Network World’s Carolyn Duffy rounded up the worst Internet privacy scandals of all time. While there were many memorable, painful breaches in recent years, the one we definitely feel is up there among the top “worst” was last March’s HealthNet breach:

8. Patient data exposed

In March 2011, California-based insurer HealthNet announced a privacy breach for nearly 2 million of its customers, exposing their names, addresses, Social Security numbers, health and financial data. The data were unencrypted and stored on hard drives that have gone missing from contractor IBM’s data centre. A nationwide class action suit was filed against HealthNet and IBM as a result of this incident. It was HealthNet’s second big data breach in two years, having lost the Social Security numbers of 1.5 million policyholders stored on a hard drive in 2009.

HealthNet isn’t the only healthcare provider to lose private medical data or inadvertently post it online. The US Department of Health and Human Services says personal medical data for more than 11 million people have been exposed online in the last two years.

Loss of private data is continuing to plague the healthcare industry and according to a study conducted by the Poneman Institute, breaches have risen by 32 percent.

Three leading causes of data breaches in health care are lost or stolen equipment, errors by third parties and employee mistakes. In fact, sloppy mistakes by employees have led to many data breach increases, according to 41 percent of respondents.

Data breaches have cost the health care industry an average of $6.5 billion annually since 2010. With that money, the industry would have been able to hire 81,250 nurses nationwide, the Ponemon Institute reports.

This is extremely unsettling when it’s put that way. If healthcare organizatons took a simple step, they would literally eliminate costly risks that could have life-saving results. What a waste.

According to ZDNet, here are a few highlights:

One regulation, less fragmentation
The current Data Protection Directive had to be implemented into the legal system of Europe’s 27 member states. This led to all countries having the same framework, but some legal systems having stronger and more protective rules than others. Germany’s data protection laws have the same elements as every other European country, but are far stricter than the ‘lenient’ UK’s laws, as an example.

The new Data Protection Regulation is a ‘one-size-fits-all’ legal instrument, and removes the need for member states to interpret the laws. It also makes way for better cross-border data transfers between European countries, and will save around €2.3 billion ($3.1bn) each year in ‘administrative’ costs.

The new Criminal Justice Directive will cover all matters pertaining to law enforcement, investigation, detection, or prosecution of criminal offences.

Right to be forgotten
This one is a tricky one, and details are still yet to be finalised. This ‘pet project’ of the European Justice Commissioner, Viviane Reding, will in effect allow European users to wipe their online slate clean. It will allow users to have their photos, details, and other data removed from websites, social networks, and search engines.

Users will have the right to demand that data held on them be deleted if there are “no legitimate grounds” for it to be kept. This includes if a user leaves a service or social network, like Google or Facebook, the company will have to permanently delete any data that it retains.

Search engines will also have to comply with this rule. The practicalities of search giants like Google complying, which has already warned that this may harm innovation, remains unclear.

ZDNet’s Zack Whittaker also summarized what US businesses need to know in terms of the reaching affects:

A European Commission spokesperson confirmed to ZDNet that the proposed measures are “focused on younger people”, particularly teenagers, students and young adults, in a bid to “protect the consequences of putting photos and other information on social network websites”.

It does not guarantee the right to have data held by local and European law enforcement agencies deleted, however.

But the proposed “right to be forgotten” laws have already been met with harsh criticism from the wider Web industry. It will create a right that will not only be difficult to implement, but could have a detrimental effect on the use of the Web in Europe.

Sheryl Sandberg, Facebook’s chief operating officer, gave an insight on what the wider argument could be amongst businesses and European regulators. While Web companies provide employment and spur on economic growth — such as seen with Facebook’s impact on the European economy — governments should not get in the way.

The Sony breach is a reference point for this, particularly because of the impact level it had on consumers and businesses alike:

Businesses are expected to lobby heavily for amendments that benefit them, and reduce the long-term workload that would be expected as part of the new Regulation’s finer details.
Details of data breaches — something every company will have to deal with at some point — also takes a high standing in the Regulation. Since the Sony breach, where over 70 million user accounts were hacked, Europe is responding by enforcing a “24-hour rule”.

“Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. As a general rule, without undue delay means for me ‘within 24 hours’,” Reding said in a speech earlier this week.

But should a company not be aware of a hack, a breach, or a data loss for 24 days, let alone 24 hours, it applies more pressure on companies to be aware of their own internal security matters and data protection policies.

Businesses will have a two or three year grace period with compliance, but nonetheless, the European data reforms are sparking a global shake-up. We’ll be watching this one closely…

According to a Wired article by Kim Zetter:

U.S. Bank seized about $10,000 from the McCombs’ account to pay $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.

But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.

If this case proceeds, it could unravel the PCI structure:

Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School says the system of fining merchants could prove to be a problem for the payment card industry if the court views them as punitive in this case.

