in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

October 2013 - Posts

  • Canada Data Breach Encryption: Region Of Peel Announces Patient Data Breach

    The US government shutdown has, among other things, prompted people to compare the USA with its neighbor to the north, Canada.  I bring this up because here's another thing that they do differently: data breach notifications...that are helpful!  Even more helpful would have been the use of medical data encryption like AlertBoot, but when that fails, you can still do right by your patients by being as informative as possible.

    SD Card Loss at the Center of Data Breach

    This is the first time I've run across a story where an SD card is at the heart of a data breach, but it's not unexpected.  They made their debut as affordable, easy-to-use storage media for prosumer digital cameras, and their use just kept spreading into other products.  Currently, SD cards have capacities of 32 GB for the standard SD cards, and 2 TB for the SDXC cards.

    And, with SD card ports routinely built into computers, it was a matter of time before these would fall under the spotlight of a medical data breach.  Which brings us back to the Region of Peel.

    According to a FAQ posted by the Region of Peel, 18,000 people who participated in the Peel Public Health's Healthy Babies Healthy Children program are now embroiled in a data breach.  It occurred when a bag was stolen from an employee's car (or possibly misplaced).  More details can be found here.

    Based on the information that was revealed, it looks like the customary information popular among identity thieves was not present, so affected patients should breathe a sigh of relief.  On the other hand, there is enough information for old-school cons.  You know, the kind that uses paper-based mail.  And, with 18,000 potential victims, just a 1% success rate translates into 180 future victims.

    Prompt Notification

    Not only did the Region of Peel provide details on when the breach occurred, what happened, how many people were affected, etc., they announced the breach on October 7.  The SD card was reported as missing on September 24.  It could have been missing since September 20.

    In other words, it took around 2.5 weeks from theft to public notification.  I don't think I've seen a turnaround this fast when it comes to medical data breaches from any US medical institutions.

    It's kind of nice when things work the way they're supposed to....

    Media Encryption

    When it comes to patient data encryption, there is this focus on dealing with the most obvious.  For example, in the US, there is a focus on installing PHI encryption software on laptops, which sometimes extends to USB sticks or external hard disk drives.

    Other media get the short end of the stick, though.  Or, more accurately, no stick at all.  For example, I've already noted the resistance against encrypting desktop computers.  This also tends to extend to backup tapes and "ultraportable" storage media like SD cards.  I think most people can understand, at the gut level, why this is so: encrypting such devices feels weird.  A little bit of overkill.  It's like when you've got secret service agents looking after the Queen's corgis.

    But, 2 TB of ePHI is 2 TB of ePHI, no matter what form it takes.  If you're willing to encrypt and secure a laptop because it's portable, but dispense with it for desktop computers (which as of late are pretty portable as well), how can you justify not encrypting backup tapes, external drives, and USB memory which are even more portable than laptops?

    This is why the AlertBoot solution doesn't just encrypt a laptop's disks.  It also allows the encryption of any external media that are connected to it.  Plus, it order to increase these devices' usefulness, the data on them can be accessed by any computers that are also encrypted with AlertBoot.

    It's sensible, it's smart, and it's included.  Oh, and by "included" I mean it's free with the AlertBoot FDE package.  When people are inventing all sorts of excuses that hamstring their own security efforts, it only makes sense to address the one area that's key.

    Related Articles and Sites:
    http://www.phiprivacy.net/region-of-peel-announces-breach/
    http://www.peelregion.ca/health/great-beginnings/breach-of-information-faq.htm

     

     
  • Data Breach Law: Presumption Of Harm In Data Breaches Could Be Law In California

    When it comes to data breaches and lawsuits, plaintiffs have been at a disadvantage.  The main issue is proving in court that plaintiffs suffered harm when their personal data was stolen.  Of course, the use of data encryption software, like AlertBoot and other information security measures, nearly eliminates the risk of such harm.  Not all companies have deployed information security tools in the workplace, however, resulting in class action suits against them when they suffer a data breach.

    An Amended Definition of Right to Privacy

    Companies have been lucky so far.  The courts have repeatedly held that in order to make plaintiffs whole, they must prove that there was a measurable harm.  The courts' position has led to creative lawsuits, such as accusing companies of breach of contract or false advertising, since most companies declare, in writing, that they're serious about customer data protection: all you have to do is visit their webpage and dig a bit.

    The loss of personal data in of itself, it turns out, is not considered to be harmful in the eyes of the court.  Well, that's about to change...possibly.  According to mondaq.com, California is "one step closer towards amending its Constitution to create a presumption of whenever personal data is shared without a consumer's express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits."

