Maxxum Insured by Downstream Data Coverage

March 8, 2016


Maxxum has always taken our responsibilities as a secure data destruction service provider very seriously. It’s why we’re proud to be AAA NAID certified—a program that establishes standards for secure data and equipment destruction processes.

These NAID (National Association for Information Destruction) standards include:

  • Operational Security
  • Employee Hiring and Screening
  • Audited by Independent 3rd Party
  • Documented Process
  • Data Destruction Insurance (best practices)

Maxxum passed a strict audit to become NAID AAA certified and has agreed not only to be recertified every year, but also to pass random audits during the course of the year.

Working with an asset disposal company that is NAID AAA certified should first and foremost bring peace of mind to an organization. With data breaches and information theft making headlines far too often, it’s a HUGE relief for companies to partner with an organization like Maxxum, who will make sure they receive documented transfer of custody and indemnification from their technology assets.

Ensuring Data Security One Step Further with Downstream Data Coverage

Maxxum is now taking that peace of mind one step further for its customers as a “best practices” initiative. We’re now insured by Downstream Data Coverage, the only professional liability coverage developed specifically by NAID for data destruction services.

From the Downstream Data Coverage website:

“Data-related service providers obtain professional liability insurance to protect themselves and to ensure they can cover their financial liabilities to their clients. When a service provider purchases an inadequate professional liability policy, they not only put themselves at risk, they also leave their customer exposed. Downstream Data Coverage seeks to make sure that doesn’t happen.”

This specialized policy addresses many of the shortcomings of standard professional liability coverage that leave service providers and their customers at risk.

Downstream Data Coverage is only available to service providers that are subject to the routine announced and unannounced audits of NAID AAA certification. This means that not only is the service protecting the customer with quality professional liability insurance, the service provider is also operating under the scrutiny of outside auditors trained specifically for that purpose.

Too many technology asset destruction service providers rely on off-the-shelf professional liability coverage because they have had no other alternative. That coverage often still leaves companies without the full protection they seek.

Many customers therefore remain at risk, because their service provider would not be able to effectively cover their liability. At Maxxum, we are proud to ensure our processes meet the high standards needed for proper technology asset disposal and data destruction; with Downstream Data Coverage, we’ve just taken it one step further.

Maxxum Conducts Tech Disposal Research Study

February 3, 2016


Maxxum recently conducted a tech disposal research study with a simple objective in mind: We wanted to understand your world and how we can make technology disposal easier and safer given the challenges you face in today’s digital environment.

The overriding result of this study revealed that organizations still engage in risky technology disposal behavior, even as data breaches continue to increase in frequency and severity. We were quite happy to find that Maxxum customers rate our services more positively as compared to other technology companies, especially in the key areas of recycling, security, and compliance, which are cited as the most meaningful to organizations.

In this ever-evolving digital age it’s increasingly important to dispose of technology assets using a safe and compliant program. At Maxxum, we’re committed to helping you retire your technology in a documented, secure, and sustainable way.

Tech Disposal Research Proves the Importance of Proper Asset Disposal

Our tech disposal research study gathered responses from highly regulated, risk-averse organizations, including health care, insurance, medical device manufacturing, financial services and education.

The most alarming data uncovered by our research is that 40 percent of respondents stated that they use disposal methods outside of a professional tech disposal service, including equipment donations and giving away old computers, monitors, etc. to employees. Just because your office is done with a computer, that doesn’t mean the sensitive information it holds isn’t still available to whoever receives it.

As we stress to our clients, and say elsewhere on our website: you may be exposed to legal ramifications if you don’t dispose of your data and drive assets properly. If your sensitive data leaks, you’ll have to answer to the law and to your customers.

As one might expect, the most important elements for organizations, the key drivers, are process and documentation, recycling and reuse, and security at the destination. We’re happy to report that Maxxum customers ranked our service particularly high in those three areas versus other companies.

To see more of the tech disposal research study survey results, contact us for a copy of our white paper.

Ponemon: Data breach costs now average $154 per record

June 10, 2015

The per-record cost of a data breach reached $154 this year


by Maria Korolov | May 27, 2015

According to a report released this morning by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, up 12 percent from last year’s $145.

In addition, the average total cost of a single data breach rose 23 percent to $3.79 million.

Loss of business was a significant, and growing, part of the total cost of a data breach. Higher customer turnover, increased customer acquisition costs, and a hit to reputation and goodwill added up to $1.57 million per company, up from $1.33 million the previous year, said Ponemon Institute chairman and founder Larry Ponemon.

Ponemon analyzed results from 350 companies in 11 countries, each of which had suffered a breach over the past year.

Data breach costs varied dramatically by industry and by geography.

The US had the highest per-record cost, at $217, followed by Germany at $211. India was lowest at $56 per record.

Sorted by industry, the highest costs were in the health care industry, at an average of $363 per record.

The reason, said Caleb Barlow, vice president at IBM Security, is because the information in a medical record has a much longer shelf life than that of, say, a credit card number.

“With credit cards, the time frame from the breach to mitigation is very short,” he said.

