New Perils in a Connected World – by Stew Nelson
Data breaches announced in August at the University of Wisconsin-Milwaukee and Yale University compromised Personal Information consisting of names and Social Security numbers of almost 120,000 individuals. These breaches could potentially cost $500,000 just to provide credit monitoring for two years for everyone affected. If you add $10 to send a registered letter of notification it will add another $1.2 million to the remediation costs! It is not hard to imagine the total cost of these two breaches to exceed $2 million in total costs. Serious money!
Lessons we can learn
The breach in Milwaukee was caused by malware installed by an unknown individual. It could be that an insider installed the malware in the affected server but it is equally likely that the malware infected someone’s computer when they visited an infected website. No matter how much security you install, a rogue employee can always do damage. But if the malware was caused by someone web surfing it is much more preventable with education of employees and strict usage policies of university or corporate computers. As hackers become more sophisticated they are setting traps in what appear to be innocuous websites, employees home computers and even cell phones. So using personal computers for work or personal cell phone for work can compromise an entire network.
The breach in New Haven Connecticut at Yale University appears to be a case of negligence (As most breaches are!) that left a server containing names addresses and Social Security numbers from former employees, employees and students from 1999 connected to the Internet. So wouldn’t you know along came a Google spider and found the data file that did the damage. The issue here is why the server was connected to the Internet to begin with as there probably wasn’t much immediate need to retrieve information from this legacy database. The lesson to be learned is that all data that is stored by an organization needs to be assessed and evaluated for confidentiality and stored accordingly. As I have mentioned in previous posts if you don’t need to store it….. shredded it!
Universities typically are self-insured for these type of liabilities however, you don’t have to be. Each of these situations could have been fully insured at very reasonable prices. Talk to your agent about cyber liability insurance.