Many of the costs of a data breach are cut and dried. They are obvious, like the myriad explicit costs of lost data, of fixing security issues, of downtime, and so many more. But what happens when sensitive data is compromised -- data that tens, hundreds, thousands, or even millions of people have entrusted you with? Inevitably, we arrive at another compelling reason why appropriate security infrastructures cannot be ignored: the legal side of things can get tricky when dealing with other people's information. Although, by the time a data compromise reaches the stage at which legalities are a concern, your organization is probably already in some deep trouble, legal consequences can undoubtedly signal the end of an unequipped organization.
A story that I came across today seems to highlight this rather indirect cost that I thought important to discuss.
In the second lawsuit filed by a patient since this particular cyber attack, a Los Angeles man has filed a class action lawsuit against UCLA Health, "alleging that the health care provider did not adequately store private medical information of around 4.5 million patients," during the recent data breach.
The attack, which is suspected to have occurred last October, was announced by officials as recently as July 17 (quite some time, I know), leading to an FBI investigation of the attack.
According to the Daily Bruin, the incident likely exposed names, addresses, dates of birth, Medicare or health plan ID numbers, Social Security numbers and medical record numbers.
Tod Tamberg, a UCLA spokesman, said that even though hackers accessed personal information, there is no evidence that any information was taken. Nonetheless, sheer access to information as sensitive as that which is under scrutiny is concerning in itself. And this is by no means the first time that UCLA Health has come under serious attention for data-security-related incidents.
1. In 2007, UCLA's general database was compromised, exposing the personal information of around 800,000 students, staff, and administrators, including Social Security numbers. This also led to an FBI investigation.
2. In 2011, UCLA Health patients were notified that a hard drive holding more than 16,000 individuals' information, including birth dates, medical record numbers, and addresses, had been stolen from a UCLA physician's home. This prompted similar but unsuccessful lawsuits.
I find this saga of breaches and lawsuits particularly intriguing. Why? Well, there are a couple of reasons. First, your personal information and your business's sensitive information are stored in multiple formats, in multiple places, and in an endless variety of security environments. Think about it: once you swipe your card, or enter your details, or engage in a transaction captured by digital means, the data that has traveled is not magically erased. With this said, the interconnectedness that marks the transactional nature of personal and business relations is driven by digital. As beautiful and fruitful as digital has been to us, we find the privacy of our sensitive, private information precariously dependent on the integrity of data and information systems of which we are perfectly unaware.
Second, and maybe just as critical, is the fact that an organization or firm now faces legal ramifications for the compromised integrity of data. Every single organization that accepts payment, at the very least, deals with data that might be understood as sensitive. In principle, neglecting the security question is not an option. According to a recent PwC cybersecurity report, trends indicate that larger organizations have recognized this over the past year and have subsequently increased their average information security budget. However, smaller organizations have seen stagnation or a minor reduction in spending, all in the midst of a near doubling in the quantity of attacks and breaches.
My point here is this: as interesting a story as this might be from both a legal and a cyber security perspective, let's get to know our security infrastructures. Hot terms such as cloud, hybrid, SaaS, PaaS, and IaaS can no longer intimidate. Instead, let's get to know them a bit better, asking what they can do to empower the longevity and well-being of the individual and the enterprise. Although UCLA seems to be addressing these very pressing concerns duly, the average business will not have the means to manage an infrastructure infiltration of this degree, which is tantamount to a devastating burglary of critical physical assets. The two are truly no longer far from one another in their potential to inflict irreparable damage on the integrity and existence of any present-day organization.