Being a CISO is a tough gig.  The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small.  But the perception still lingers that the Chief Information Security Officer (or the InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response.  For some CISOs, it may feel like High Noon, all over again.

This is unfair to the CISO, and wrong on at least two counts.  First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control.  Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.
Continue Reading Why govern your information? Reason #10: It’s a when, not if, world for data breaches

In my last post I talked about how organizations can get employees to follow security advice. Today’s riff is on “making it personal.” Make security self-serving.  In other words, answer the question, “What’s in it for me?”  Corporate security is inextricably linked to personal privacy—here’s why.
Continue Reading Corporate security – “What’s in it for me?”

This week, with echoes of vintage John Mellencamp in the air, the U.S. Court of Appeals for the Sixth Circuit took a gavel to the wall that for years has blocked consumer class actions for data breach claims – Article III standing.  In Monday’s unpublished, 2-1 decision in consolidated cases against Nationwide Mutual Insurance Company, the court ruled that plaintiff consumers had standing to pursue negligence claims against Nationwide arising out of a 2012 security breach, in which hackers stole personal information of 1.1 million customers.

The Sixth Circuit is now aligned with the Seventh Circuit, which just last year in its Neiman Marcus decision similarly lowered the bar for Article III standing in consumer data breach litigation.
Continue Reading Consumer data breach litigation standing – the walls are crumblin’ down

By now, you’ve surely heard about the hack of the Democratic National Committee that gathered thousands of email messages, the contents of which were exposed by WikiLeaks and ultimately caused Chairwoman Debbie Wasserman Schultz to resign. But did you also know that only last fall, the DNC commissioned a two-month security risk assessment that yielded dozens of recommendations to improve the security of its network? The real story is what happened next.
Continue Reading Why people ignore security advice, and what to do about it

Sometimes we make things way too complicated – especially our relationship with business data. Allow me to “kidnap” Robert Fulghum’s classic poem – wisdom in effectively governing information compliance, cost, risk, and value is not found exclusively at the top of the data science mountain, but there in the sandpile at kindergarten.  Here are the things we learned there:
Continue Reading All we really need to know about Information Governance we learned in kindergarten

OK, “souls” is alliterative, but a bit over the top.  How about instead “selling our bodies for security,” such as our retinas, our fingerprints, or our faces?  Multifactor authentication is indeed a useful security access control, the combination of two or more of (1) something you know, (2) something you have, and (3) something you are.  Thus, requiring both a password or PIN (something you know) and also a token or certificate (something you have) should be more secure than merely requiring a password.

The problem is that as biometric authentication becomes more widespread, our immutable characteristics are in play, in a when not if world of data breaches.  Getting hacked can cause harm and embarrassment, but if biometric authentication becomes widespread, the post-breach “loss of face” will be literal … and also permanent.
Continue Reading Selling our souls for security