    The summary to the initiative reads thusly (oag.ca.gov):
    Defining the right of privacy to include the protection of "personally identifying information", including heath (sic) and financial information.  Establishes new standards for the collection of personally identifying information by government and commercial entities, including: (1) the presumption that personally identifying information is confidential and (2) the presumption that the unauthorized disclosure of personally identifying information harms the consumer.
    Mondaq.com also notes that "as a potential ballot initiative, this issue is not subject to review by lawmakers nor to the standard lobbying efforts of industry stakeholders. Instead, this aspect of the future of California privacy law rests firmly in the hands of her voters".

    In other words, companies must lobby voters directly if they do not want this initiative to become law.  I foresee an uphill battle for them and their lobbyists.  Although I won't deny that they can create very persuasive and imaginative campaigns, could they create a cogent argument against stronger privacy rights?  Especially when everyone is familiar with horror stories revolving around stolen IDs?  And the Snowden revelations?  And the general perception that businesses and corporations have been trying to screw over the everyday Joe?

    If the initiative becomes law, companies still have some breathing room.  The law won't be taking effect until January 2016 at the earliest.

    HIPAA Covered Entities Beware

    If the above becomes law, I can see a number of industries that will have to double their data protection efforts in California.  Chief among them is the medical industry.

    While medical organizations have begun to clean up their act, the truth is that they were forced to do so, a result of the updated HIPAA rules and the HHS/OCR's recent use of financial penalties for HIPAA breaches.  If these constitute a push towards better data security, the amendment to the Privacy Law would essentially represent a shove, as it would add a significant force in encouraging covered entities to step up their data security game.

    Currently, HIPAA does not make a provision for individuals bringing a private cause of action against covered entities (that is, affected patients can't file a civil suit directly founded on a medical data breach).  And affected individuals have a hard time proving they were harmed by a data breach, as previously mentioned.

    (This is not to say that they're not harmed by a data breach; after all, medical identity fraud is one of the biggest and fastest-growing areas of crime.  It's just that, with entities in every sector breaching the same type of data, it's hard to pinpoint where, how, and by whom a person was harmed.  Factor in that sometimes crimes tied to a data breach reveal themselves after a significant delay, and that sometimes the affected individuals don't even know they are victims because they're looking in the wrong place (or not looking at all, possibly because they were not notified of the breach), and...well, the "actionable harm" requirement favored by the courts can fall short.)

    By legally declaring that the breach of personal data is harmful, covered entities will face a significant problem.  For example, consider Sutter Health.  This California-based non-profit health system experienced a data breach in 2011.  The maximum penalty that can be handed out by OCR is $1.5 million, which is significant but won't sink them (the OCR has not made any announcements regarding the situation.  It could very well be that the OCR will find Sutter Health of having complied with HIPAA).

    Sutter Health is also currently facing lawsuits that range between $900 million and $4 billion.  As the law is currently written, chances are that Sutter will come out on top.

    But imagine what it would mean if the breach of personal information were legally classified as actionable harm today.  It should be sending shivers down CEOs' spines that do business in California.

    Also imagine the good that would come out of this: for example, it would put to rest the silly arguments that desktop computer encryption software is not required.  Please, someone enlighten me what's so magical about desktop PCs that they cannot be at the center of a data breach.

    I mean, Sutter Health is facing a $4 billion lawsuit because an unencrypted desktop computer was stolen from their offices.  Plus, desktop computers are listed multiple times as the reason for a data breach in the HHS Wall of Shame, proving that Sutter's breach is not a rarity.

    And yet, we've seen pushback from covered entities making the argument that desktops are an exception to the use of cryptographic tools.  I imagine that these arguments will fade away if the potential risk comes with eight zeroes or more.
    Related Articles and Sites:
    http://www.mondaq.com/unitedstates/x/266604/Data+Protection+Privacy/Opening+The+Flood+Gates+California+Voters+May+Create+Presumption+Of+Harm+In+Privacy+Breach+Cases
    http://www.databreaches.net/opening-the-flood-gates-california-voters-may-create-presumption-of-harm-in-privacy-breach-cases/
    https://oag.ca.gov/system/files/initiatives/pdfs/13-0008%20%2813-0008A1S%20%28Privacy%29%29.pdf

     

     
  • UK Personal Laptop Encryption: London Film Maker Asked Password By Unknown American

    A London-based film maker, Glenn Swift, was contacted out of the blue by an American looking for Swift's password.  Apparently, the American had bought Swift's laptop – a computer that the film maker had returned to the manufacturer because there were problems with it – and was being prompted for a password in order to log in.  The Guardian has labeled the incident as bizarre (and has recommended the use of laptop encryption, just like AlertBoot, to avoid becoming a victim).

