4IT Blog

4IT has been serving the Miami area since 2003, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

The Blindside Of: Data Breaches


Over the last couple of years, as data breaches have become much more frequent and public awareness of them has grown, many of our customers have come to appreciate our record on data breaches. To date, none of our managed service customers have had to manage or remediate a breach, which, as many of you may not be aware, can be expensive and painful. Just how expensive and painful is the topic I would like to address today.

We have recently worked with a number of companies that were referred to us after a data breach. The effort involved in locking down a poorly managed environment, isolating the extent of the breach in terms of the data that was exposed, and communicating with the parties whose data was exposed is likely to be a huge business interruption, cost a lot of money, and create some very negative publicity for the breached entity.


For those of you who are not familiar with Florida law regarding data breaches, Florida Gov. Rick Scott signed the Florida Information Protection Act (SB 1524) into law, amending Florida’s breach notification statute effective July 1, 2014. According to Karen Booth of Law360.com, “the act replaces Florida’s current breach notification statute (Fla. Stat. § 817.5681) with a new statute (Fla. Stat. § 501.171), which, among other changes: (1) expands the definition of “personal information” triggering breach notification obligations to include an individual’s online account credentials (following California’s recent amendments), and also to include an individual’s name in connection with his or her health care or health insurance information; (2) expands the definition of “breach” from “unlawful and unauthorized acquisition” of personal information to “unauthorized access” of such information; (3) reduces the deadline for notifying affected individuals from 45 to 30 days after discovery; (4) requires notification to the Florida attorney general regarding breaches affecting more than 500 individuals “in Florida”; (5) imposes unique requirements to provide copies of forensic reports, “policies regarding breaches,” and other documentation to the attorney general upon request; (6) requires reasonable data protection and secure disposal of personal information; and (7) retains relatively unique provisions of Florida’s current statute imposing daily monetary fines for late notice and requiring vendors to notify data owners of breaches within 10 days of discovery, while maintaining that the statute creates no private right of action.”

To meet these new state requirements for identifying affected individuals and notifying them and the Florida AG once a breach has occurred, preparing proactively for a breach becomes almost mandatory. What does this kind of preparation look like?

First, there are a number of IT infrastructure changes and specific software tools that should be added to the environment to help identify the scope of a breach. These include enabling more extensive logging on all internet-exposed devices; logging access permissions and authentication events on the internal network and on any external websites where the entity might be storing PI (Personal Information); and identifying and isolating any PI data within the IT infrastructure. Once these changes have been made, a separate system that collects and permanently stores all of these logs is critical: it is what lets you rapidly scan the logs to establish when the breach occurred, what data was exposed, and when the breach was closed. If none of these can be established, then by default the breached entity would have to presume that all data was exposed, significantly widening the impact of the breach.
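The scoping step described above, worked through in code. This is an added example, not 4IT's tooling or anything from the original post: the pipe-delimited log format, the field names, the PI inventory (`PI_RESOURCES`) and the sample log lines are all constructed for illustration. Given centrally collected access and authentication logs plus an inventory of where PI lives, it establishes the breach window (first and last successful attacker access), the PI stores with evidence of access, the containment time, and, where a PI store has no log coverage at all, falls back to the presumption that all PI was exposed.

```python
"""Establish when a breach began, what PI it touched, and when it was closed,
from centrally stored access logs.

Added example, not 4IT's own tooling. The log format, the field names, the
PI inventory and the sample log lines are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample of centrally stored logs: VPN/auth events plus access
# events on resources that hold PI. Assumed field layout:
# timestamp|action|user|source_ip|resource|outcome
SAMPLE_LOGS = """\
2014-08-01T02:14:09Z|login|svc_backup|203.0.113.7|vpn|success
2014-08-01T02:15:41Z|read|svc_backup|203.0.113.7|db:customers|success
2014-08-01T02:16:02Z|read|svc_backup|203.0.113.7|share:hr_records|success
2014-08-01T09:00:00Z|login|alice|10.0.0.12|vpn|success
2014-08-01T09:05:13Z|read|alice|10.0.0.12|db:customers|success
2014-08-02T03:40:55Z|read|svc_backup|203.0.113.7|db:customers|success
2014-08-02T10:30:00Z|disable_account|admin|10.0.0.5|svc_backup|success
2014-08-02T11:02:17Z|login|svc_backup|203.0.113.7|vpn|failure
"""

# Output of the "identify and isolate PI" step: every place PI is stored.
# share:payroll deliberately never appears in the logs, to show the gap case.
PI_RESOURCES = frozenset({"db:customers", "share:hr_records", "share:payroll"})


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    user: str
    src: str
    resource: str
    outcome: str


@dataclass
class BreachScope:
    first_seen: datetime | None = None   # earliest successful attacker event
    last_seen: datetime | None = None    # latest successful attacker event
    closed_at: datetime | None = None    # containment action in the logs
    accessed_pi: set[str] = field(default_factory=set)   # PI with evidence of access
    unlogged_pi: set[str] = field(default_factory=set)   # PI with no log coverage
    presumed_exposed: set[str] = field(default_factory=set)


def parse_logs(text: str) -> list[Event]:
    """Parse the pipe-delimited format above into Event records (UTC)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user, src, resource, outcome = line.strip().split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, action, user, src, resource, outcome))
    return events


def scope_breach(events, compromised_users, untrusted_sources, pi_resources) -> BreachScope:
    """Bound the breach from log evidence. A PI store that never shows up in the
    logs has no coverage, so exposure cannot be bounded and all PI must be
    presumed exposed (the default the post warns about)."""
    scope = BreachScope()
    ordered = sorted(events, key=lambda e: e.ts)
    attacker = [
        e for e in ordered
        if e.outcome == "success"
        and (e.user in compromised_users or e.src in untrusted_sources)
    ]
    if attacker:
        scope.first_seen = attacker[0].ts
        scope.last_seen = attacker[-1].ts
        scope.accessed_pi = {e.resource for e in attacker if e.resource in pi_resources}
    # Containment: first successful disabling of a compromised account.
    for e in ordered:
        if e.action == "disable_account" and e.outcome == "success" and e.resource in compromised_users:
            scope.closed_at = e.ts
            break
    logged = {e.resource for e in events}
    scope.unlogged_pi = set(pi_resources) - logged
    scope.presumed_exposed = set(pi_resources) if scope.unlogged_pi else set(scope.accessed_pi)
    return scope


def notification_deadline(discovered_at: datetime, days: int = 30) -> datetime:
    """Individual-notice deadline under the statute quoted in the post: 30 days
    from discovery. The clock runs from discovery, not from first_seen."""
    return discovered_at + timedelta(days=days)


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    s = scope_breach(evts, {"svc_backup"}, {"203.0.113.7"}, PI_RESOURCES)
    print(f"window: {s.first_seen} -> {s.last_seen}, closed {s.closed_at}")
    print(f"evidence of access: {sorted(s.accessed_pi)}")
    print(f"no log coverage:    {sorted(s.unlogged_pi)}")
    print(f"presumed exposed:   {sorted(s.presumed_exposed)}")
    print(f"notify individuals by: {notification_deadline(s.closed_at)}")
```

In the sample, the logs bound the attacker's window to two days and show only two PI stores being read, but because `share:payroll` has no log coverage at all the scope cannot be narrowed and all three stores are reported as presumed exposed. Removing `share:payroll` from the inventory (or, in practice, having logs for it) collapses the presumption to the two stores with actual evidence, which is exactly the reduction in impact that the logging investment buys.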

Second, it is clear from the new requirements that the Florida AG can request a great deal of information to establish whether the breached entity was negligent. That the Florida AG can request documentation including corporate policies for data breaches, forensic reports, incident response plans and reports, and other documentation is a clear indication that the state plans to assess how well prepared the entity was to react appropriately to the breach.

As we have assisted more referral customers in working through the difficulties of a data breach, it has become quite clear that being able to close the breach rapidly, identify its scope, and point to well-documented and published corporate policies regarding breaches is imperative to reducing the liability, cost, and business interruption a breach will create.


For more information on IT security best practices, or to schedule an audit of your company’s IT infrastructure, call us at 305-278-7100.
