What a Data Privacy Breach Means For You
By Team, Inspectiv
It seems that data privacy breaches are occurring daily. What has been happening this year, you ask? Well, some of the most significant breaches include:
- April 19, 2021, an unknown number of GEICO customers had their driver’s license numbers exposed because of a flaw in the company’s online sales system. Hackers had access from January 21 to March 1.
- 5 days later in April 2021, over 5.6 million Reverb users had their personal data leaked onto the Dark Web.
- 2 days later in April 2021, tens of millions of Americans’ personal data was accessible because Experian had an unsecured Application Programming Interface (API).
This list could go on and on. I think you get the idea.
Protecting customer and employee personal data is no longer a choice. Europe set a precedent with the Data Protection Directive, which the GDPR has since replaced. Similarly, in the US, California is following suit with the California Consumer Privacy Act of 2018 (CCPA).
Your business may not yet have to comply with California or European law, but a similar law will likely come to your state sooner rather than later.
The general idea of these laws is that a company must protect Personally Identifiable Information (PII). It is not sufficient to notify the customer when there IS a breach. Businesses must put protection mechanisms in place now. Protection involves everything from encrypting data at rest and in transit to controlling who has access to the database (DB).
New privacy rights include:
- The right to know what personal data is collected and how it is used;
- The right to be forgotten, so that your data is deleted from their records. (There are exceptions to this; you cannot ask to be forgotten by the government so that you do not have to pay taxes.)
- The right to opt out, so that a company cannot sell your personal data.
The European Union set tremendous fines for GDPR violations. The EU has determined that fines can reach 20 million euros or 4% of the company’s global turnover, whichever is higher.
Medical Data Breaches
Medical data is protected under the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health (HITECH) Act requires the protection of Protected Health Information (PHI). HITECH sets the maximum penalty at $1.5 million; while not as harsh as GDPR, this can still be painful for companies.
Significant health data breaches include:
- March 26, 2021, the Cancer Treatment Center had an email account compromised, which gave the hackers access to the data of over 104,000 patients.
- Hackers encrypted MultiCare Health System servers with ransomware, exposing over 200,000 patients’ data, on March 9, 2021.
- A hacker gained access to Nebraska Medicine systems and deployed malware (unknown type) to access over 219,000 patients’ data on February 10, 2021.
Lessons to Learn from Data Breaches
Take action now! Most breaches today stem from either phishing attacks or source code flaws.
Users (people in general really) need constant reinforcement of security awareness concepts. A training video once a year that lasts one hour at best is not sufficient. Check out KnowBe4 for more info.
Improved coding practices are essential, simply because hackers are exploiting our flaws. Our friends at Manicode can help train your developers on secure coding practices.
Inspectiv works with 1700+ vetted security researchers to continuously scan for and identify security vulnerabilities. Taking the perspective of an external attacker, Inspectiv identifies assets, continuously monitors for vulnerabilities, validates and deduplicates findings, and then provides this critical information in a streamlined and actionable format.