BreachExchange mailing list archives
Data security: pay it now or pay out later
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Nov 2013 00:18:56 -0700
http://www.lexology.com/library/detail.aspx?g=f896a107-d388-4092-9c2a-ede837ab933b

The price of compliance may be high, but the price of non-compliance is even higher. Based on its recent $3 million data breach settlement, AvMed, and many other entities that have experienced data breach litigation, would likely agree that paying for security upgrades now is far superior to paying for data breaches later.

In 2009, AvMed, a Florida-based health insurer, reported the theft of two laptops containing unencrypted personal information of more than 1.2 million customers, including names, social security numbers, and health-related information. Last week, AvMed signed a settlement agreement to end the class action litigation that began in 2010. The settlement essentially requires AvMed to implement data security measures it should have had in the first place, including mandatory security awareness training, new password protocols, upgrades to laptop security systems, facility security upgrades and updates to security policies and procedures (all of which are set out in HIPAA regulations).

Not only does AvMed have to correct its non-compliance, but it must also forfeit the “unjust enrichment” it has received over the years by not spending sufficiently for data security it should have provided. AvMed will reimburse “premium overpayments” of $10 for each year the customer paid AvMed insurance premiums, with a $30 cap for each approved class member, without a showing of actual harm. In addition, AvMed will pay actual, proven losses due to identity theft.

The AvMed settlement proves the need to implement data security measures now that will protect your company, patients and customers in the future. Although data losses are likely inevitable, breaches can be prevented by implementing data security measures already suggested or required by regulations for most healthcare entities.
In AvMed’s case, encryption would have rendered the stolen information unreadable and no breach would have occurred. In the wake of HIPAA, HITECH and state data privacy/security laws, it’s not surprising that companies are feeling the financial pinch of upgrading data security systems to ensure that they do not fall victim to hackers, thieves, and even unintentional errors resulting in lost protected health information. Although most are working towards compliance, others have reasoned that the time and the money necessary to implement data security measures are not worth it. AvMed would likely disagree. Data breaches in the healthcare sector are extremely costly. A simple theft can lead to a long list of costs including civil monetary penalties to Health and Human Services, criminal penalties to the Department of Justice, and loss of business through negative press. Plaintiffs’ litigation now adds another layer to the potential financial outlay.