Labcorp suffers a data breach

Data breaches are happening more frequently than most companies are willing to admit. Labcorp, one of the nation’s largest medical diagnostic companies, released a statement yesterday stating that it is investigating a possible data breach that may have occurred over the weekend. I applaud Labcorp for coming forth so early in the breach response process. What sets a company apart from the pack is not only its efforts to prevent breaches, but how it structures its breach response policies. More than ever it is essential that affected parties are notified as soon as possible, to prevent further harm to the party and further reputational harm to the company. You can read more about the Labcorp data breach by clicking the hyperlinked text.

Not to be outdone Alabama is the final state to pass a Data Protection Bill

Right on the heels of South Dakota, which passed its data protection bill in February of this year, Alabama is the 50th and final state to pass a data protection bill. Alabama SB 318 was passed this month. The codification of state data protection laws began in 2003 with California; to date all remaining states have followed suit. SB 318 seemingly incorporates the Health Insurance Portability and Accountability Act's (HIPAA) terminology and some of its application.

Class of protected: The statute applies to individuals residing within the state.

Individual rights: Individuals are afforded protection from a breach, which is defined as the unauthorized acquisition of personally identifiable information (PII). PII is also referred to as personal data in some jurisdictions.

Data protected: The statute outlines the type of PII that is protected under the statute as “electronic data” that can be any of the following: Identification number (military, driver’s

South Dakota finally passes a data protection law

In the EU, individual privacy and data protection have been fundamental rights for quite some time and are now a way of life under the GDPR. Data protection in the U.S. is a fairly new concept. In 2003, California was the first state to pass a data protection law. Since then, 48 other states have followed suit by passing data protection laws that protect the personal data of their respective residents. South Dakota is not the last state, but by passing SB 62 in February of this year it is still pretty late to the data protection party.

Class of the protected individuals: The bill applies to individuals residing in the state.

Individual rights: Individuals have the right to have their personally identifiable information (PII) protected from being acquired by unauthorized parties (a breach). PII is defined as “computerized data” consisting of first name (or first initial) and last name AND one of the following: Identification number (such as social security numbers

Common Privacy Terms

Controller – any person or entity that determines the purpose of data.
Processor – any person or entity that processes data for the controller.
Personally Identifiable Information (PII) – information that can be reasonably linked to an individual, using persistent identifiers.
Personal Data (EU term) – data related to an identifiable natural person, who can be identified (directly or indirectly) by reference to an identifier: ID number, location data, or the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Encryption – turning data into unreadable cipher text (ibid.). This is usually done with the use of an encryption key, which specifies how the message is to be encoded.
Breach (Data Breach) – unauthorized and sometimes unlawful access to and/or acquisition of PII.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
PHI (Protected Health Information) – identifiable health information, including demographic data, that rel

Cyber Threat Life Cycle

A targeted threat is when attackers make a conscious effort to attack a particular organization, so they take their time to study the organization's systems and strategically plan the attack. There are several common steps that an attacker takes during a targeted threat.

Several steps in a targeted threat life cycle:
External Reconnaissance occurs when attackers collect intelligence on HOW to successfully attack. They look for unpatched systems, IP address ranges, open ports and target endpoints.
Breach (penetration of the perimeter) is achieved using one of the many tactics used to gain access, such as social engineering, phishing, vishing, brute force attacks, tailgating, drive-by download, etc.
Internal Reconnaissance is when the attackers collect intelligence on the internal system by reviewing the system and searching for admin accounts that they can hijack.
Lateral Movement occurs when the attackers take control of the clients, servers and the Active Directory domain controller.

2017 Data Breach Stats in Tableau

Privacy Tableau Workbook

I have created these worksheets, using publicly available data sets, in order to display 2017 data breach statistics and the costs associated with various types of breaches. You can access these worksheets in Tableau by clicking the link provided above.