The best breach disclosure events of 2012
As another year heads toward a close, we can't help but look back on the notable victories and defeats that defined IT, and this inevitably includes a multitude of security failures. Reported data breaches have risen significantly in 2012, and those that are reported may be only a fraction of the total incidents. Everyone's network, we're told, can be hacked, and the new mantra in IT security is, "ask not if, but when." For a look at some of the more cautionary tales in the realm of security this year, see our slideshow.
But organizations that report their breaches in a responsible fashion should be given their due. If a highly regulated company, such as a hospital or bank, quickly discovers and discloses a breach, is it a "worse" security lapse than a less regulated company that learns of a breach months or years after the fact and then goes to great lengths to hush it up as long as possible? (Even if customer data or other personally identifiable information isn't exposed in a breach, shareholders might be interested in hearing about the incident.) It isn't hard to imagine that the industries with the highest number of reported breaches could have more secure networks than those that report few breaches, precisely because they have such strict disclosure requirements.
Hospitals and other healthcare organizations were responsible for about a third of the breaches recorded by the ID Theft Resource Center so far this year, but this does not necessarily mean that this sector has the least secure networks and databases. (The ITRC includes breaches in which an individual's social security number, financial record, medical record or driver's license number was put at risk.) Healthcare is subject to strict data privacy and security regulations under the Health Insurance Portability and Accountability Act, as well as numerous state breach disclosure laws.
In the grand scheme, organizations that react quickly and responsibly to data breaches regardless of disclosure requirements are taking important strides for security, and this should be noted in the year's victory column. In that spirit, I present The Best Data Breach Disclosure Events of 2012:
Online retailing giant Zappos disclosed a massive data breach Jan. 15, notifying employees and customers by email. The company earned widespread praise for having an efficient breach notification system in place and sending out a timely warning and instructions for changing passwords.
In February, Reuters reported that VeriSign was hit by two data breaches in 2010. While VeriSign didn't report the breaches in a particularly timely or forthcoming fashion, it did report them in its October 2011 quarterly filing with the SEC. Some people lambasted VeriSign for not disclosing the breaches sooner, but others applauded it for disclosing them at all, which apparently sets it apart from the pack.
Alaska Department of Health and Social Services
In September, the Alaska Department of Health and Social Services settled HIPPA-related charges over a breach that occurred in 2009. The settlement cost the department $1.7 million, but its officials took the opportunity to review data processes and find ways to improve the agency's compliance posture. Better yet, the department shared detailed lessons from the experience for all to learn from.
It would be great if 2013 sees a significant decrease in data breaches, but history suggests we shouldn't hold our breath. If the mantra among network and database security pros remains "ask when, not if," then improved disclosure and notification practices could go a long way in helping maintain public confidence in online systems. - Caron