“In general, contract law does not like punitive damages being included in contracts,” she says. “If you argue that these fines are punitive and unrelated to actual losses suffered, courts could deem your contract to be overreaching and conclude that its intent is to punish rather than to compensate harm.”

Matwyshyn also says the fact that merchants are liable for a third-party agreement their banks make with Visa and MasterCard is also problematic because it disempowers merchants and prevents them from being able to “negotiate the kinds of balanced provisions we would expect to see between two parties to a contract.”

“We should see some interesting contract analysis from the court [on this],” she said.

This will be one to watch, though it’s hard to imagine the banks will let this go to court. My bet is they will probably settle. Interestingly enough, TJX made a similar argument which resulted in a TJX settling and avoiding fines in its own breach case several years ago.

The incident could be an example of hackers trying to get “inference data,” or information that can be combined with other pieces of information to “infer something useful,” Mike Logan, president of Axis Technology, told eWEEK. Since the type of sensitive information being inferred is usually protected at a higher security level, the breach attempt illustrates the importance of protecting all types of customer data, according to Logan.

Managing Sensitive and Confidential Data in Development & Test Environments

Does your organization have production data in development & test environments?

Do you worry about the privacy of your test data?

Do you share your production data with off-shore vendors?

If you answered “Yes” or “I don’t know” to any of these, you need to learn about data masking!

Date:
Wednesday, November 16, 2011

Time:
12:00 PM – 1:00 PM PST

After registering you will receive a confirmation email containing information about joining the Webinar.

Click here to register now! Space is limited…

What: Handling healthcare claims and benefits can be challenging enough. A data breach or loss of private information can literally cripple a business. Check out the pioneering data masking product, DMsuite, and learn about how it can meet all of your data security needs. Don’t count on network security or encryption alone—especially when your business is trying to keep up with ever-changing privacy regulations or working with multiple organizations and contractors.

Where: Las Vegas Convention Center

Why: The data security landscape is constantly changing with more and more threats emerging every day. The Axis team will guide you through the ins and outs of safe-guarding your sensitive data so you can go about running your business with secure confidence.

It’s been a steady event for us so far, and yesterday we announced our latest DMsuite news:

Axis Technology Announces Comprehensive Applications Support

DMsuite™ Data Masking Increases Roster of Secured Applications; Provides Dedicated Sensitive Data Protection for Insurance Industry

Boston, MA & National Workers’ Compensation and Disability Conference & Expo, Las Vegas, November 9, 2011 – Axis Technology Software, LLC, the leading provider of enterprise data masking solutions proven to save businesses hundreds of thousands in costs, today announced that DMsuite™, the industry’s premier and most effective data masking platform, provides dedicated support to applications most used by businesses including PeopleSoft, SAP, Oracle, SalesForce, and custom applications. In particular, DMsuite is a critical component in securing data used by insurance providers, especially in processing claims.

By masking data with DMsuite, insurance providers sharply reduce their risk by eliminating a number of vulnerable data sources. Additionally, DMsuite automatically identifies sensitive data across databases, copybooks, and files. DMsuite allows insurance companies to easily and safely share masked data with partners, third parties, and outside vendors.

“Doing business in the insurance field requires accessing and sharing tremendous amounts of private consumer data. There’s just no way to avoid it,” said Mike Logan, President of Axis Technology Software, LLC. “With the increasing incidents of data loss, both by theft or unintended negligence, it’s more important than ever for businesses to execute multiple data security measures. Data masking is rapidly becoming a key level of defense for at-rest data, which is a very vulnerable source of sensitive information. If that data is lost it can prove costly, both from business and legal standpoints, as evidenced by recent data losses experienced by TRICARE in which reports are saying a class action suit could cost nearly 5 billion dollars.”

To learn more about data masking with DMsuite, visit the Axis team at the National Workers’ Compensation and Disability Conference & Expo in booth #443, from November 9 to 11, 2011.

DMsuite™ secures development, quality assurance, and third-party testing environments by removing confidential data and replacing it with realistic, fictitious data. Because the masking transformation is executed in memory, production data is not accessible within DMsuite or anywhere in the target environment, making DMsuite the most secure and effective data masking offering on the market today. It maintains referential integrity across business lines and different platforms, including InterSystems Caché, Oracle, IBM DB2, SQL Server, Sybase, Teradata, Netezza, MySQL, Adabas, Informix, flat files, and mainframe. It also supports file formats that include VSAM, Excel, delimited, and XML. DMsuite can be used straight out of the box, offering self-service provisioning functionality. DMsuite is web-based and its central point of control enables easy operation, administration, logging, and auditing.

Data Breach Costs: Beware Vendor Contract Fine Print

Organizations often end up paying the consequential costs of data breaches when third-party vendor contracts aren’t scrutinized.

