2011 Data Breach Review
Presentation by Jeff Foresman from Pondurance at the January 12, 2012 Central Indiana ISSA chapter meeting.
“Those who do not learn from history are doomed to repeat it” – George Santayana
Organizations have a responsibility to protect the data of their customers, employees or other stakeholders. Many organizations are also required to comply with industry requirements or government regulations to protect their confidential data, yet every year hundreds of organizations experience a data breach.
In this attached presentation we review some 2011 data breach statistics and resulting cost estimates, to understand common breach patterns and financial impacts among the affected organizations. We also review the causes of those breaches, and examine possible actions that could have prevented or mitigated the attack.
“A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be.” – Wayne Gretzky
A special thanks to the guest panelists supporting the discussion:
- Dave Sims: WellPoint (Senior Information Security Advisor)
- Tad Stahl: State of Indiana (Chief Information Security Officer)
- Chris Blow: Brightpoint (Manager, Global Information Security)

Interesting survey, but what would the results be like if small provider practices (1-3 doctors per office) were polled? Most small offices I have encountered do not have personnel with the knowledge, skills or experience to perform a security risk analysis, much less risk management. A security assessment AND risk management are REQUIRED objectives for HITECH fund recipients. Will HITECH fund awards trigger random OIG HIPAA security audits? Only time will tell.
Jeovan,
I completely agree with the small office comment you mention. See my recent blog post on “SMB Security Can No Longer Be Ignored” http://www.pondurance.com/blog/smb-security-can-no-longer-be-ignored/
I do not think Meaningful Use fund awards will trigger random audits. It appears that KPMG has a different set of criteria for selecting targets based on their initial process.
Yes, it will be interesting to see the auditing steady state. Some organizations really only react in the security space when faced with fines or after they are breached. I’m not sure if the threat of audits and fines will move the needle.
Steve