Business, Cloud, Compliance, Contracts, cybersecurity, Data, data privacy, Encryption, Internet, Law, Litigation, Ownership, Privacy, Regulation, Regulatory Compliance, RISK MANAGEMENT, Security

The New Wave of Data-Breach Outrage

You can almost feel it, like a power-line buzz in the air. If 2014 was the year that consumers and legislators woke up to the real threat to privacy and information security, 2015 may be the year that sees a shift in both enforcement and penalties.

On February 5, Anthem, Inc., the country’s second-largest health insurer by market value announced a security breach resulting in unauthorized access to tens of millions of current and former customer and employee accounts, Bloomberg reports.

Of particular concern is that the compromised data included social security numbers and birth dates, etc. Very different than having a credit card number stolen.

Last week, a group of 10 state attorneys general (AGs) sent a letter chastising Anthem for the length of time it took to notify the public of the breach. The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.

Some observers have commented that current encryption technology can limit the amount of data that even “authorized users” can view at one time, making it more difficult to compromise massive amounts of data.

In this situation, the breach occurred through misuse of an authorized user’s credentials, so encryption alone would not have worked. While most companies give universal access to data to some employees (senior level or IT), for the encryption approach to work, no one person or set of credentials should allow access to all data.

In the end, the new “best practices” approach may be a combination of encryption plus controls to limit the amount of data that any one set of credentials can access.

When it comes to addressing data privacy risks, it is often difficult to determine whether you should slow down, change course, signal for help, or simply muddle through. Often, teams tasked with managing privacy need to quickly identify potential issues, assess the risk, and implement controls to steer clear of unneeded exposure. The privacy professionals at the Adler Law Group can help you adopt Privacy Impact Assessments – or similar tools – and standardize a methodology for approaching these challenges by setting objectives, determining scope, allocating resources, and developing practices that will efficiently and effective manage privacy, while keeping pace with the business. For a free consultation, call us at (866) 734-2568, send and email to info@ecommerceattorney.com or visit our web site www.adler-law.com.

Published by David

I am a the founder of a boutique intellectual property law firm based in Chicago, Illinois. In my role as a trusted advisor, I act as the primary transactional attorney for my clients, reporting directly to a company’s executive staff and/or its General Counsel. I provide advice to business units and executives on copyright, trademark, ecommerce, software/IT, media & entertainment and issues associated with creating and commercializing innovations and creative content, drafting and negotiating contracts and licenses, advising on securities laws and corporate governance and managing outside counsel. My clients frequently rely on me to successfully draft and negotiate complex commercial and intellectual property transactions such as supply/distribution agreements, IP development and license agreements and documentation related to mergers, acquisitions and divestitures.