
Example of Need to Validate Business Partner Security: State of Vermont Privacy Breach Resulting from Contractor

An incident recently occurred where a contractor for the State of Vermont accidentally posted the Social Security numbers for hundreds of healthcare workers within Vermont. The data existed on the web site for approximately one month before it was removed.

This demonstrates one of the many reasons why organizations must verify that the business partners to whom they entrust sensitive information actually follow acceptable security practices.

In this case, the contractor apparently did not have procedures in place to ensure only appropriate data was being posted to their web site, otherwise this incident likely would not have occurred. As a result, the State of Vermont now has to deal with the incident.
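The missing control described above, a procedure to check what is about to be posted, can be partly automated. The following is an added example, not code from the original post or from any of the organizations it names: a pre-publication check that scans RFP attachments for SSN- and TIN-style identifiers and withholds any attachment that contains one. The attachment names, the sample records, and the function names are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for the two identifier types named in the post:
# hyphenated SSNs (with a loose check on the area/group/serial parts) and
# hyphenated EIN/TIN-style numbers. Illustrative, not exhaustive.
PII_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "tin": re.compile(r"\b\d{2}-\d{7}\b"),
}


@dataclass
class Finding:
    attachment: str
    kind: str
    line_no: int
    redacted: str  # last four digits only, so the report itself is not a leak


def redact(value: str) -> str:
    """Keep only the last four digits of a matched identifier."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(name: str, text: str) -> list[Finding]:
    """Return one Finding per identifier-like match in the attachment text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PII_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(name, kind, line_no, redact(match.group())))
    return findings


def review_for_publication(attachments: dict[str, str]) -> tuple[list[str], list[Finding]]:
    """Split attachments into those cleared to post and the findings that block the rest."""
    cleared, blocking = [], []
    for name, text in attachments.items():
        found = scan_text(name, text)
        if found:
            blocking.extend(found)
        else:
            cleared.append(name)
    return cleared, blocking


# Constructed sample attachments (fictional names and numbers).
SAMPLE_ATTACHMENTS = {
    "rfp_scope.txt": "Scope of work for claims administration services.\nResponses due 2007-02-15.",
    "provider_list.csv": "name,tin,ssn\nAcme Clinic,12-3456789,\nJ. Doe MD,,123-45-6789\n",
}

if __name__ == "__main__":
    cleared, blocking = review_for_publication(SAMPLE_ATTACHMENTS)
    print("cleared:", cleared)
    for f in blocking:
        print(f"BLOCK {f.attachment} line {f.line_no}: {f.kind} {f.redacted}")
```

A check like this belongs in the publishing workflow itself (whoever uploads to the site runs it, and a hit stops the upload until someone reviews the file), and the report it produces is deliberately redacted so that the blocking log does not become a second copy of the data. Pattern matching will miss unformatted numbers and flag some non-identifiers, so it supplements, rather than replaces, a human review of what a business partner is handed and what gets posted.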

"In carrying out that task, the company obtained a list of health care providers from Cigna, the state's current health care administrator. The lists, which contained taxpayer identification numbers and in some cases SSNs, were included as attachments for the RFPs and were subsequently posted on the state Web site -- where the information remained for about a month before being removed, McIntire said."

This also raises the question of why Cigna included the taxpayer IDs on the list of health care providers to use for the RFP to the contractor to begin with. Is such information necessary when posting an RFP? Without having much information to go on from the report it would seem to not be necessary. What responsibility does Cigna have in this incident? Should the State of Vermont have asked them not to have included PII within the information sent to the contractor? Should Cigna have had policies and procedures in place to not send such information?

The State of Vermont is offering 1 year of credit monitoring services to the impacted individuals, so that is a good thing. Organizations must take responsibility for the impact their incidents have upon individuals, and not push the brunt of the impact to the individual victims themselves, who will still need to take their own time, and often money, to deal with the repercussions.

In this situation Vermont was dealing with two business partners. The more business partners, vendors, and so on that an organization entrusts their PII to, the more vulnerabilities and threats that are created for the PII. The situation certainly can get very dicey, and security-convoluted, quite quickly.


A Few of the Lessons Learned:

* Performing due diligence to ensure comprehensive information security programs and practices are implemented with business partners to whom you entrust sensitive information is not only a good idea for compliance reasons, it is necessary to protect your organization's own business interests and reputation as well as your customers' PII.

* As you increase the number of businesses to whom you entrust your PII, you increase exponentially the risks to the PII.

* All organizations need to have information security incident and privacy breach response and notification plans in place. This is something that concerns me greatly, and I've written often about it. Situations that lead to privacy breaches are described within the latest issue of the Cutter IT Journal for which I was guest editor, "Avoiding Privacy Pitfalls." I will also be discussing the importance of having a breach incident response and notification plan in place, along with the necessary components for an effective plan, within a webinar I am giving January 23, "The Anatomy of a Privacy Breach." If you have the opportunity to attend, I'd welcome your participation in the discussion.


Comments

Organizations clearly need a reality check in regard to potential risks of working with contractors. Security breaches, whether the fault of the company itself or the contracted worker, are rampant and all these organizations can offer is a year of free credit monitoring services to their victims.
What needs to happen is a harsh assessment of security procedures necessary to keep clients' data protected.

Thank you Mila for your comments.

Yes, so many companies outsource PII handling and processing to so many other companies, and so few are doing any due diligence activities at all to ensure those outsourced entities even have security in place. I've done MANY outsourced vendor security program reviews over the past few years, and I have found an alarmingly large number of them with basically non-existent security.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.