Most Notorious Data Breaches

February 26, 2021 at 8:00 am by Amanda Canale

From January to June 2019, it was reported that there were approximately 4,000 publicly disclosed data breaches, all of which had resulted in close to 4.1 billion compromised records. (That is half of the amount of people living on Earth!) In 2020, the rate of data breaches had decreased slightly, but studies show that there is no sign of them slowing down. While data breach tactics are constantly evolving, there are a multitude of ways a company or individual can prevent their most sensitive and confidential information from being stolen.

We’ve broken down some of the more infamous data breaches below and included best practices to ensure that your data stays protected.

U.S. Department of Veterans Affairs

In May 2006, the U.S. Department of Veterans Affairs found itself in hot water when it publicly announced that a data breach had compromised the records of 26.5 million veterans. Among the private and sensitive information that was stolen were names, dates of birth, and Social Security numbers, in addition to other personally identifiable information (PII), such as disability ratings.

The breach was caused by a Veterans Affairs data analyst who took a laptop and an external hard drive home from the office; the devices contained the unencrypted information of all 26.5 million affected veterans. The laptop and hard drive were then stolen from the analyst’s home during a burglary, which ultimately led to the breach.

While the department stated that there was no evidence that the stolen information had been used illegally, that is unfortunately not a risk one should be willing to take. It’s important to note that there is no statute of limitations on data breaches: just because the information wasn’t misused then doesn’t mean it won’t be misused in the future. Therefore, it is always safer to leave that sort of information at the office, or to have a secure system in place if it needs to be accessed remotely.

Exactis

Marketing and data aggregation firm Exactis suffered a major breach in 2018 when a database containing sensitive information on 340 million individuals was accidentally released to a publicly accessible server. The exposed data totaled about 2TB of information on not only American individuals but businesses as well. (Remember: one-tenth of the Library of Congress can fit on a 1TB drive. Now double that!)

This breach, luckily, did not contain individuals’ credit card information or Social Security numbers, but it did contain names, email addresses, phone numbers, and even the ages and genders of a person’s children. This aspect of the breach is especially important to mention because, even without financial or highly sensitive information, the data that was stolen can carry just as many negative consequences, since all of it is personally identifiable.

Having secured workspaces, servers, and data security protocols in place is just as vital to preventing a data breach as an in-house data destruction plan.


TRICARE

In 2011, military health program TRICARE announced that several of their computer tapes were stolen. The tapes in question were backup tapes of a military electronic health-record system that was in use from 1992 to 2011 and reportedly held the personal health information (PHI) of approximately 4.9 million subscribers.

The breach occurred when a TRICARE employee was tasked with transporting the tapes to an off-site storage facility as part of the company’s routine backup procedure, and the employee’s car was subsequently burglarized. While no financial information was held on the tapes, Social Security numbers, addresses and contact information, and even personal health data such as clinical notes, prescriptions, and laboratory tests were among the data stored.

While the military insurance carrier deemed the breach a low risk to the affected individuals, only some of the information had been encrypted, meaning that most of it would be fairly easy to pull from the tapes and use for illegal purposes.


A common denominator in the data breaches above is not only human error but also the mishandling of drives containing sensitive information while they are being stored and transported. We understand that destruction does not always happen immediately after the drives and data are deemed end-of-life. Businesses may not have the proper equipment in-house or the budget to outsource destruction, and it is for this reason in particular that we at SEM stress that precautions and protocols should be in place to securely store and protect all data once it reaches end-of-life.

Whether the company is a small business, government agency, or health insurance carrier, all information and data should be locked up in a secure location, regardless of its end-of-life status. Drives left in unlocked office desk drawers, easily accessible boxes, or even in your personal vehicle or home, whether encrypted or not, are vulnerable to hackers, thieves, and carelessness. We have more information on how to properly store your end-of-life data while awaiting destruction in this blog post.

When it comes to the destruction of data, it is always best practice to have an in-house destruction plan in place. At SEM, we have an array of high-quality, high-security NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to answer any questions you may have and help determine which machine will best meet your company’s or federally regulated destruction needs.

