Archive for category Data Breaches

7 Sources of Data Breaches You’ll Never Hear About: Your Network Drives

If you think that your tangle of Cat5 in the server room is a mess, wait until you look at your network drive file structure. Licensed from Stock Exchange.

This is the seventh post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices, Your Browser, Your Inbox, Your Thumb and External Drives, Your Old Computer, and Your Cloud Backup. Finally, we’ll discuss Your Network Drives.

Most companies have an internal corporate network with one or more shared network drives. If your company network drive is typical, it’s a layered mess of multiple naming conventions, files from employees who haven’t been around for years, and old documents with unrecognizable file extensions. Frankly, it’s impossible for anyone to know exactly what’s there.


Healthy lifestyle

Has your gym temporarily closed down due to COVID-19 concerns? If you think you can’t get in a great workout because you don’t have all that fancy equipment at home, think again.

Working out at home can be a great alternative to hitting the gym. It’s pretty ideal, in fact. Here’s why:

10 reasons working out at home rocks
Your bathroom and kitchen are nearby – no waiting and no need for shower shoes.

You don’t have to lock up your valuables while you’re working out.

There’s nobody around to make you feel self-conscious about how you look or how fit you are.

You don’t have to worry about parking.

You don’t have to take off your clothes in front of strangers.

No need to rush to fill up your water bottle before your class starts.

You don’t need to pack a gym bag and remember to pick it up on your way out the door for work.

You can hide out from too-hot, too-cold or too-rainy weather.

You get to pick the playlist.

It’s free – or close to it.

And you don’t need expensive equipment. Patty Wood, a certified personal trainer at Personally Fit in New Hamburg, Ontario, says you can get an amazing, full-body workout just by using your own body weight, right at home. She says getting fit wasn’t always easy for her, either.

“I was overweight and suffered from multiple running injuries,” she recalls. “It was through my own process of self-guided research, advice from a past client and a healthier lifestyle that I got where I am today.”

There are a ton of simple ways to get moving at home. Here are some tips and tricks to help you find a home workout, stick to it and get the best results:

1. Choose your at-home workout space
Designate a corner in your home as your workout spot. You really only need a space the size of a yoga mat to have a bunch of options for an effective and efficient workout.

It’s best to not exercise in the same place you watch TV or eat. This will help you focus and stay committed to your workout without:

thinking about the Netflix series you’re watching,
turning on your work computer, or
checking your phone.

2. Put on your gym clothes
Dress like you’re actually going to the gym. You’ll feel more like exercising when you’re wearing athletic clothes.

You might also find it helpful to put on your running shoes and do 15 minutes of housework or yard work. It’s a great way to warm up and get a little extra energy before beginning your workout.

You may also want to invest in good, supportive running shoes. Taking care of your feet is extremely important. So do some research into what type of shoe you need to wear for your workout.

Wood says it’s also a good idea to reward yourself with new shoes or a new workout outfit once you reach a goal. That’s if your budget allows, of course.

3. Don’t worry about gym equipment
You likely don’t need that much equipment, if any at all.

“There are so many body-weight exercises,” says Wood. “A few of my favourites are planking, body-weight squats and push-ups. These three exercises involve many different muscle groups at the same time. They allow you to burn calories and build muscles with fewer exercises. It’s always important to have proper form to reduce the risk of injury. You can create your own circuit with these three exercises.”

If you do have basic equipment such as hand weights and a mat, you have numerous options. If you’re going to use weights, it’s a good idea to have two different sets so you can customize your workout.

If you don’t have hand weights and you want to add extra resistance, try soup cans or water bottles. Other equipment you might find beneficial includes resistance bands or a foam roller. They can help you stretch your muscles before a workout and pamper them afterwards.

4. Use your devices to get new workouts
Don’t think you can make up your own circuits? That’s okay. There are lots of routines out there, especially through apps, and many are free.

Try Fitplan: Gym & Home Workouts, GetFit: Home Workout & Fitness, or the Tone It Up app. They feature programs that guide you through daily workouts that you can do any place, any time – including at home. Most are free. Others have a free trial so you can see if you like them before committing to paying for them.

If you have a smart speaker, you can also use it to guide you through a home workout. Alexa can pull up five-minute workouts for you if you want to get in a blast of exercise in a short amount of time.

