Angry Employees and Your Corporate Data

Beyond the Syrian Electronic Army, Anonymous and other hacktivists cracking into databases, there is yet another threat—perhaps even a greater threat—to your corporate information: angry employees.

Did you know that half of employees who left or lost their jobs in the last 12 months kept confidential corporate data? It’s true. And according to a global survey from Symantec,


Market Impact of a Data Breach

In my Changeup post the other day, I mentioned that my colleague Paul Henry had saved an organization an estimated $10M (or roughly 15%) in market cap by showing that an intrusion had no material impact. That got me to thinking: what *is* the typical market impact of a breach?


ZIP Codes Are … PII?!

Mr. ZIP (or Zippy to his friends) was born back in July 1963 and the soon-to-be 50-year-old is finally getting some privacy … in Massachusetts at least.

The Massachusetts Supreme Court recently determined that under Mass. Gen. Laws, ch. 93, § 105(a), “personal identification information” includes a consumer’s ZIP code and decided that collecting such personal information is a violation of state privacy law for which the consumer can sue.


Global 2013 Trends in Data Protection Maturity

Protecting sensitive information has become increasingly difficult over the last few years – if you haven’t recognized this fact and modified your security approach recently, you’ve got issues.

One reason for this is the explosion of mobile devices on our networks. While convenient for our users and a significant productivity booster for our business,


Uncle Sam Has Yet Another Data Protection Bill

The latest attempt at creating a US Federal data protection / data breach notification law was recently introduced in the Senate. The “Data Security and Breach Notification Act of 2012” (S.3333) was submitted by Sen. Pat Toomey (R-PA) with the support of Sens. Olympia Snowe (R-ME), Jim DeMint (R-SC), Roy Blunt (R-MO) and Dean Heller (R-NV).


Vermont Updates Data Breach Notification Laws

Updates to the Vermont Data Protection and Breach Notification laws came into effect in May 2012. As readers of my posts know (yo G!), although I seem to play one in this blog, IANAL. With that said, since these laws seem to cover any business in the US and beyond, you should take a quick look at Vermont’s data protection laws.


Data Breach Trends in the Financial Sector

Financial institutions are, it seems, doing a better job at protecting customer data than most industries. This is the conclusion one reaches when looking at the latest data in the Chronology of Data Breaches from the Privacy Rights Clearinghouse.

Overall, the CDB has 2929 breaches in the 2005–2012 timeframe, involving 544,591,013 records (yup,


Illinois’ New Data Protection Law

News today, courtesy of Brendon Tavelli at Proskauer’s Privacy Law blog via the always excellent Office of Inadequate Security, of a new data breach notification bill just signed by Governor Pat Quinn of Illinois. Interesting to me both personally (Go Illini!!) and professionally, this bill (HB 3025) amends Illinois Public Act 097-0483 (the Personal Information Protection Act) and brings the state in line with a small but growing number of states which mandate what information must be contained in a breach notification, as well as the cooperation required between the “data collector” and anyone holding or storing the data.


It’s Time to Act

January 28, 2011 is Data Privacy Day. Analyst Eric Ogren from The Ogren Group sat down with Lumension CEO Pat Clawson to ask some key questions around what this day means for the industry and how it has made an impact since Congress implemented it two years ago. Both Eric and Pat get down to the key issues while at the same time offering specific advice for individuals and organizations to better protect their most important asset –


iPad Security – Does the Enterprise Care?

With the introduction of the iPad, Apple is again hitting the consumer market with an innovative product that may have security implications for enterprise IT teams. Although based on the iPhone OS, the use cases identified by Apple for the iPad (especially as an electronic document reader) portend a wide range of business uses that would not be viable on the small iPhone screen.


Is FIPS 140-2 Fatally Flawed?

So, upon my return to the Valley of the Sun and after figuring out where our new offices (let alone the coffee machine and bathrooms) were (Lumension has moved, in case you’ve not heard – 3rd floor with a seriously sweet view), I settled down to see what happened over the holidays. First up – the German security consultancy SySS published a method by which certain USB flash drives with “built in” FIPS 140-2 certified encryption are vulnerable to attack.


Who Owns Your Data in a Social World?

Over the past months it has been interesting to watch the furor over certain End-User License Agreements and the definition of data ownership. Most draconian was the idea that once posted by a user, the data transferred ownership to the social networking site. This of course has huge implications for an individual user, especially for professionals who use social sites to propagate their content.


“Micro-Botnet” – The Cybercriminal’s Choice for Enterprise Data Stealing?

Last winter and spring we all watched with interest the headlines heralding the spread of the Conficker botnet. The under-reported part of the story was the fact that well-patched enterprise networks were largely unaffected by Conficker’s bloom. In some circles, this seems to have led to a complacency, or a belief that botnet infections are not a problem for well-maintained enterprise networks.
