BreachExchange mailing list archives

Data security: pay it now or pay out later


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Nov 2013 00:18:56 -0700

http://www.lexology.com/library/detail.aspx?g=f896a107-d388-4092-9c2a-ede837ab933b

The price of compliance may be high, but the price of non-compliance is
even higher. Based on its recent $3 million data breach settlement, AvMed,
and many other entities that have experienced data breach litigation, would
likely agree that paying for security upgrades now is far superior to
paying for data breaches later.

In 2009, AvMed, a Florida-based health insurer, reported the theft of two
laptops containing unencrypted personal information of more than 1.2
million customers, including names, Social Security numbers, and
health-related information. Last week, AvMed signed a settlement agreement
to end the class action litigation that began in 2010. The settlement
essentially requires AvMed to implement data security measures it should
have had in the first place, including mandatory security awareness
training, new password protocols, upgrades to laptop security systems,
facility security upgrades and updates to security policies and procedures
(all of which are set out in HIPAA regulations).

Not only does AvMed have to correct its non-compliance, but it must also
forfeit the “unjust enrichment” it has received over the years by not
spending sufficiently for data security it should have provided. AvMed
will reimburse “premium overpayments” of $10 for each year the customer
paid AvMed insurance premiums with a $30 cap for each approved class member
without a showing of actual harm. In addition, AvMed will pay actual,
proven losses due to identity theft.

The AvMed settlement proves the need to implement data security measures
now that will protect your company, patients and customers in the future.
Although data losses are likely inevitable, breaches can be prevented by
implementing data security measures already suggested or required by
regulations for most healthcare entities. In AvMed’s case, encryption would
have rendered the stolen information unreadable and no breach would have
occurred.

In the wake of HIPAA, HITECH and state data privacy/security laws, it’s
not surprising that companies are feeling the financial pinch of upgrading
data security systems to ensure that they do not fall victim to hackers,
thieves, and even unintentional errors resulting in lost protected health
information.

Although most are working towards compliance, others have reasoned that
the time and the money necessary to implement data security measures are
not worth it. AvMed would likely disagree.

Data breaches in the healthcare sector are extremely costly. A simple
theft can lead to a long list of costs including civil monetary penalties
to Health and Human Services, criminal penalties to the Department of
Justice, and loss of business through negative press. Plaintiffs’
litigation now adds another layer to the potential financial outlay.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