    The thing is, the incidence is not bizarre.  Heck, it's not even a coincidence.  It's the law of large numbers: stuff like this is bound to happen when you consider how manufacturers operate.

    Insourcing – the UPS and Toshiba Example

    Everyone knows what outsourcing.  The loss of call center jobs to the orient has put outsourcing on everyone's lips.  Insourcing is...well, it's not exactly the opposite of outsourcing.  But it's close, I guess; it depends on how you're defining it.  Take this example from "The World is Flat" by Thomas Friedman (p. 168):
    Consider this: if you own a Toshiba laptop computer that is under warranty and it breaks and you call Toshiba to have it repaired, Toshiba will tell you to drop it off at UPS store and have it shipped to Toshiba and it will get repaired and then be shipped back to you.  But here's what they don't tell you: UPS doesn't just pick up and deliver your Toshiba laptop.  UPS actually repairs the computer in its own UPS-run workshop dedicated to computer and printer repairs at its Louisville hub.  (Ed.: I should note this is different from the current definition of "insourcing," which refers to bringing home the jobs that were previously outsourced overseas.)
    The situation is probably no different for the laptop Swift had purchased and returned, except it was an Acer.  In Swift's case, since the machine was returned, chances are the laptop was repaired and then put up for sale as a refurbished machine.  (Your guess is as good as mine on how the laptop ended up on eBay.)

    Anyhow, with many companies doing this; and seeing how technicians are human and prone to mistakes and oversight; and the market for laptop manufacturers is global, the law of large numbers just makes it a certainty that something like Swift's experience will pop up once in a while.  Nothing bizarre about it.  I mean, would you think it's bizarre that a frog with six legs was found close to a nuclear power plant that had a meltdown and spewed low levels of radioactive material into its surroundings?

    Insurance, Pandemics, Roulette, and Encryption

    What do the insurance business, the casino business, and the managed encryption business have in common?  The law of large numbers.

    Insurance companies are pretty good at divining the future.  For example, they don't know who among the people in their twenties will die in a car crash this year.  However, factor in a number of relevant parameters and they get a pretty good idea how many will out of a certain population.

    Likewise, the casinos don't really know who will win big or lose big.  However, the casinos know that the margins are built into the games and over the long run, they will be the big winners.  Granted, they'll have guests who will also win big... but that's also a side of the law of large numbers.

    And encryption....well, the law of large numbers applies in terms of data breaches.  Like the insurance industry, it's impossible to tell who will actually suffer a data breach.  However, the law of large numbers guarantees that someone is bound to have one each year – there are just too many companies out there that collect data, and even if they are armed to the teeth with data security software there's always bound to be a breach for one reason or another.

    For example, let's say that the odds of a laptop with sensitive data being stolen in any given year are 1 in 1,000 (I pulled out a number out of thin air).  Sounds like a tiny number, right?  But what if a company has 400 laptops to protect?  Does the 1 in 1,000 work in their favor?

    Beating the Odds

    What are the chances that you'll have a data breach in a given year if each individual laptop had a 1 in 1,000 chance of being stolen, and you had 400 laptops?  The answer is about 33% (or 330 in 1,000 for easier comparison).  It's less than half but it's a far cry from 1 in 1,000.

    How'd I get that number?  It doesn't matter how many laptops with sensitive data you lose – 1, 2, 10, or 100 laptops – since the loss of any number of laptops is a data breach.  So, you calculate the odds that you won't suffer a data breach – 999/1,000 raised to the power of 400 – and you get a 67% chance of being OK.

    Doesn't sound too bad, does it?  Let me put it in context for you: That's like playing Russian roulette with a revolver that has only three chambers, one of them loaded.  Or if you're a traditionalist, a six-shooter but with two bullets instead of one.

    Now, if you were to install full disk encryption on these 400 machines, the odds of each of them being stolen would still remain 1 in 1,000.  However, the odds of being embroiled in a data breach would be astronomically lower.
    Related Articles and Sites:
    http://www.theguardian.com/money/2013/sep/28/identity-theft-fears-faulty-laptop-resold

     

     
More Posts « Previous page