Data Privacy Day 2021

January 27, 2021 at 8:00 am by Amanda Canale

It may seem contradictory, but, even in the age of Big Media, millions of people are still uneducated on how to keep their information safe and uninformed about how it is being used or shared. This is where Data Privacy Day comes in. Data Privacy Day (DPD) is part of an international effort to heavily encourage people to not only comply with privacy laws and regulations, but to also educate people on how to protect and manage their personally identifiable information (PII).

Every year on 28 January, the National Cyber Security Alliance (NCSA) creates an engaging and informative campaign to raise awareness about data security and protection best practices, especially in regard to social networking. The campaign is targeted at anyone with an online presence of some sort, whether business or personal, and offers collaborative opportunities for various sectors, such as government, academia, privacy experts, and nonprofit organizations. This internationally recognized day was initially established in 2008 in North America as an extension of Data Protection Day in Europe, which dates back to 1981 and commemorates the first legally binding international treaty to recognize data privacy concerns.

In 2020, the world experienced what felt like an onslaught of events that directly disturbed people’s lives – environmental disasters, social justice movements, an economic downfall, a pandemic, and much more. Technology has astronomically advanced over the past year in order to keep up with the world as it changes, but what about data privacy? Have best practices been left behind for the sake of keeping up the pace?

This year’s theme for Data Privacy Day is Own Your Privacy. A 2019 Pew Research Center report stated that 84% of consumers want more control over how their data is being used.


Protect Your Data: At Home

When it comes to keeping our PII safe, it is crucial that we follow data security and privacy best practices as that information is extremely valuable to hackers and thieves. Information such as your IP address, purchase history, and location can offer hackers a wealth of knowledge as to your income, spending habits, card information, and where you live, for starters.

It helps to think of your personal information as being as valuable as the money in your bank account and wallet, simply because it really is. According to the IBM and Ponemon Institute report, the cost of an average data breach in 2020 is approximately $3.86 million. While most of these costs are from business reputation maintenance and regulatory fines, the costs can still add up when it’s your PII on the line. On an individual level, people can experience identity theft, monetary theft, changes in credit score, and much more, all of which can cost money and time to rectify. You wouldn’t willingly give up money from your personal wallet, so be sure not to do the same with your information.

As important as keeping that mentality is, it is just as crucial to keep track of where you find yourself willingly offering up your information; every time you are asked for your information (whether in a web form, email, mailing list, etc.), think about whether you can really trust the inquiry. While nobody thoroughly enjoys reading the fine print of terms and conditions, if data protection is your goal, as it should be, it is highly recommended that you do so. According to a 2019 Pew Research Center report, 74% of people rarely or never read a company’s policy before accepting it. By reading a company’s policy, people will have a much better understanding of whether the information in question is required or even relevant for the services the company is offering.

In addition to reading the fine print, it’s suggested that people routinely delete accounts and apps that they no longer use, update their applications, and manage their privacy settings. In just a few moments, you can completely update your privacy and security settings to your comfort level. The NCSA offers great resources on how to locate your privacy settings for online services and popular devices. This way, you remain mindful of your information’s worth, know what information you willingly give out, and are aware of each company’s policy and what information is actually necessary to provide.

For tips on how to keep your data safe while working from home, refer back to our previous blog, How to Properly Handle Information While Working From Home.


Protect Your Data: At Work

Data privacy and security best practices may vary between businesses and individuals, but they are just as important. As we get further and further into the digital age, hackers and thieves no longer need to breach a facility’s physical barrier in order to steal information. They can access all of your confidential information remotely through phishing, compromising cloud accounts, and other more advanced virtual methods. (Don’t forget about dumpster diving for hard drives, USB drives, and paper too!)

From January to June 2019 alone, there were over 3,800 publicly disclosed data breaches that resulted in 4.1 billion compromised records. Yes, four billion records compromised within a short, six-month time window. As discussed above, data breaches can cost upwards of millions of dollars in reputation maintenance and fees. The most expensive type of record is client PII, which can average out to about $146.00 per compromised record. Multiply that amount by the number of compromised records (keeping in mind that one single hard drive can store a LOT of data) and your company now has a burning hole in its pocket.