You can also try creating an energizing and free playlist on Spotify. Choose songs that pump you up, and occasionally swap out your playlist to keep things interesting.

5. Set realistic fitness goals
Start slowly, trust your strength and treat your body well. You don’t have to jump into it full-speed. Instead, commit to what you think is reasonable for your body and schedule what you can manage each week. Maybe three days a week will work to start. As you become more comfortable, start doing more.

Have you been at home or working from home due to the recent COVID-19 situation? Then you might want to consider other ways to stay active at home. Try recording your times and reps and challenge yourself to improve them. Wood says this is a great way to keep track of your progress and encourage yourself to keep improving.

Do your best not to make excuses. “Make exercise part of your daily routine and schedule a workout time that works for you, whether you’re a morning or night-time person,” says Wood. Make it your own and do something you enjoy, and you should start to feel and see results.


7 Sources of Data Breaches You’ll Never Hear About: Your Thumb Drive

The Law of Portable Device Breaches says that the risk of losing a device, and the information thereon, is directly proportional to its portability. Licensed from Stock Exchange

This post is the fourth in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices, Your Browser, and Your Inbox. Here we’ll explore Your Thumb and External Drives.

Just about anything that can store information can be used to store sensitive personal information, whether you use an external drive to back up sensitive data or a thumb drive to transfer large files from one computer to another. The Law of Portable Device Breaches (which I just made up) says that the risk of losing a device, and the information thereon, is directly proportional to its portability. In real terms, this extremely scientific law means that you’re more likely to leave your cell phone at the bar than your desktop computer.


7 Sources of Data Breaches You’ll Never Hear About: Your Phone

Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.

This post is the first in a series about preventable data breaches. Most Americans have received a letter, telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is Your Phone and Personal Computing Device.

Remember when cell phones were telephones? Those days are long gone. The current generation of smart phones is made up of powerful computing devices which just happen to also make phone calls.

A Message From Walgreens

A friend of mine recently received the following email from Walgreens:

December 10, 2010
Dear Valued Customer,

We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data. We are sorry this has taken place and for any inconvenience to you.

HIPAA Breach Notification Requirements Effective September 23, 2009

The Department of Health and Human Services (HHS) and the FTC have issued a new interim final rule governing health information breach notification requirements. I blogged on this issue back in March 2009, just after the stimulus package, the American Recovery and Reinvestment Act of 2009 (ARRA), passed.

This rule, issued in response to ARRA, goes into effect on Wednesday. At that point, all HIPAA-covered entities and their business associates must notify individuals and HHS when personal health information has been breached. HIPAA-covered entities include health plans, health care clearinghouses, and health care providers. The rule also covers “business associates,” which include billing companies, transaction companies, lawyers, accountants, managers, administrators, or anyone else who handles health information on behalf of a HIPAA-covered entity.

A breach is when individually identifiable health information is acquired, used, accessed, or disclosed to an unauthorized party, in a way that compromises its security or privacy. A “breach” does not include inadvertent disclosures among employees who are normally authorized to view protected health information. A breach also does not include exposure of encrypted personal health information, for example.

When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (i.e., by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.

In certain limited circumstances a vendor might be subject to both the HHS and FTC notification rules. In this case, a vendor which serves the public and HIPAA-covered entities may comply with both rules by providing notice to individuals and to the HIPAA-covered entity. In many instances, entities covered by this rule must also comply with applicable State notification laws. The test for pre-emption is whether the State law is “contrary” to the federal law, or whether “a covered entity could find it impossible to comply with both the State and federal requirements.”

Compliance

Of course, the best way to comply with the law is to avoid breaches altogether. The most straightforward way to avoid having a breach is to encrypt personal health information. But if a breach does occur, complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

  • Date of the breach;
  • Date of discovery;
  • Description of the types of protected health information breached;
  • Steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of the investigation, efforts to minimize losses and prevent future breaches;
  • Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Beyond that, you’ll have to minimize your losses by repairing your company’s public image, regaining your customers’ trust, and mitigating civil liability.

References: 45 CFR parts 160, 162, and 164.

Note: This article was originally published on the J.C. Neu & Associates Blog.


