[Dataloss] Sentry Insurance Says Customer Data Stolen
George Toft
george at myitaz.com
Sun Jul 30 14:15:18 EDT 2006
At this point, I would like to point out that Wisconsin has a weak
Identity Theft protection/reporting law (might not even be law yet).
Per Consumers Union
(www.consumersunion.org/campaigns/Breach_laws_May05.pdf), Wisconsin has
a bill SB164: "The entity need only provide notice if it knows that
personal information has been acquired by an unauthorized person. And
there is a material risk of identity theft or fraud." Well, the risk
has been realized.
And we have an insurance company [bound to comply with the
Gramm-Leach-Bliley Act and SOX 404, so they should have had adequate
security measures in place to prevent this incident - separation of duty
(legal requirement) and not using live data in development (best
practice)] who chooses not to report the breach until 72 people's
information is sold over the Internet. They chose to keep it quiet and
not tell anyone because there was no requirement to notify anyone of the
breach. Reading between the lines in the article, it looks like the
Secret Service was on top of the event before Sentry Insurance. I
wonder how soon the class-action lawsuit will be filed.
As this incident demonstrates, failure to disclose data loss events
leads to identity theft. Disclosure seems to have a positive
[short-term] effect on preventing ID Theft.
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.
lyger wrote:
> Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/
>
> http://www.mercurynews.com/mld/mercurynews/business/technology/15153907.htm
>
> Personal information on 72 worker's compensation claimants was stolen
> from Sentry Insurance and later sold over the Internet, the company said.
>
> The data sold included names and Social Security numbers but not
> medical records, Sentry said. Data on an additional 112,198 claimants
> was also stolen but there is no evidence it was sold, the company said.
>
> Sentry said it notified everyone affected and was providing credit
> monitoring services to help prevent fraud.
>
> [...]
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/
>
>
>
More information about the Dataloss
mailing list