Two months ago, Shavlik released a security advisory alerting our customer community to the availability of off-the-shelf exploit kits that enable less sophisticated hackers to mimic a Target-like attack.
In that advisory, Rob Juncker, Vice President of R&D for Shavlik, accurately predicted that the availability of these exploit kits would lead to the following.
- More companies will be coming forward to report breaches.
- The scope of these breaches will go beyond retailers to impact all types of business that have valuable and private information.
Earlier this month, the game changed again, but this time the threat doesn’t come from hackers alone; it’s coming from the courtroom, the halls of government, and maybe even from your own employees. For the first time we are seeing companies being held legally and financially responsible for security breaches that occurred due to insufficient and/or negligent security practices.
Today, Shavlik is issuing another security advisory to draw your attention to three landmark cases that made headlines earlier this month.
Anchorage Community Health Services was fined $150,000 by the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) for “failure to apply software patches [that] contributed to a 2012 malware-related breach affecting more than 2,700 individuals,” according to GovInfoSecurity.
This incident is the first where a company has been held liable by OCR for failing to patch software, and now a precedent has been set, making disciplined patch management a critical part of HIPAA compliance.
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities,” OCR Director Jocelyn Samuels said to GovInfoSecurity.
U.S. District Court in Minnesota denied Target Corporation’s motion to dismiss litigation that had been filed by financial institutions who suffered losses as a result of Target’s 2013 data breach.
According to Reuters, Judge Paul Magnuson found “…banks were foreseeable victims of Target’s allegedly negligent conduct.” The report went on to say, “Importantly, Judge Magnuson said that imposing a duty of care on Target ‘will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.’”
This case may set a precedent for companies to be financially liable to both consumers and financial institutions for breaches that compromise customer data.
Two employees filed a class action lawsuit against Sony for allegedly not taking adequate precautions to secure employee data.
According to an article posted on TechCrunch, “The complaint references a tech blog reporting to note that Sony was aware of the insecurity on its network and took the risk.”
It has been confirmed that employee emails, website viewing activities, credit card website credentials, and Social Security numbers were among the data made public as a result of the Sony breach. Having already lost an estimated $100 million, Sony could now be in for more expense at the hands of its own employees.
In a month where the security stakes have never been higher for corporations, CIO Magazine reported that “Most Companies Fail at Keeping Track of Patches, Sensitive Data.” According to its report,
- 12% of companies have no patch management process at all
- 58% of companies have a patch management process that is not fully mature (e.g. may patch the OS but not third-party applications)
- 19% of companies have no control or tracking of sensitive data at all
If you see your organization in any of these statistics, now is the time to act. Your response will not only help keep your company out of the headlines but also out of the courtroom.