KT Connections Blog

KT Connections has been serving the Rapid City area since 1997, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Understanding Data Breaches Is The First Step To Stopping Them


Since the beginning of the year, over 10 million personal records have been lost or stolen every day. As a result, chances are high that you or someone you know has been the victim of a data breach. However, because many individuals and businesses are never notified, they may have incorrectly concluded that they are not at risk. Unfortunately, that is not the case.

In actuality, there is a considerable chance that your personal information has already been compromised, but the company responsible for losing it was not required to inform you. This is just one reason why it is critical to understand your rights as outlined in data breach laws. Do you know what information is legally considered ‘personal’? How many loopholes could a company have used to avoid notifying you of the breach?

Legal Definition of Personal Information
Each state has its own laws that govern how businesses must respond to a data breach. While there is a consensus on the basic responsibilities these organizations have once data is accessed without permission, there are differing opinions on what constitutes personal information. Two qualifications most jurisdictions agree on are:

  1. First name or first initial and last name, AND
  2. One or more of the following elements: Social Security number, driver’s license or state ID number, financial account numbers.

Some states go a step further by considering only accounts secured with a PIN or password as being worthy of notification. For example, if your debit card number was stolen, the business that let it happen does not need to contact you unless both the number AND the PIN were compromised.

States that take a more advanced view of data security, such as North Carolina and Nebraska, include biometric information in their definition of personal information. Other states, like Missouri, have specific laws on the books that limit the legal portability inherent in the broader statutes.

Since the majority of health and medical data is protected under the federal Health Insurance Portability and Accountability Act (HIPAA), only a few states include this information in their definition of personal information.

Additionally, some state laws set a threshold for the number of personal records a company can have compromised before it must contact the state attorney general’s office. This number varies, but most states agree that anything over 1,000 to 5,000 records lost constitutes an event for which reporting becomes necessary.

Currently, however, the statutes on the books are biased toward protecting organizations from individual legal reprisals. Qualifications that protect corporate interests include:

  • Encryption: Many states have deliberately included specific language to protect corporations if the information was encrypted by the organization, stolen, and decrypted afterwards. The same applies to redacted information. If it is found that a business worked to secure the data, no breach notification is necessary.
  • Questionable non-personal information: In various states, questionable information can be classified as non-personal. One example is the last four digits of a person’s Social Security number. Since the integrity of the whole number remains intact, the organization does not have to report it to the state’s attorney general as having been compromised.
  • Good-faith acquisitions: Most states list ‘good faith acquisitions’ as exemptions from data breach statutes. A ‘good faith acquisition’ is defined as an event where data is lost or compromised by people employed by the organization where the individual works, or by someone with a working relationship to it (such as a vendor). Since a co-worker, superior, or vendor is considered less likely to misuse or lose personal information, no breach notification is necessary if the event meets this very subjective ‘good faith’ requirement.
  • Risk of harm analysis: Around half of U.S. states have laws that allow an information-holding entity to run a ‘risk of harm’ analysis to quantify the risk that any compromised personal information could be used by another party or abused in unauthorized transactions. If the organization finds that the risk of harm is minimal, it does not need to notify the parties involved.

The fact is that a data breach, regardless of the circumstances surrounding it, is a negative event. Call the IT professionals at KT Connections to find out how we can proactively manage your network to keep threats from affecting your data. Call us today at 605-341-3873.
