Posted in Data Privacy

Anthem Discloses Huge Data Breach

Health insurer Anthem said hackers gained unauthorized access to its IT systems and stole personal information relating to tens of millions of current and former members and employees. Calling it a “very sophisticated external cyber-attack,” Anthem CEO Joseph Swedish said the breach does not appear to have compromised credit card or medical information, but it did sweep up addresses, income estimates, Social Security numbers, and more. Details inside.

SEC, FINRA Dropping Hints on Risk

Compliance officers looking to read some tea leaves about what worries the Securities and Exchange Commission these days might want to skim the 2015 exam priorities that the SEC and FINRA have posted. That guidance applies foremost to financial firms, but “it’s only a matter of time before they require more organizations to have these safeguards in place,” says Ken Fleming of Xerox Litigation Services.

AvePoint Compliance Guardian SP 3 Helps With Data Loss Prevention

AvePoint, a provider of enterprise-class Big Data management, governance, and compliance software solutions for next-generation social collaboration platforms, has announced the general availability of AvePoint Compliance Guardian Service Pack (SP) 3. Compliance Guardian mitigates privacy, information security, and compliance risks across your information gateways with a comprehensive risk management process allowing organizations to document their policies, implement and measure them, and demonstrate conformance.

Latest PCI Standard Pushes Toward Risk Management

Version 3.0 of the PCI Data Security Standard goes into effect this month—and maybe, just possibly, it will strengthen companies’ discipline against credit card data theft. The new standard prods companies to approach security as a continuous risk monitoring duty. “You can’t have smooth implementation until you start to think about this more broadly, like you would any other business problem,” says Christopher Avery of the law firm Davis Wright Tremaine.

ECI Launches New Data Security Solution, PayArmor

Electronic Commerce International, a payment processing solutions provider, today announced the launch of PayArmor, a new way for companies to protect customer data from cyber criminals. PayArmor is a multi-layered suite of security and compliance services built to safeguard businesses against fraud and credit card data security breaches and to assist with PCI compliance. Details inside.

Another Step Forward in Tackling Cyber-Security Risk

Dec. 31—COSO’s Internal Control — Integrated Framework talks a good game about being useful beyond financial reporting risks, but Compliance Week Editor Matt Kelly has always wondered how that works in practice. Then came a nifty piece of guidance: a taxonomy of operational risks in cyber-security, published by the Software Engineering Institute, a division of CERT at Carnegie Mellon University. Combine that tool for risk assessment and COSO’s approach for risk management, he says, and cyber-risks get a little less scary. Details inside.

Podcast: Navigating the Pitfalls of Geolocation Data

Uber, Snapchat, and Golden Technologies are the latest companies to come under fire for how they use the geolocation data they collect from their customers. In this week’s podcast, we talk to Fernando Bohorquez, a partner at the law firm BakerHostetler who specializes in privacy and data security issues, about how companies can navigate the inherent risks of this increasingly valuable data, incorporate the FTC’s “privacy-by-design” standard, and stay out of trouble with regulators and privacy advocates alike.

Sony, Lesson 1: Communication Breakdown

The lessons from Sony’s surrender to North Korean hackers last week are too many to count right now, so let’s start with an immediate one: understand the risks your company creates with its communication habits, and enforce smarter business practices to change them. Easy enough to say, Compliance Week editor Matt Kelly writes. As always, forcing cultural change like that is much harder. More of his thoughts inside.

TD Bank to Pay $625K for Data Breach

TD Bank this week reached a $625,000 settlement with the Massachusetts Attorney General’s Office after losing unencrypted back-up tapes containing personal information of more than 260,000 consumers nationwide, and delaying notice of the incident. The final settlement amounted to $825,000, but the AG’s Office credited the bank $200,000 to reflect security measures and upgrades it has already taken following the incident. Details inside.