The credit card company just has to cancel the old credit card number and issue a new one.

“But the health care record can be used to establish access in perpetuity,” he said, pointing out that health care records include a wealth of personal information as well as social security numbers and insurance numbers.

“It can be used to establish credit or steal your identity ten or fifteen years from now,” he said. “Once this information is out there, you can’t get the genie back in the bottle.”

And that doesn’t even include the costs of health care fraud, he added.

Factors that can impact breach costs

The Ponemon report looked at a number of other factors that could potentially influence the cost of a breach, and, unlike industry or geography, many of these factors were under management control.

For example, having an incident response team available ahead of time reduced the per-record cost by $12.60. Using encryption extensively reduced costs by $12. Employee training reduced costs by $8.

If business continuity management personnel were part of the incident response team, costs fell by $7.10. CISO leadership lowered costs by $5.60, board involvement lowered costs by $5.50 and cyberinsurance lowered costs by $4.40.

“Companies that have thought about this ahead of time, that had their board involved, that had insurance protection, that had practiced what they would do, they had a much lower cost per breach,” said Barlow. “This is really compelling. We have tangible evidence that those who were doing that had much lower costs. You don’t have days to respond — you don’t even have hours. You have minutes to get your act together.”

Factors that increased costs included the need to bring in outside consultants, which added $4.50 per record. If there were lost or stolen devices, costs increased by an average of $9 per record.

And the single biggest factor was if a third party was involved in the cause of a breach. That increased the average per-record cost by $16, from $154 to $170.

Costs rise with time

Ponemon found a positive relationship between the time it took to identify a breach and the total cost of the breach, as well as between the time it took to mitigate the breach and the cost.

On average, it took respondents 256 days to spot a breach caused by a malicious attacker, and 82 days to contain it.

Breaches caused by system glitches took 173 days to spot and 60 days to contain. Those caused by human error took an average of 158 days to notice, and 57 days to contain.

This story, “Data breach costs now average $154 per record” was originally published by CSO.


It’s Time to Re-Examine Risk Management

March 30, 2015

Attacks Against Anthem, Others Are a Call to Action

By Bob Chaput, March 27, 2015


Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

“We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic.”

In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Privacy Industry Notice and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach begs the question: What were the “experts” really doing?

Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

The healthcare field has “HIPAA compliance” myopia. The Anthem breach proves once and for all that information risk management is much more than a HIPAA compliance issue. IRM has a direct impact on patient safety and quality of care. But even more than that, it’s a discipline that’s essential to the health of a company’s brand and bottom line.

The Anthem breach demonstrates that there’s still a glaring need for better board and C-suite education about what constitutes comprehensive IRM. We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic. To do so, healthcare organizations need to use new benchmarking tools to help them assess the maturity of their IRM initiatives.

If the CHS breach was a wake-up call, the massive Anthem breach was a bugle blaring across healthcare boardrooms and C-suites nationwide. Let’s hope that it rouses leaders to action.

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance, an information risk management advisory firm based in Nashville, Tenn., that offers an IRM benchmarking tool.


TD Bank to Pay Second Breach Penalty

December 9, 2014

Massachusetts Cites Bank for Tardy Notification

By , December 8, 2014. Follow Jeffrey @gen_sec

TD Bank has agreed to a second state settlement tied to a data breach involving the loss of two backup tapes that may have exposed personally identifiable information for 260,000 of the bank’s 8 million U.S. customers.

The $625,000 settlement with the Massachusetts attorney general is separate from an earlier, $850,000, nine-state settlement (see: TD Bank Agrees to Breach Settlement). Massachusetts pursued its own investigation because the breach occurred in that state and affected a large number of its residents, a spokesperson for the attorney general tells Information Security Media Group.

The Latest Settlement

In the Massachusetts settlement, Attorney General Martha Coakley said the breach exposed the personal information of more than 90,000 Massachusetts customers.

Coakley alleged that TD Bank violated the state’s data breach notice law by delaying providing notice of the March 2012 incident until October 2012. Under Massachusetts law, breached entities are required to provide written notice “as soon as practicable and without unreasonable delay.”

“Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost,” Coakley says.

TD Bank, in a statement, says it has been continually enhancing its technologies and processes to better protect the personal information of its customers. “This agreement highlights our efforts to evolve our security controls to further benefit our customers,” says Judith Schmidt, a TD Bank spokesperson. “TD Bank has settled with the attorneys general in an effort to resolve this issue.”

Under the Massachusetts settlement, TD Bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the attorney general’s office to promote education or to fund local consumer aid programs.

In addition, TD Bank has agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations, which mandate that organizations encrypt personal information stored on back-up tapes; require third-party service providers to implement and maintain appropriate security measures; and review the security practices and procedures of third-party providers entrusted with personal information.

Backup Tapes Lost

TD Bank reported in October 2012 that two unencrypted backup tapes, which contained 1.4 million files on 260,000 bank customers nationwide, were lost (see: TD Bank Breach Response Questioned). The bank, in its breach notification letter, said the tapes, which contained personal information, were misplaced in late March of 2012 while in transit to one of the bank’s Massachusetts locations.

