Numerous data breaches and computer intrusions have been disclosed by the nation’s largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses. A data breach may occur when there is a loss or theft of, or other unauthorized access to, data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of data. Sensitive personal information generally includes an individual’s name, address, or telephone number, in conjunction with the individual’s Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password. Breach notification laws enacted by many states require the disclosure of security breaches involving sensitive personal information (Stevens, 2008).
The story of Health Net of Connecticut ("Health Net") is instructive.
In May 2009, Health Net discovered that it had lost a computer hard drive containing the personal health information of approximately 500,000 Connecticut residents. In January 2010, the State of Connecticut commenced a lawsuit against Health Net alleging that it had failed to notify residents and state authorities of this data security breach incident in a timely manner. The suit alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA"), the Connecticut data breach law and the Connecticut Unfair Trade Practice Act. Under the terms of a stipulated judgment entered into on July 6, 2010, Health Net agreed to pay $250,000 in penalties and implement a corrective action plan.
In November 2010, the Connecticut Insurance Department and Health Net settled a separate enforcement action commenced against Health Net arising out of the same data security breach incident. Under the terms of that settlement agreement, Health Net agreed to pay $350,000 in penalties and to provide two years
References:
Banham, R. (2012) “Where the Money Is, And the Security Isn’t: Cyber thieves are increasingly targeting small and midsize businesses, and why not? Most SMBs do little to protect themselves”. Retrieved from www.CFO.com
Cate, F.H
Guffin, P. (2012) “United States: Data Security Breach Notification Requirements in the United States: What You Need to Know”. Retrieved from www.mondaq.com
Heussner, K.M
Mintz Levin (2011) “State Data Security Breach Notification Laws”. Retrieved from www.Mintz.com
Picanso, K.E. (2006) “Protecting Information Security under a Uniform Data Breach Notification Law”. Fordham Law Review, Volume 75, Issue 1, Article 9
Romanosky, S., Telang, R., & Acquisti, A. (2010) “Do Data Breach Disclosure Laws Reduce Identity Theft?”. The Heinz College: Carnegie Mellon University
Simon, J.M
Stevens, G.M. (2008) “CRS Report for Congress: Federal Information Security and Data Breach Notification Laws”. Congressional Research Service
van Eecke, P., Craig, C., and Halpert, J. (2011) “Should you share breach information”. Retrieved March 3, 2012 from www.networkworld.com