Whether it’s from a vendor improperly securing database information it’s hosting for a customer or a storage company that leaves backup information unlocked in a truck, data breaches caused by third parties happen all the time. If organizations are not careful in the way they construct their contracts with those vendors, the organization itself could end up being on the hook for far more of the breach liability than it expected. But if they do it right, they could use that contract as a tool to mitigate risk to their organization.

Litigation in these cases of third-party breaches is a common occurrence, frequently with the third-party organization ducking under the radar as their customer gets hammered by class action suits. For example, when a breach that exposed data for 4.9 million active and retired U.S. military personnel was caused by the theft of backup tapes from the car of an employee at Science Applications International Corp. (SAIC), working on behalf of Tricare, in September, the $4.9 billion lawsuit by affected individuals filed last week was lodged against TRICARE and the Department of Defense, not SAIC.

Similarly, Stanford Hospital had a $20 million lawsuit filed against it after an employee at its billing contractor, Multi Specialties Collection Services (MSCS) inadvertently posted patient information on a homework help site online. Stanford has been on a publicity blitz claiming its outsourcer was totally to blame for the breach.

These examples are quite common- and costly! It’s a lot easier to avoid becoming a PR nightmare…

eWeek’s “10 Stupidest Hacks of All Time”

PropertyCasualty360′s “Cyber Security: A Scary Tale”

TechNewsWorld’s “October’s Scary Security Surprises”

Huffington Post’s “If You’re Worried About Medical Privacy, Better Take Some Xanax”

One thing to beware of when you select a data masking solution is imitators. Many companies are offering data masking solutions, but Axis Technology essentially created the market and as data masking is rapidly becoming the proven, most effective measure for securing non-production data, there are a lot of copycats rushing to market to try and capitalize on this- right down to directly lifting information from our marketing and public relations materials.

So much like the many costumes and masks you’ll see out on Halloween, there are many data masking solutions out there that try to dress up like DMsuite, but it’s the original, pioneering data masking product that continues to evolve and stay ahead of the data security market. Check out our demo today!

DMsuite-Based Data Masking Product Dedicated to Informatica Provides Fastest, Most Comprehensive Protection of Sensitive Data; Video Demo Available

Boston, MA & RSA Conference, London, UK, October 12, 2011 – Axis Technology Software, LLC, the leading provider of enterprise data masking solutions proven to save businesses hundreds of thousands in costs, today announced the availability of Informatica Accelerator, an Informatica-focused product based on DMsuite™, the industry’s premier and most effective data masking platform.

Informatica Accelerator enables companies to maximize their investment in the industry-leading data integration application by identifying, provisioning, and securing sensitive information in a matter of hours─a process that typically takes several weeks. This eliminates the need for additional resources, saving companies hundreds of thousands of dollars by reducing the need for added Informatica development staff.

Check out our Informatica Accelerator demo video to see it in action!

And if you’re at the show, stop by stand B2 and say hello!

Axis Technology Announces Support for InterSystems Caché

DMsuite is the Only Data Masking Product to Support Healthcare-Focused Platform

Boston, MA & RSA Conference, London, UK, October 11, 2011 – Axis Technology Software, LLC, the leading provider of enterprise data masking solutions, today announced that its premier data masking product, DMsuite™, now supports the InterSystems Caché platform, an advanced object database that is used primarily by the healthcare industry. Caché handles huge volumes of transactional data, which requires a data masking product that is capable of keeping pace. DMsuite can be deployed in under one hour, safeguarding all nonproduction data while maintaining referential integrity. Additionally, DMsuite ensures that all data privacy requirements, including HIPAA and the HITECH Act, are fulfilled, and keeps organizations ahead of regulation changes.

DMsuite supports a comprehensive roster of platforms beyond InterSystems Caché. These include Oracle, IBM DB2, SQL Server, Sybase, Teradata, Netezza, MySQL, Adabas, Informix, flat files, and mainframe.

“Supporting Caché is yet one more way DMsuite is staying ahead of the data security industry,” said Mike Logan, President of Axis Technology Software, LLC. “DMsuite does not take a ‘one size fits all’ approach to securing private data. Instead, we analyze and address the unique needs of each platform to ensure ironclad data protection.”

To learn more about DMsuite for InterSystems Caché, visit the Axis team at RSA Europe from October 11 to 13, 2011 in stand B2 or visit www.axistechnologyllc.com.

DMsuite™ secures development, quality assurance, and third-party testing environments by removing confidential data and replacing it with realistic, fictitious data. Because the masking transformation is executed in memory, production data is not accessible within DMsuite or anywhere in the target environment, making DMsuite the most secure and effective data masking offering on the market today. It maintains referential integrity across business lines and different platforms, as well as file formats that include VSAM, Excel, delimited, and XML. DMsuite can be used straight out of the box, offering self-service provisioning functionality. DMsuite is web-based and its central point of control enables easy operation, administration, logging, and auditing.