The information on the tapes may have included names, addresses, Social Security numbers, account numbers and/or other data elements, such as dates of birth or driver’s license numbers, the bank says. As a result, TD Bank offered affected customers 12 months of free credit monitoring services, although the bank advised its customers to monitor their accounts for 24 months.


Optical Care Chain Loses a Server, Again

December 5, 2014

Missing Computer Contained PHI for 48,000 Customers

By , December 2, 2014. Follow Marianne @HealthInfoSec

For the second time in recent weeks, Visionworks Inc. has revealed that one of its stores misplaced a database server, apparently due to improper disposal.

In a Nov. 21 statement, Visionworks, a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., revealed that a database server at a store in Jacksonville, Fla., containing “partially unencrypted protected health information” belonging to approximately 48,000 customers had been mistakenly discarded after it was replaced on June 2 during scheduled computer upgrades.

Last month, the chain announced that a store in Annapolis, Md., lost a database server containing patient information in June while it was being replaced during a store renovation (see Lost Server: What Went Wrong?). The lost Maryland computer, which contained data on 75,000 customers of that store location, is believed by Visionworks to have been discarded by mistake in a landfill.

Preventive Steps

The Highmark spokesman declined to comment on steps the company is taking to prevent the loss of more servers from its stores. “Visionworks is in the process of fully encrypting all servers. The process should be complete within the next six months,” he says.

While encrypting all data on the lost computer could have potentially prevented the breach at both store locations, “Server hard-drive encryption in an optometrist store is very rare,” notes Kerry McConnell, a senior consultant at security services firm Tom Walsh Consulting.

Security experts say the back-to-back incidents spotlight the need for organizations to have solid inventory management and data disposal practices, and to ensure that staff are aware of those policies.

“In our experience doing HIPAA risk assessments, we often see storerooms or locked ‘cages’ of older used equipment,” says Dan Berger, CEO of security services firm Redspin. “We often point this out as a vulnerability for precisely the reason that occurred at Visionworks. Once taken out of service, it is very easy to forget what is on each server or workstation,” he says. “That sets the stage for an inadvertent discarding of a device that contains lots of confidential data.”

Berger stresses that having policies safeguarding PHI even when it’s no longer needed is mandated under HIPAA.

“We cite the HIPAA Security Rule, which requires that covered entities and business associates implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored,” he says.


A Lost Server: What Went Wrong?

Inventory Management, Data Disposal Practices in the Spotlight

By , November 14, 2014. Follow Marianne @HealthInfoSec

The loss of a server at an optical wear retail store in Maryland offers a reminder not only of the importance of encryption but also of the value of good inventory management and data disposal practices.

Visionworks Inc., a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., says the problems began when the server was being replaced in June during a remodeling project at its store in Annapolis, Md. “We believe that the server was accidentally removed with trash from recent renovations and taken to a local landfill” along with other materials, a Highmark spokesman tells Information Security Media Group.

The server held protected health information for as many as 75,000 of the store’s customers, according to a Visionworks statement. “All credit card information housed on the server was encrypted, and therefore should not be at risk,” the company says.

Besides the encrypted credit card data, however, the server also contained unencrypted data, including customer names and addresses and some information related to optometrist visits and lens prescriptions, the spokesman explains.

Server Security

While lost and stolen unencrypted computers and storage media, especially mobile devices, are the most common culprits in breaches that appear on HHS’ “wall of shame”, which lists breaches affecting 500 or more individuals, some security experts say the Visionworks server incident is somewhat unusual.

“It’s highly unlikely to lose a server since they typically don’t move around once they get ‘racked and stacked’ in a data center,” says Brian Evans, senior managing consultant at IBM Security Services.

Also, while encryption of all data contained on the lost server would have protected against a data breach, “it’s not commonplace in healthcare to encrypt servers for a variety of reasons,” he says. “Most organizations think they’re safe because their data is secure within a data center environment where access is physically restricted,” he says – unlike the retail setting where the Visionworks server was located.

“Visionworks could have benefitted from a formal media disposal and asset inventory process,” Evans says. “As a result, the server operating system could’ve been wiped or destroyed while tracking and accounting for this asset.”

Lessons Learned

All healthcare organizations should have policies that spell out how computing devices need to be handled if moved or relocated, says Tom Walsh, president of the independent security consultancy Tom Walsh Consulting.

He suggests that such a policy should state: “Any media, equipment, or device containing memory and possibly storing confidential information needs to be sanitized or erased before the media or equipment is reused, sent to a vendor for repair, sold, or prepared for donation or disposal.”

Additionally, he says relocation policies often prescribe that, “hard disk drives are removed from servers, workstations, laptops and other devices – including multifunction printers – and kept temporarily in a secure holding area, such as a locked office/cage/room/cabinet, until the hard drives are physically destroyed by the IT department staff or electronics recycling vendor. The inventory tracking database also needs to be updated when equipment is removed from service.”