Businesses can keep their clients’ information safe by instilling secure processes for collecting and maintaining relevant information for legitimate purposes. The motto should always be, “if you collect it, protect it.” One of these processes can be researching and designing a privacy framework your company can use to help manage risk assessment, along with conducting routine assessments of your data collection practices. Keep up to date on privacy laws and records retention schedules so you know when your client and employee information will expire, and what laws and regulations apply to your specific business. Train and educate current and future employees about their own and your business’s obligations to protect personal or confidential information.

In addition to these methods, transparency about how you collect, use, and share consumer information is crucial. Be up front and honest with your clients, users, or consumers about what they can expect their information to be used for, and offer them settings that protect their information by default.

And last but not least, when your information-bearing media reaches end-of-life — whether hard drives, portable IT storage, or even paper — destroy it to prevent leaks that could happen for many years down the road.

You can find more information about the costs of data breaches by visiting our previous blog, Cost of a Data Breach vs. Hard Drive Crusher: How You Can Save Millions.

Records Retention Schedules: When Will Your Data Expire?

January 21, 2021 at 8:00 am by Amanda Canale

In the growing age of Big Media, it is imperative now more than ever that companies and organizations develop and maintain a Records Retention Policy, otherwise known as RRP. An RRP is a policy that defines a company or organization’s legal and compliance bookkeeping requirements. An RRP ensures that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient.

When establishing an RRP, there are several key questions to keep in mind. Who is responsible for overseeing the RRP? How long should records be retained? What type of records should be retained? What should we do with those records after the required retention period has passed?

Within any type of business, there are a multitude of records you’ll need to keep track of, from accounting and bank records to corporate and employee information, just to name a few. Just as the type of record may vary, so does the retention period. Let’s break down some of the more important record types and retention periods.

Accounting Records

It is a good rule of thumb to keep the majority of accounting records permanently. These records include income taxes, asset records, training manuals, general ledgers, and more. Patents and related papers, insurance claim documents, legal correspondence, and capital stock and bond documents require permanent retention, along with real property records such as deeds, bills of sale, and appraisals.

While the majority of accounting records should be kept permanently, there are some types that you can safely destroy after a period of seven years. These include electronic payment records, employee expense records, inventory listings, and timecards. These records are still crucial to your accounting team but do not need to be retained forever.

Employee Benefit and Personnel Records

When it comes to employee benefit and personnel records, the retention period can vary. Any financial statements, documents from the Internal Revenue Service (IRS), Department of Labor correspondence, and plan and trust agreements should all be kept permanently.

Normal employee personnel files, employment applications, and individual employee contracts should be kept on file for two to three years from the date of termination. Other personnel records, such as workers’ compensation and employment eligibility forms, can be kept for three to five years.

Insurance and Legal Records

Insurance records, such as accident reports and settled claims, fire inspection and safety reports, and expired insurance policies, should all be kept for seven years. It’s important to note that accident reports and settled claims should be kept for seven years from the date of the settlement, not from when the accident occurred. When it comes to legal documents, the retention period can vary. Records of expired contracts, leases, and employment agreements can be kept for seven years, but other documents, such as contracts and leases still in effect, meeting minutes, partnership agreements, and legal correspondence, should be kept permanently.

It is also important to keep in mind that records are not just paper documents but can consist of electronic documents and data as well. This includes, but is not limited to, word processing files, emails, databases, spreadsheets, and so forth. Any device on which files are stored, including optical media, flash drives, and HDDs or SSDs, is considered an electronic record and must follow the same RRP guidelines the corporation sets forth for the retention and disposal of paper documents.

The disposal of these records is just as important as retaining them. Having an appropriate shredder is crucial to ensuring that your data is not falling into the wrong hands.

Although the non-permanent records are no longer required to be kept in your possession, this does not mean that the information on those records has necessarily expired or become any less important. If records are disposed of in an unsecured manner and important corporate or employee information falls into dishonest hands, the results can be catastrophic for both the corporation and the employee. (You can read about the monetary consequences of data breaches here.)