Data Breach Notification Requirements in the United States and European Union

Note: This article originally appeared on Jeffreyneu.com

This brief analyzes more than 40 United States Breach Notification laws, the American Recovery and Reinvestment Act, and compares those requirements with EU Directives 2002/58/EC, 2002/21/EC, and the Data Protection Working Party Opinion 1/2009 on 2002/58/EC proposed amendments. This brief does not address individual EU member states’ implementations of EU Directives 2002/58/EC and 2002/21/EC.

Executive Summary

Both the United States and European Union require certain entities to notify individuals when their personal information has been breached. In the United States, State Breach Notification Laws (BNLs) require persons and organizations to notify individuals whose personal information has been “breached.” BNLs generally apply to any entity which possesses certain classes of personal information, such as social security numbers or account numbers. The usual elements of a breach are as follows, with common variations in parentheses:

  1. (Reasonable likelihood of) Unauthorized and Bad Faith
  2. Acquisition of
  3. Unencrypted or Unredacted
  4. (Computerized) Personal Information,
  5. (Which is likely to cause harm).

Absence of one or more of these elements will defeat the notification requirement, whereas mere knowledge of a potential breach will often trigger a duty to investigate.[1] With the exception of certain health information breaches,[2] breach notification requirements are not yet Federalized.


How to Write an ARRA Breach Notification Letter

Note: This article originally appeared on the Jeffrey Neu Blog.

“We’ve had a breach.” It’s a sentence nobody wants to hear, but when it happens to you, what do you do? If you’re in the healthcare industry, new federal regulations probably require you to write a letter to the victims of the breach, or more. When and how quickly do you have to send a HIPAA/ARRA notification? And what does it have to say?

The American Recovery and Reinvestment Act of 2009 (ARRA) requires HIPAA-covered entities to notify breach victims when protected health information has been disclosed to an unauthorized person. The legislation gives liberal exceptions for good faith and inadvertent disclosure. Redaction or encryption is an absolute defense to a breach.

“Protected Health Information” is any stored or transmitted health information which can be tied to an individual. It may include information not directly related to health, such as a full name, social security number, date of birth, home address, account number, or disability code. The law also requires third-party contractors or “business associates” to report breaches to the covered entity.

When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (i.e., by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.

A breach notification letter must meet differing but complementary legal and economic goals. They include:

  1. Complying with law
  2. Minimizing Losses

Compliance with Law

Complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

  • Date of the breach;
  • Date of discovery;
  • Description of the types of protected health information breached;
  • Steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of the investigation, efforts to minimize losses and prevent future breaches;
  • Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Repairing your Company’s Image

Avoid the natural tendency to clam up. Of course, the best way to protect your company’s image is to keep bad news out of the public eye. But once the cat’s out of the bag, several studies indicate that more than two-thirds of economic losses arising from a data breach are due to brand diminishment and lost customer trust, rather than litigation or identity theft expenses.

Above all, your company must maintain credibility. Be honest and open, and share enough detail to convince an educated person that you know what you’re talking about and that you’ve actually fixed the problem. Consider hiring an outside security consultant who can (1) give you genuine feedback on your security practices, and (2) vouch for your credibility when you say that your customers are safe.

Rebuilding Customer Trust

Consider your last trip to the Department of Motor Vehicles. It probably consisted of waiting for hours in multiple serpentine lines without any direction, followed by more waiting, followed by spending money. The best part is riding away in your car when you’re done. Surprisingly, Disneyland and the DMV have a lot in common: Long lines, spending money, and rides. What sets the DMV apart from the happiest place on earth? One important ingredient is Customer Empowerment.

One way the Disney folks empower customers is by posting periodic signs in long lines: “Wait Time: 45 minutes from this point.” Though the sign does not decrease wait time, it informs and empowers customers. And as Disney knows, empowered customers are happy customers. Frustrated, angry customers are far more likely to cause trouble or leave altogether.

The best way to rebuild your customers’ trust is to empower them. Too many breach notifications include the unhelpful statement, “We have no reason to believe that anyone has accessed or misused your information.” The statement is faulty because it does not empower the customer to take action. Also, if the statement isn’t completely true, or if it changes in the future, it may inadvertently induce liability under certain circumstances. Further, these types of statements tend to frustrate rather than empower customers, causing some to conclude that the notification is incomplete or disingenuous.

