jump to navigation

Dear OPM – Thanks for exposing my data!…”Clean up your own backyard!” (Elvis) October 20, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , , ,
add a comment

Let me start with Elvis’ “Clean up your own Backyard”

“Back porch preacher preaching at me
Acting like he wrote the golden rules
Shaking his fist and speeching at me
Shouting from his soap box like a fool
Come Sunday morning he’s lying in bed
With his eye all red, with the wine in his head
Wishing he was dead when he oughta be
Heading for Sunday school

Clean up your own backyard
Oh don’t you hand me none of your lines
Clean up your own backyard
You tend to your business, I’ll tend to mine”

menendezToday I received a letter from the United States Office of Personnel Management or OPM informing me that my personal data had been stolen in a data breach.  As a quick reminder the OPM was the victim of a major data breach in which over 22.4 million current and former federal workers and military members’ personal information was stolen by the Chinese Government although the Obama administration did not formally accuse Beijing.

The breach was finally disclosed by the OPM in June 2015 but started in March 2014. So what was stolen?  According to the report I received today…it included (ready for this)…1) Social Security Number 2) Full Name 3) Address 4) Education History 5) Employment History 6) Information on my dependents and close family and 7) my SF86 from when I applied for my security clearance…among other data. For those who are unaware..the SF86 is a 127 page document titled “Questionnaire for National Security Positions” that asks questions about every aspect of a person’s life to include 1) Friends’ names, 2) Emotional and Psychological health, 3) use of alcohol and drugs 4) financial issues 5) affiliations with groups and more!  This information is much more personal and sensitive than just a social security administration.

I find it amusing that within 2 days of Target notifying that they had been victimized by criminals who stole millions of credit card numbers that the “Honorable” Senator Menendez (D NJ) a sitting US Senator (and “back porch preacher” who is now under criminal indictment) would deride Target and ask whether the: “…FTC has the teeth to hold retailers who failed to protect consumers’ information accountable,” He then continued: “if a company doesn’t invest in security to ensure customer data can’t be stolen, “then you have to question why a company would not do that.” The Target CFO would be forced to APOLOGIZE to the US Congress for security ‘failures’ yet when the OPM is breached the US Government distances itself from any liability.  This is sine qua non for any action in which the Federal Government fails..they simply deny that they failed.  According to OPM spokesperson Samuel Shumach:  (more…)

“You Can’t Unring That Bell!” – What is a”Data Breach” and When Should I Notify? August 21, 2012

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , , , , , , ,
add a comment

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more.  I frequently find myself working with companies on data breach notification plans.  One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”.  More interesting is when I ask them to define a “suspected data breach”.  Visa’ rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example.  You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws, or relevant regulatory regimes?  Maybe, maybe not.  It is dependent upon a number of factors including access to data, data protections (ie. encryption), segmentation, the various laws etc.  In short, it is not easy to decipher yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan.  The reason it is so critical is in the titled of this article.  Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’.  The genie is out of the proverbial bottle and things start moving quickly.  Most company’s would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.).   It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions your company is required to notify of a breach or suspected breach.  Here are some basic definitions to use as a starting point.  (check with your legal council and don’t simply use these…there..that should protect me!;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset.  This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of or unauthorized access of sensitive and/or protected data to include PHI, PII, CHD, and NPI.

Suspected Data Breach– In the absence of  direct evidence (identified fraud, or misuse of data, for example), any Security Incident in which it can be reasonable assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do 😉  If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com

graphic by Hippacartoons.com

%d bloggers like this: