuse to change.

But there are not-so-hidden costs with modernization.

"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."

Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.

The personal data was discovered by Aaron Titus, a researcher with Identity Finder who then alerted Hecht's firm and The Associated Press. He found it through Internet searches, a common tactic for finding private information posted on unsecured sites.

The data were "available to anyone in the world with half a brain and access to Google," Titus says.

Titus says Hecht's company failed to use two basic techniques that could have protected the data — requiring a password and instructing search engines not to index the pages. He called the breach "likely a case of felony stupidity."
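The two missing controls Titus names map to concrete checks an administrator can run against their own site. The following is an added example, not code from the AP story or from the company it describes: it takes a recorded HTTP response (the responses and robots.txt below are constructed for illustration, not captured from any real site) and reports whether the resource refuses unauthenticated requests and whether it is marked noindex through an X-Robots-Tag header, a robots meta tag or a robots.txt rule. The class and function names are the example's own.

```python
"""Check whether a web resource demands authentication and whether it is
hidden from search-engine indexing, the two controls the article says were
missing. Added example, not code from the AP story. The sample responses
and robots.txt at the bottom are constructed, not captured from a real site.
"""
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class Response:
    status: int
    headers: dict  # header names are matched case-insensitively
    body: str = ""


class _RobotsMetaParser(HTMLParser):
    """Finds <meta name="robots" content="... noindex ..."> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            if "noindex" in a.get("content", "").lower():
                self.noindex = True


def _header(resp: Response, name: str) -> str:
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def requires_auth(resp: Response) -> bool:
    """True only if the unauthenticated request was refused outright."""
    return resp.status in (401, 403)


def noindex(resp: Response) -> bool:
    """True if the header or the HTML asks crawlers not to index the page."""
    if "noindex" in _header(resp, "X-Robots-Tag").lower():
        return True
    parser = _RobotsMetaParser()
    parser.feed(resp.body)
    return parser.noindex


def robots_disallows(robots_txt: str, path: str) -> bool:
    """True if a Disallow rule in the 'User-agent: *' group prefix-matches path.
    Deliberately crude (no Allow, wildcards or per-bot groups): a self-check."""
    in_star_group = False
    previous_was_agent = False
    rules = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not previous_was_agent:  # a new group starts here
                in_star_group = False
            in_star_group = in_star_group or value == "*"
        elif field == "disallow" and in_star_group and value:
            rules.append(value)
        previous_was_agent = field == "user-agent"
    return any(path.startswith(rule) for rule in rules)


def assess(resp: Response, robots_txt: str = "", path: str = "/") -> dict:
    """Summarise both controls. 'exposed' ignores the indexing flags on purpose:
    noindex and robots.txt only reduce discoverability, they do not deny access."""
    return {
        "requires_auth": requires_auth(resp),
        "hidden_from_search": noindex(resp) or robots_disallows(robots_txt, path),
        "exposed": resp.status == 200 and not requires_auth(resp),
    }


# Constructed sample data (not real traffic).
LEAKED = Response(200, {"Content-Type": "text/html"},
                  "<html><body>Claim file: SSN 000-00-0000</body></html>")
HIDDEN_BUT_OPEN = Response(200, {"X-Robots-Tag": "noindex, nofollow"},
                           "<html><body>Claim file</body></html>")
META_NOINDEX = Response(200, {}, '<html><head><meta name="robots" '
                                 'content="noindex"></head><body>x</body></html>')
PROTECTED = Response(401, {"WWW-Authenticate": 'Basic realm="staff"'})
ROBOTS = "User-agent: *\nDisallow: /records/  # staff only\n\nUser-agent: Googlebot\nDisallow: /\n"

if __name__ == "__main__":
    for name, resp in (("leaked", LEAKED), ("hidden_but_open", HIDDEN_BUT_OPEN),
                       ("protected", PROTECTED)):
        print(name, assess(resp, ROBOTS, "/records/claim.pdf"))
```

The verdict for the second sample is the one to watch: a page with noindex set is still reported as exposed, because a crawler directive is honoured only by well-behaved crawlers, and a robots.txt file is itself public and points anyone reading it at the paths worth probing. Only the authentication check changes the outcome.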

One of the patients affected was Paul Thompson, who learned of the breach from Titus.

The Sugarloaf, Calif., electrician blew out his shoulder four years ago on a job wiring up a multiplex movie theater. His insurance company denied his claim, which led to a protracted dispute. He eventually settled.

Thompson says his injury has been a "long, painful road."

Unable to afford surgery in the U.S. to fix his torn rotator cuff, he paid a medical tourism company that was supposed to schedule a cheaper procedure in Costa Rica. The company went bankrupt, however, and Thompson said he lost nearly $7,300.

To have his personal information exposed on top of that was a final indignity.

"I'm totally disgusted about everything," he said, calling the breach "another kick in the stomach."

Thompson is worried that hackers may have spotted his information online and tagged him for future financial scams. He contacted his bank and set up a fraud alert with the credit reporting agencies.

He says the prospect of all health records going electronic — which federal law mandates should happen by 2014 — "scares the living hell out of me."

When mistakes occur, the fallout can be more severe than the typical breach of email addresses or credit card numbers.

The rest of the story can be read here.

Monday, August 15, 2011

Ten Best: Preventing Privacy and Data Breaches
The antics of groups like Anonymous and LulzSec over the past few months have made data breaches seem inevitable. If information security vendors like HBGary and RSA Security aren't safe, what hope does an average SMB have? It is true that there is no silver bullet, and no impervious network security, but there are a variety of things IT admins can do to prevent network breaches and protect data and privacy better.

The Web safety and online identity protection experts at SafetyWeb.com and myID.com helped put together a list of ten different data and privacy breach scenarios, along with suggestions and best practices to avoid them.

1. Data Breach Resulting From Poor Networking Choices. Names like Cisco and Sun are synonymous with enterprise-level networking technologies used in large IT departments around the world. Small or medium businesses, however, generally lack the budget necessary for equipment like that. If an SMB has a network infrastructure at all, it may be built around networking hardware designed for consumer use. Some may forgo the use of routers altogether, plugging directly into the Internet. Business owners can improve network security and block most threats by using a quality router, like a Netgear or Buffalo brand router, and making sure to change the router password from the default.

2. Data Breach Resulting From Improper Shredding Practices. Dumpster diving identity thieves target businesses that throw out paperwork without shredding it. Most home shredders will suffice for small businesses in a pinch, but a commercial shredder is a wise investment if private information is printed and shredded daily. Make sure that documents with sensitive information or personally identifiable data are thoroughly shredded before disposal.

3. Tax Records Theft Around Tax Time. On a similar note, businesses need to pay extra attention to incoming and outgoing information related to taxes. Businesses must ensure that tax returns are dropped off at the post office and refunds are collected promptly from the mailbox. Identity thieves often steal tax returns from an outbox or mailbox.

4. Identity Theft Resulting From Public Databases. Individuals, especially business owners, often publish lots of information about themselves in public databases. It is a sort of catch-22 because a small business owner wants to maximize exposure while still protecting individual privacy. Businesses are registered with the county clerk, telephone numbers are in the phone book, many individuals have Facebook profiles with their address and date of birth. Many identity thieves can use information searchable publicly to construct a complete identity. SMBs need to think carefully about how and where to gain exposure for the business, and consider the consequences of sharing sensitive information publicly.

5. Identity Theft Resulting from Using a Personal Name Instead of Filing a DBA. Along those same lines, sole proprietors who do not take the time to file a Doing Business As application are at a far higher risk of identity theft because their personal name, rather than their business name, is published publicly.

The rest of the story is here.