04/22/2013 06:09 pm ET Updated Jun 22, 2013

What's a Data Breach?

We read about it regularly: a company has a data breach and loses millions of client or patient records because its server is hacked, a laptop is lost, or a USB stick is stolen. The list goes on and on. There are so many ways data goes missing that may constitute a breach, and that is the purpose of this piece: to provide food for thought on the different ways in which your data can "go missing."

Lost Items: What do people lose? CDs, DVDs, USB sticks, memory cards, computers, smartphones, tape backups, disk drives, laptops and paper files are all items which contain data and which can and do go missing. It has been reported that the Transportation Safety Administration (TSA) recovers between 900 and 1,200 laptops left at checkpoints monthly. Add to that the ease with which a USB stick, memory card or smartphone is misplaced and you can see how the number of lost items grows. It happens every day, as evidenced by the five memory sticks currently residing in San Diego International Airport's (SAN) lost and found; these five items were lost between Feb 10 and April 21, 2013. (SAN has a searchable database of lost items; in addition to the memory sticks, approximately 50 phones, 20 laptops, and even an individual's medical records were left behind at SAN.)

Stolen Items: If it has value, it may be a target for theft: computers, laptops, smartphones, backup tapes, disk drives, documents, etc. We've all read of the individual who walks into a coffee house, puts their laptop on the table to go order a cup of coffee, and when they return it's gone. Or the individual who leaves a briefcase of documents and memory cards in their vehicle, and the vehicle is stolen or the items are taken. Whether stolen for the data or for the device's value, both can constitute a breach if the data within is unprotected. Take the December 2012 instance when Crescent Healthcare (a Walgreen's company) had their billing office broken into and computer hardware and papers stolen, all of which contained Patient Health Information (PHI) and Personal Identifying Information (PII); the loss necessitated a HIPAA violation notification. (See: Crescent Healthcare Notifies Individuals of 2012 Data Breach)

Malware/Crimeware: The computer, smartphone, tablet or drive you are using becomes infected with malware or crimeware and your sensitive data is harvested. This happens with regularity. These malicious programs copy whatever data they find and transmit it to the malevolent individuals behind them. One of the most egregious such events happened to Global Payments, which lost more than 1.5 million account records to online criminals (See: Global Payments Data Breach). Another is the case of South Carolina's Department of Revenue, whose database of 3.8 million tax returns was compromised when an employee opened a malicious email containing malware. (See: NBC's report "One email exposes millions of people to data theft in South Carolina cyberattack")

Disposal: Every year we read about information being found along the street or thrown into dumpsters, or data recovered from a device's memory after it was bought off eBay, Craigslist or the like. All avoidable, with a bit of forethought. USA Today ran a piece on sensitive data found on devices in 2012; their researcher "randomly purchased 30 used devices off Craigslist, and had them examined with simple forensics tools. Half the devices were thoroughly wiped clean, but 15 disgorged plenty of sensitive data, ranging from bank account and Social Security numbers to work documents and court records." (See: USA Today - Discarded digital devices can contain sensitive data)

Mail/Fax/Email: We've all done it: sent an email to an individual and then realized they weren't the intended party. When dealing with sensitive data, this may constitute a breach. The same goes for faxing information to the wrong party. A recent case involving retired North Carolina government employees had 26,000 individuals' Social Security numbers revealed through the envelope window due to a misalignment of the printed document. (See: NC exposes SSN's)

Insider: Both the inadvertent (human error) and the malicious (criminal) exposure of data involve the insider. And yes, from time to time individuals have been known to break trust with their employer or its clients and engage in malicious or illegal behavior. In some cases the insider has privileged access to the sensitive data; in others, they may go mining for the data, far exceeding their authorized remit. In either case, a lack of checks and balances makes the loss easier to occur and harder to detect. Take the example of Florida Hospital, which discovered in 2011 that an employee had been accessing the records of 763,000 patients (from 2009-2011) and had sold the data on 12,000 car accident victims to attorney and chiropractor referral services. A HIPAA violation if there ever was one. (See: Former Florida Hospital Employee Pleads Guilty to Data Theft) Or take the instance in which human error caused a potentially horrible disclosure at the Pembrokeshire County Council in Wales, which apparently mailed 400 pages of psychiatric records on 10 abused children to an individual who had requested their own file. (See: Hundreds of pages of confidential reports released after council blunder.)

Websites: For example, you provide data to a company or organization via their web registration site and they put it into a database which you can access to keep your data up to date, but they don't secure the website. Depending upon what data is provided, the breach can be minimal or very invasive. The Privacy Commissioner of Canada commissioned a study to look at websites for data leakage. The commissioner went on to say, "the email, username and location were shared with marketing firms and analytics providers. Another example involved a well-known Canadian media site" that gave user data like usernames, emails, and postal codes to a "content delivery, marketing company, an advertising network, and a news content provider." All of which potentially violated Canada's data privacy laws. (See: Canadian Privacy Commissioner Reveals Websites Sharing User Data Inappropriately)

Now you have an idea of what may constitute a data breach. If you are entrusted with data, do take the time to understand the processes and procedures which are in place to protect it. An easy rule of thumb: treat data as you would cash. You don't leave it lying about, you don't give it to someone without knowing why, and you keep it in a safe and protected locale.