Wednesday, September 16, 2009

Adding Insult to Injury, Cybercrime Victims May Be Faced with Expensive "Breach Notification" Costs

What's happening: Cyberthieves stealing money from corporate bank accounts are also trigerring "breach disclosure" laws

What it means: At least 44 states plus the District of Columbia have "breach disclosure" laws requiring businesses and other organizations to notify consumers when they have reason to believe that private consumer information has been compromised. According to insurance industry studies, current "breach notification costs" exceed $200 for every person that has to be notified.

What to do: Take all the steps we've previously identified to keep from being a cybercrime victim. Delete sensitive private information of customers when it is no longer needed. As part of breach disclosure planning, know how to contact customers should you need to notify them of a breach. Talk to your insurance broker about breach-notification insurance.

**********************************

Brian Krebs: Washington Post:

Data Breach Highlights Role Of 'Money Mules'

On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account.

The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws.

http://voices.washingtonpost.com/securityfix/2009/09/money_mules_carry_loot_for_org.html?hpid=sec-tech