Archive for Disaster Recovery

Ransomware: Legal Breach Notification Cheat Sheet

Incidents of ransomware are on the rise and it’s a growing concern for all of us. We have been well versed on what not to open or click on. But it is equally important to be informed on what actions you need to take if you fall victim to a ransomware attack.

If your business falls under breach notification rules, here is a cheat sheet that presents information without all the legalese.

Breach Notification Rules for Ransomware

The real issue to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.

Here is the breakdown, sector by sector, of what a ransomware breach response requires:

  1. Healthcare – HIPAA’s Breach Notification rules require covered entities (hospitals, insurers) to notify customers and the Department of Health and Human Services (HHS) when there has been unauthorized access to protected health information (PHI). This is the strictest of the federal consumer data laws when it comes to a ransomware breach response. HHS has put out a helpful guideline explaining more of the complexities involved in determining whether a PHI breach has occurred.
  2. Consumer banks and loan companies – Under GLBA, the Federal Trade Commission (FTC) enforces data protection rules for consumer banking and finance through the Safeguards Rule. According to the FTC, ransomware (or any other malware attack) on your favorite bank or lender would not require a notification. They recommend that these financial companies alert customers, but it’s not an explicit obligation.
  3. Brokers, dealers, investment advisors – The Securities and Exchange Commission (SEC) has regulatory authority over these types of investment firms. Under GLBA, the SEC came up with its own rule, called Regulation S-P, which does call for a breach response program. But there’s no explicit breach notification requirement in the program. In other words, it’s something you should do, but you don’t have to.
  4. Investment banks, national banks, private bankers – For these remaining investment companies, the Federal Reserve and various Treasury Department agencies jointly came up with their own rules. In this case, these companies have “an affirmative duty” to protect against unauthorized use or access, and notification is part of that duty. The fine print says, though, that there has to be a determination of “misuse” of data. Whether ransomware’s encryption counts as misuse of the data is unclear. In any case, the rules spell out what the notification must contain — a description of the incident and the data that was accessed.

Green, Andy. “Ransomware: Legal Cheat Sheet”. Inside Out Security Blog – Data Security, January 2017


Does Your Business Have a CyberSecurity Plan?

Here’s an interesting fact: In 2012, companies with just one to 250 employees — what we commonly think of as small businesses — were the victims in more than 30 percent of all cyber attacks. Entrepreneur Magazine cites this statistic, taken from the 2013 Internet Security Threat Report from Symantec, to prove a point: Even small businesses need a cybersecurity plan.

Anti-Virus Software Matters

The Entrepreneur story says that the first step in any cybersecurity plan is anti-virus software. As the story says, this software is a must for small business owners. Anti-virus software isn’t perfect, and especially clever viruses can slip past it, but businesses that don’t have any anti-virus protection are setting themselves up for a massive hack.

Suspicious E-mails

Next, small businesses should make sure that their employees understand how important it is to delete e-mail messages that seem suspicious, whether sent by known or unknown senders. Businesses should also remind their employees to never click on the links contained in these suspicious e-mail messages. Not all employees will listen or remember. But many will.

Firewalls

Entrepreneur also recommends that small businesses use firewalls to protect their inbound and outbound network traffic. Firewalls can keep hackers from tapping into a small business’s network. Firewalls can also block employees from accessing potentially dangerous websites.


Facing an Emergency? Turn to These Apps

These are dangerous times. Mother Nature is unleashing droughts and record-setting high temperatures. It seems a new tornado is ripping through the Midwest every day. And those are just the big emergencies. What if you lock yourself out of your car when your toddler’s stuck inside it?

Fortunately, there’s a whole class of apps that can help you deal with emergencies big and small.

Here is a closer look at three of these apps that might be able to bail you out in case of an emergency.

AroundMe

AroundMe has been around for a while, but it remains a top locator app. With it, you can find everything from the nearest gas station to the nearest bank.

It’s easy, too, to see how AroundMe might help in case of an emergency.

Say your toddler is sick, you’re in a strange city, and you need to find a hospital as soon as possible. Just log onto the app, click the category that you need — in this case, “Hospital” — and find the nearest medical provider to you.

It’s little surprise that many consumers consider AroundMe to be a must-have app.

CPR & Choking

The name of this app says it all: CPR & Choking will give you tips and full-fledged lessons on how to deal with a person who is choking or who is not breathing. It can be especially handy if you’ve never taken CPR classes or have forgotten what you’ve learned.

This app, which is free, was developed by the University of Washington and King County EMS to save lives. It contains a variety of videos that tell you exactly what to do if someone you know is in the middle of a medical emergency or cardiac event.

There aren’t too many apps that can save a life. CPR & Choking is one of them.

Emergency Radio Free

What if there’s an armed criminal on the loose in your community? What if a tornado has been spotted?

You can stay informed with Emergency Radio Free, an app that lets you access hundreds of police, fire, weather, and other live emergency radio feeds from around the country.

It’s easy, too, to identify and tune into radio feeds in your specific community. You can also save radio feeds to a favorites area so that you can access them quickly should an emergency strike.

Of course, no app, no matter how impressive, will be able to protect you completely from harm should danger arise. These apps, though, will give you the chance to be better prepared should an emergency strike.

Read more at CNET.


The Worst Data Security Breaches in History

We all like to think that the companies that have our credit-card information—the banks, entertainment companies, and government agencies—are able to protect our valuable information.

Unfortunately, that isn’t always the case.

CSO Online recently ran a list of some of the worst data security breaches of the 21st century. If you are looking for a reason to worry about the safety of your financial and personal information, this list gives you plenty of cause.

TJX Companies

For instance, the list covers the December 2006 security breach suffered by retail giant TJX Companies in which the credit-card information of 94 million customers was exposed.

There are two theories about how this security breach happened. One view is that a group of hackers took advantage of a weak data encryption system and stole credit-card data during a wireless transfer between a pair of Marshalls stores in Miami. A second theory is that hackers broke into the TJX network through in-store kiosks that allowed people to apply for jobs.

The upshot? Albert Gonzalez, a legend in the hacking community, was arrested and sentenced to 40 years in prison for the scheme.

Department of Veterans Affairs

In May of 2006, thieves stole an unencrypted database with the names, Social Security numbers, birthdates, and disability ratings of 26.5 million military veterans, active-duty military personnel, and spouses.

The database was, amazingly, stored on a laptop and external hard drive that were both stolen from the home of an analyst with the Veterans Administration.

This case had a fairly happy ending: an unknown person returned the stolen laptop and hard drive about a month after the theft.

Sony’s PlayStation Network

PlayStation Network suffered what is still viewed as the worst gaming community data breach ever in April of 2011. Hackers compromised 77 million PlayStation Network accounts, and Sony reportedly lost millions of dollars by shutting down the service for a month.

Sony says it has still not found the source of this hack, but as CSO Online says, the hackers gained access to full names, passwords, email addresses, home addresses, purchase histories, and credit-card numbers of PlayStation Network gamers.

Read more at CSO Online.
