Maybe those DLP $$$/record breached stats aren’t so far off…

by seth on Jun.16, 2010, under Security

I have often scoffed at some of the numbers used to cost justify Data Leakage Prevention (DLP) purchases. While I agree there is a pretty serious need for redoubled efforts at preventing (and moreover detecting) sensitive data leaving an organization’s control, I haven’t found myself persuaded by most of the “studies” that show crazy high $$$/record costs. Perhaps I am jaded, but often these reports feel as if they were funded by those with a vested interest in the results pointing in a particular direction (that of “buying our product makes cents” [sic]).

Fast forward to the DarkReading article that I first noticed this past weekend. In 2008, California passed two laws Assembly Bill 211 and Senate Bill 541, which were aimed at further incentivizing health care providers to ensure the privacy of medical records. The laws went into effect 01/01/2009, but last week marks the first time that the California Department of Public Health (CDPH) has wielded its expanded power of fining facilities up to $25,000/per record for allowing unauthorized access to a patient’s medical record. CDPH has published the details here.

Five separate facilities were fined a total of $675,000. In total, the confidentiality of 245 medical records were breached. Although the fines varied (sometimes based on the number of people that accessed the records), in aggregate, that puts the cost/record breached at $2,755. A far cry from the $25,000/record mark (though some instances did receive that level of penalty), but still a substantial cost. Given the relative low volume (when compared to the numbers frequently seen in credit card breaches), it is hard to anticipate if thousands or tens of thousands of records were breached whether the penalties would remain this high.

While I welcome the increased penalties that might help persuade organizations to make further strides in ensuring the confidentiality of sensitive data, I am worried about the (un)anticipated side effects. The CDPH has made the sanitized reports available on their website. One phrase seems to be a fairly common theme, “the facility reported the breach”. I applaud the facilities for reporting these breaches of medical privacy, but will every facility be so forthcoming given the potential for fines. Would a private for-profit hospital be hesitant to report the breach of 1,000 records knowing that it could result in $25,000,000 in fines? I hope so, but something tells me that not every health care provider would reach the conclusion that self-reporting is in their best interest. As a parting shot, know what the cost/day fine is if it is found that a facility didn’t report a breach? A hundred bucks… Seriously? Not sure a benjamin is a strong incentive for early reporting…

:DLP, Security

1 comment for this entry:

Peter Abatan
June 17th, 2010 on 03:56
Seth, interesting post. I must say that I was initially skeptical about the cost of a data breach per record. However, I am beginning to realize that those figures are conservative. Heartland is a typical example.

The Ponemon Institute has been one of the pioneers analyzing cost per record breached and is not associated with any DLP vendor or IT security vendor. The guys at Ponemon are definately worth checking out.

Subscribe

You can also subscribe by email by filling the field below:
Recent Posts
Bio
SANS
SANS Teaching
- …additional teaching details
Tags
401 504 538 542 560 AWLG browser career CeWL Cheat Sheets Community SANS discount Ed Skoudis Fgdump Frank Kim GCIH GIAC hacking Hping insider job Log Management malware Metasploit Netcat newsletter OnDemand password cracking pauldotcom penetration testing Robin Wood SANS SANS Teaching SANS Teaching Security Security Essentials seth misenar Skoudis Spam Summit Tools webappsec wordlists Worm XSS
Context Security
- Maybe those DLP $$$/record breached stats aren’t so far off… 09/03/2010
  I have often scoffed at some of the numbers used to cost justify Data Leakage Prevention (DLP) purchases. While I agree there is a pretty serious need for redoubled efforts at preventing (and moreover detecting) sensitive data leaving an organization’s control, I haven’t found myself persuaded by most of the “studies” that show crazy […]
  seth
- 25% off SANS SEC401 vLive format (offer ends 1/8) 09/03/2010
  Just wanted to let everyone know that SANS has provided me with a 25% discount code for the upcoming vLive class that I will be co-teaching with Dr. Eric Cole. The code to be used is: IN401 Here is the link to the class particulars: http://www.sans.org/info/52819 If you aren’t already familiar, the vlive format is an online delivery [...] […]
  seth
- Quick synopsis of Cybersecurity Act of 2009 09/03/2010
  Just wanted to let everyone know that Stephen Northcutt has a quick section by section 1-3 sentence review of the Cybersecurity Act of 2009 legislation (a.k.a Rockefeller-Snowe Bill) that was recently proposed. http://www.sans.edu/resources/musings/1439.php I just got my hands on a copy of the bill, and am gonna try to read through it while waiting at the do […]
  seth
- 20% Off All SANS OnDemand Classes 09/03/2010
  Received an email this morning notifying me that SANS OnDemand is running a special for the month of March. 20% off of any SANS OnDemand class. As an added bonus, you could have me as your OnDemand Virtual Mentor (ODVM) Please feel free to leave a comment or email me at seth combined with [...] […]
  seth
- w3af Technical Segment on PaulDotCom Tonight 09/03/2010
  Just wanted to let you all know that I will be a guest on the PaulDotcom Security Weekly podcast tonight. I will be leading a technical segment on w3af, which is a very nifty free/open source tool for web application scanning/exploitation. Should be loads of fun! The live stream should go up around 1845 EDT with [...] […]
  seth
- SANS Protecting Your Web Apps 09/03/2010
  SANS Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them Not sure when this was released, but I am sure that it was pretty recently. From the title I wasn’t really expecting much, but was pleasantly surprised by the clarity with which the tips were explained. Frank Kim and Ed Skoudis [...] […]
  seth
- SANS 542 Webcast: Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit 09/03/2010
  Below is information regarding a webcast I will be leading for SANS on 03/18/2009 at 10 AM EST. Should be fun. Build Your Own Army of Darkness: XSS Frameworks for Zombies and Profit Featuring: Seth Misenar In this preview to the newly updated SEC542 Web Application Penetration Testing course being offered in Amsterdam, you will learn how build [...] […]
  seth
- SANS/Ed Skoudis Releases 3 Pen Testing Cheat Sheets 09/03/2010
  Thought some of you might be interested… Ed Skoudis (of InGuardians and SANS 504/517/560 fame) twitted about the release of 3 new cheat sheets this morning. The sheets are hosted on SANS website and links to them can be found on InGuardians (http://www.inguardians.com/pubs/articles.html). Here is the description from InGuardians: “Ed Skoudis rel […]
  seth
- Associative Wordlist Generator (AWLG.org) 09/03/2010
  Stumbled upon AWLG over at Darknet: http://www.darknet.org.uk/2009/01/the-associative-word-list-generator-awlg-create-related-wordlists-for-password-cracking/ This seems to follow nicely with the previous post referencing, CeWL. Also dovetails nicely with me currently listening to Day 4: Password Attacks of SANS 560: Network Penetration Testing and Ethical […]
  seth
- SANS Training 25% off discount extended 09/03/2010
  Full disclosure: I serve as a Technical Director and Virtual Mentor for SANS OnDemand (as well as Community SANS Instructor in general). SANS OnDemand online training has extended the 25% off discount promotion that was being run at the end of 2008. This is one of the steepest discounts I’ve seen for SANS training of any [...] […]
  seth

Categories

Meta
- Log in
- Valid XHTML

Context Security