In conclusion, establishing an RRP is a crucial step in ensuring that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient. Management of these records includes, but is not limited to, securing the information they contain, even upon disposal of those records. Records that no longer require retention should be destroyed by means of shredding, disintegration, or degaussing, whichever is appropriate for the storage method and the applicable industry regulatory requirement. Although it is not necessary for a corporation to maintain the same destruction requirements as a government facility, proper destruction should not be considered any less vital. As with any company or organization policy, an RRP relies on its employees to maintain and enforce it.

Data Privacy Day in a Consumer Driven Economy

January 22, 2020 at 7:47 pm by Flora Knolton

Data Privacy Day is an international effort celebrated every year on January 28th to generate awareness about the importance of respecting privacy, guarding data, and building trust. Data Privacy Day was established in 2008 in the USA and Canada as an extension of Data Protection Day in Europe. Data Privacy/Protection Day honors the signing of Convention 108 in 1981, which is the first legally binding international treaty to acknowledge data privacy concerns.


Consumers around the world are becoming more aware each year of how much their personal data is worth. Research conducted by the Lares Institute shows that 40% of consumers, particularly those with higher incomes, made buying decisions based upon privacy. In addition, 51% of consumers say that in the past two years they have been notified by a company or government agency that their personal information was lost or stolen as a result of one or more data breaches. The results of this study show how data loss can reduce shareholder value as well as customer loyalty.


Businesses are wise to be just as cautious as their consumer counterparts. Big organizations like Facebook and Amazon may be making the headlines when it comes to data breaches; however, 60% of small and mid-sized companies go out of business within six months of a cyber-attack. Attacks and breaches have increased exponentially within the last decade, and, as a result, we have seen an influx of data protection regulations around the world that require businesses to implement concrete data protection methods. In short, our rising digital economy has forced businesses to rethink their data security priorities and practices. Practicing data privacy is just as important as customer service, and, since the implementation of GDPR, is typically also a regulatory requirement. Below are a few ways companies can pursue data privacy preparation further.


If corporations are people too, they should empathize with consumers. Companies may gain advantages in customer retention if they focus on the needs of the individuals entrusting them with their data. Privacy is a hot marketing topic for the technology industry. However, marketing new privacy measures is no longer only a concern for tech companies in this digital economy. Companies that take precautionary efforts to protect their consumers’ data will outpace those competitors who have taken a passive approach.

Educate the consumer. Whether that be an employee or a customer, the end user is the best line of defense against an attack. Many federal statutes are already in place in industry-specific contexts, such as HIPAA, FCRA, FACTA, PCI DSS, the Privacy Act of 1974, etc. These laws attempt to protect an individual’s personally identifiable information (PII) by restricting a company from sharing information. Employees must know the proper data destruction method for specific PII to guarantee data won’t end up in the wrong hands. Outlining to the customer how their data will be destroyed by the organization after use will retain their loyalty. Whether it’s a solid-state drive (SSD) or a hard disk drive (HDD), failed, erased, or overwritten drives can still contain recoverable data. Regardless, advancements in computing create the ability to process vast amounts of information, and new challenges have emerged as our technology evolves.

Adopting an Acceptable Use Policy (AUP). Acceptable use policies outline when and how employees can use the business’s internet access. They set the stage for questions employees might have regarding the use of PII. These policies cover who needs access to PII, which regulations the company must follow, where the vulnerabilities in the company’s use of PII lie, and the rules and permissions company personnel must follow. Regardless of how the data is compromised or lost, or how small the company may be, fines are one of the largest — and most effective — known consequences for mishandling personal data. And let’s not forget that a breach of personal data can also result in severe damage to the brand’s reputation, loss of customer trust, employee dissatisfaction, and increased costs to recover from the aftermath of the breach. As an example, Health Net of the Northeast Inc. agreed to pay for two years of credit monitoring for 1.5 million members whose details were on a single lost hard drive.

Overall, by empathizing with the individuals at risk, organizations can gain perspective on their clients’ privacy, thus strengthening the bond needed to maintain that level of trust. It’s necessary to educate employees and users on how PII is controlled using a layer of technology that embodies practical data privacy practices. By enforcing Acceptable Use Policies within the company, organizations can lay the groundwork for how this layer of technology is used with respect to PII and who is permitted to handle it. While there are many other protective elements companies can use to reinforce data privacy, being mindful of these few can differentiate your business from competitors.