Instead, consider these options:

  • Say, “Although we have no reason to believe that anyone has accessed or misused your information, if you think your personal information has been misused as a result of this breach, please call 1-800-XXX-XXXX so we can investigate…”
  • Include statistics on typical rates of harm for similar breaches, where possible.
  • Actually investigate the breach.
  • Create a website where customers can get up-to-the-minute updates on the investigation directly from you.

Mitigating Civil Liability

ARRA does not expressly create a private right of action for a HIPAA breach. Other theoretical sources of liability exist, though. For example, an individual may be able to rely upon a notification statute as the basis for a suit alleging negligence per se, where the breach of the duty to notify proximately causes harm to the plaintiff. Next, failure to correct statements (such as privacy policies) which have become false or misleading in light of new events may create a tortious cause of action if the company fails to warn customers about foreseeable risks to personal information.

In contrast, most breaches are not likely to create privacy liability. Privacy tort actions usually require the breached information to cause extreme emotional distress, or a dilution of the property value of reputation or prestige. In addition, most courts have consistently failed to force companies to pay for credit monitoring services unless:

  1. A person has become an actual victim of identity theft,
  2. The person has found the thief,
  3. The person can prove that the thief’s copy of their SSN or other personal information came from the breaching entity, and
  4. The person proves that the entity had a legal obligation to keep that information private.

Instead, it’s important to remember that businesses stand to lose more money from brand diminishment and lost customer trust than from litigation.

Stimulus Package Federalizes Health Information Breach Notifications

Note: This article was originally posted on JeffreyNeu.com.

Streamlining medical records has been a recurring theme of the Obama administration. Tucked away in the pending economic stimulus legislation, known as the American Recovery and Reinvestment Act (ARRA), is a provision which would create a breach notification requirement for health information breaches.

Starting in Subtitle D, ARRA takes an unprecedented foray into federalizing data breach notifications. Although ARRA regulates breaches of health information, this legislation will no doubt be front and center of future debates about creating a Federal Breach Notification Law.

Synopsis

Here is a quick analysis: ARRA mirrors most state breach notification laws, in that it requires “covered entities” (i.e., Health Plans, Health Care Providers, and Health Care Clearinghouses) to notify each individual if their “unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of [a] breach.” Business Associates, or subcontractors, must alert the Health Care Provider of a breach. The statute also places additional limits on how health information can be sold and shared.

The statute dramatically broadens the ambiguous state-law concept of “data owners,” and applies to any HIPAA-covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information.”

As expected, the Federal law takes a lowest-common-denominator approach to duties. For example, although notifications must be made “without unreasonable delay,” the statute allows up to 60 calendar days to comply. This is substantially longer than the strictest state requirement, which requires notification within 45 days.

Each state notification law requires direct (i.e., mail) notification to affected individuals unless the person can’t be found, and allows “Substitute Notice” in cases of large breaches. “Substitute Notice” usually comprises posting an announcement on the organization’s website and notifying the media. Some states do not permit Substitute Notice unless the breach is extremely large (250,000+ in some cases). But ARRA allows substitute notice if the breach involves just 500 people in a single state.

The statute also reaches well beyond traditional “covered entities” to any service provider or vendor of personal health records. Presumably, this would include data warehouses like Google or Microsoft, each of which has or has announced plans to create online consumer health records warehouses. However, these vendors need only report the breach to the FTC, which will treat it as a deceptive trade practice. Individuals should not expect a letter from Google or Microsoft if their health care records are breached.

On one hand, this federal legislation will plug holes in several states’ statutes by regulating health information. Arizona, California, Hawaii, Michigan, Oregon, and Rhode Island, for example, regulate health care providers and insurers differently from other companies, and may even completely exempt them from notification requirements.

This bill will no doubt spur the national discussion about breach notification laws. But because it mimics existing state laws, the bill comes up short. Breach Notification Laws were a step in the right direction when California passed the first one almost seven years ago. But since that time, they have displayed several shortcomings, which I critique here. Instead of fixing these problems, ARRA will exacerbate many of them.