« Find Your HIPAA Violations Before Others Do | Main | Are IT Security Professionals the Last Line of Defense for Patient Privacy? »
People Have Grown Immune to Breach Notifications
by Lex van den Berghe
LogLogic Customer Evangelist
Back in simpler times, the “high tech” approach to breach notification was a gang of domestic geese or peacocks posted as sentries ‘round the farm to squawk bloody murder whenever strangers approached the property line. Times have changed, as has the definition of “high tech”…but the basic principles and necessity of effective breach notification remain the same.
I spoke with Sudha Iyer, Director of Product Management at LogLogic, and she shared her two cents on breach notification and why it pays to be prepared…
It seems that not a day goes by without a report of a data breach, or a discussion of the latest attack of the Conficker (or other malware) variant. Lest organizations become desensitized to such attacks, I’ve noticed that that breach notifications can have a negative impact on the organization’s net worth.
Take the case of Heartland Payment Systems (NYSE - HPY) for example. When markets opened after Heartland’s public announcement of their credit card breach in January 2009, their stock price shrunk to $8.54 and plummeted to $3.95 by March 2009. Today, Heartland is fortunate that their stock is almost back to its pre-breach notification price of $14.53.
Despite the continuous flood of public breach notifications like Heartland Payment Systems, I find it troubling that so many organizations continue to act as if they are immune to such attacks. Has the barrage of public breach notifications bred enough apathy so as to undermine the primary reasons for public notifications in the first place? I thought breach notifications were meant to…
· Spur the offending organization into action to put in place the necessary process, people and technology to do the right thing for the individual(s) and the business to which they are accountable.
· Serve as a warning to other organizations to do the same before their data is compromised.
Consider the healthcare industry. The Health Information Technology for Economic and Clinical Health Act (HITECH) includes a health care breach notification law. This interim final rule on the HITECH Act just became effective on September 23rd, and the law requires any organization covered under the Health Insurance Portability and Accountability Act (HIPAA) to notify patients of a data breach involving their personal health information. Will this law, especially with its recent amendments that critics say completely guts the original intent of the bill, achieve the aforementioned aims of data breach notification? This leads to a larger question, does data breach notification adequately protect the consumer or patient whose information is compromised?
If there’s a lesson to be learned here, it would have to be: “Don’t put off until tomorrow, what you can do today.” Rather than be vulnerable and exposed to attack, enterprises should enact the proper defenses and alerts to fend off the perpetrators. If your high tech “farm” could use a good flock of geese or peacocks, check us out…we can help!
Posted October 05, 2009 in | Permalink
August 2010
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | 31 |
Categories
Archives
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
- September 2005
Blogroll
Blogroll
Compliance
Good Reading
- Internet and Web Security Review
- Log Management ROI
- Log Management Best Practices
- SANS Institute Log Management White Paper