
UPDATE: “This is not a security breach.” Really? IRS hit by cyberattack, thousands of taxpayers’ information stolen

Shawn E. Tuma:

UPDATE: We now think we know a little more about this:

  1. Russian hackers are believed to have been behind it (CNN Story);
  2. Tax return information of more than 100,000 taxpayers was stolen;
  3. The information was used to obtain $50 million in fraudulent tax refunds;
  4. The taxpayers whose information was stolen will be offered free credit monitoring.

So, with this, can we now get a retraction of that incredible statement? “This is not a security breach.”

Originally posted on business cyber risk | law:

Compare and contrast the following statements:

“Thieves managed to steal information on more than 100,000 taxpayers from the IRS,” Commissioner John Koskinen said Tuesday.

“This is not a security breach. Our basic information is secure,” Mr. Koskinen insisted.

Well, I am glad to know that stealing consumer data from the computer of an entity to which it was entrusted is not a security breach. Nothing to see here. Move along …

Read more: IRS hit by cyberattack, thousands of taxpayers’ information stolen – Washington Times.


Really??? Proposed legislation would allow companies to keep some data breaches secret

Let me make sure I have this right … the same company officials who are currently being warned about cyber risk but are not finding it significant enough to act are going to be the ones who determine whether there is a reasonable chance that customers will be harmed — from their data breach — and if, in their judgment there is not, they will not have to go through a breach response? Really???

“The proposed law would require quick disclosure by companies if there is a risk of serious identity theft or fraud, [reports] the Wall Street Journal’s Risk & Compliance Journal (sub. req.). But there would be no need for disclosure when company officials believe there is no reasonable chance that customers will be harmed.”

via Proposed legislation would allow companies to keep some data breaches secret.


CareFirst cyberattack causes data breach of more than 1 million members

“Personal information of more than 1 million current and former CareFirst BlueCross BlueShield members was leaked in a cyberattack on the insurer’s database.” The information exposed included names, birth dates, email addresses, and subscriber identification numbers. The attack was similar to the one on Premera BlueCross, which was hit one month before CareFirst.

Read more: CareFirst cyberattack affects more than 1 million members – Baltimore Business Journal.


Excellent information and great company: check out AllClear ID’s “Resources” page

I have always been a fan of AllClear ID for being the best of the best at handling breach response logistics but now, I have to give them a shoutout for another reason. AllClear has a Resources page with some of the very best and most well-respected law firm blogs in the world.

While I am certainly not saying it is deserved, it is very much appreciated that they have chosen to include this blog — the Business Cyber Risk Law Blog — among such great company. Go check it out and you will see for yourself why this is such an honor.

Thank you AllClear ID!


FTC Gives Good Reason to Not (Try to) Hide Data Breaches

Why do I need to report a data breach?

This is a common question that business owners ask me all of the time. In response, I rattle off a laundry list of reasons why reporting is not optional but mandatory: ethical stewardship and obligations, business and public relations reasons, and finally the legal obligations that make it mandatory.

Some still think I am just Chicken Little claiming the sky is falling, but so it goes as some people just can’t be helped.

Thanks to the FTC, I now have another reason to give them. It fits under the legal obligations and, while most of us in this profession implicitly knew this all along, it never hurts when an agency like the FTC just comes right out and says it: the FTC said that it looks ‘favorably’ on firms that report a data breach.

“In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach,” said Mark Eichorn, the agency’s assistant director for privacy and identity protection.

There you go, simple enough? Yes, you must report the data breach. Period. End of story.

Read more via FTC looks ‘favorably’ on firms that report data breach | TheHill.

Cybersecurity Risk: Law and Trends – Ethical Boardroom Article

The law is trending toward more risk of liability for Officers and Directors. Learn more about this from my recent article in Ethical Boardroom — full text available without paywall here: Cybersecurity Risk: Law and Trends.