About Data breach

A data breach occurs when sensitive, private, or protected information may have been viewed, stolen, or utilized with individual consent. Personal identifying information (PII), personal health information (PHI), trade secrets, and intellectual property may all be included in a data breach. Any information that can be used to distinguish one individual from another is considered to be personal identifying information. Either sensitive or non-sensitive information can be present. Raw data includes medical information, personally identifiable financial information, and biometric data—information that, if disclosed, could harm the person whose confidentiality has been violated. Therefore, PII should be encoded in transit and when information is at rest. On the other hand, non-sensitive data is the type of information that can be conveyed in an unencrypted form without causing any destruction to a person, for instance, phone books information. Moreover, personal health information (PHI), refer to demographic information, test and laboratory results, medical history, that a healthcare proficient collects to identify an individual and regulate proper care. Further, a trade secret is a confidential business information, which provides an enterprise a competitive edge (Baker, Hylender, Pamula, Porter, & Spitler, 2011). The trade secret information includes industrial and commercial secrets. On the contrary, the most conception of information breach is an invader hacking into the business network to steal the confidential information. Conversely, not all information breaches are hacked for instance if unlicensed hospital worker opinions a patient health information on a computer screen over the shoulder of the approved worker, this is considered as a data breach. On the contrary, a data breach can take place intentionally or unintentionally. A data breach occurs accidentally if a legitimate custodian of information negligently uses corporate tools. On the other hand, deliberately data breach takes place when a cyber attacker hacks into an individual’s company system for accessing proprietor and personal information. Therefore, a data breach is the unauthorized access and retrieval of a sensitive report by a group, an individual or software system.

What administrative controls, technology controls, and training and awareness measures could have been implemented to prevent the breach?

Preventing data breach is a primary goal of every individuals and company. A data breach can be prevented through implementation of administrative control, technology control, and awareness measure. In this case, regulatory safeguard refers to actions, policies, and procedures taken by the administration to accomplish the selection, expansion, implementation, and conservation of security measure to guard the information of any institution. Therefore, in implementing the administration control, the agencies should offer a regular education program to its employee on how to prevent data breaching (Baker, Hylender, Pamula, Porter, & Spitler, 2011). This will help the employee to understand the covered entity security policies and procedures and apply appropriate sanctions against any workforce member who violate the method and systems of information at all level of an organization. Additionally, understanding the access of management will enable institutions to evaluate their practices and enhance safeguard that is needed to limit unnecessary access to and disclosure of relevant information. Furthermore, technology control is the formalization of process and procedure taken to ensure that any sensitive information is not disclosed to unauthorized personnel. To hedge the risk of data breach, through the implementation of technology control is crucial for any institution. In this case, agencies should employ computer specialist who will help provide support to information technology and should deal with all computers that carry sensitive information in an organization. In case there is any hacking, the computer specialist should be in a position to realize and generate a complex password that will be difficult for hackers to guess. Institutions should implement egress filtering that will help them monitor and restrict the flow of information from one network to another. Moreover, training and awareness refer to an educational program that is designed to reduce the number of security breaches that take place through lack of employee awareness. Therefore creating awareness program in institutions will help measure the number of the employees who is aware and understands the institution policy, processes, and standards. On the contrary, implementing awareness program will help explain the role of employee I the area of information security.

How does this relate to the policies and significant securities framework covered in class?

The American luxury department stores that is owned by Hudson’s Bay, faced data breach that took place on 19th march where employee personal information was exposed. This information comprised of email address, phone number, date, time, and the product code of items. Additionally, the company had some issues on login of its websites where information was left vulnerable to hackers when the site was browsed on an open Wi-Fi. . In this case, the information breach include, revealing the personal information of employees through exposing it to hackers (Fisher, 2012). On the contrary, the data may cause, email phishing fraud, identity theft and hackers may use the email to get from the data breach and send out email with malicious software to attack. To reduce the risk of employee data breach, the company implemented, administration control where the sensitive information was identified and employee were trained because, some of data breaching are caused by careless behavior of workers and system administrator who deal with sensitive information. Furthermore, the company implemented technology control that helped it encrypt data sent to third party over the public network. The technology control egress monitoring that helped it ensure that unauthorized or malicious traffic never leave the internal network. Additionally, the company implemented training and awareness measure that helped it to train employee on the about company security policy, processes and standards.

If possible, what are the punitive implications of this breach?

In case of data, breach by an individual whether intentionally or unintentionally there should be a penalty by fines. The fine will due to actual damage, loss, theft leakage forgery or impairment of personal information. Imposing sanctions on data breach will help the employee to be accountable and protect any information sensitive to a company. Additionally, if a company information is breached, an individual responsible for this act should be jailed whether the breach was intentionally or intentionally (Fisher, 2012).. Furthermore, if a doctor violates his or her patient confidentiality, the patient has a right to pursue their grievances. This can be either by paying the patient an amount that may be equal to the information breached. On the other hand, should be taken to court since patients have a right to confidentiality and any violation of is lack of respect for a patient.

What are the non-fiscal repercussions of the breach?

In case employees resign or are fired, a significant loss as a result of a breach can take. The employee may give out a confidential information that may negatively affect the company involved. In this case, the brand reputation of a company product may be modified and as a result leading to loss of revenue (Fisher, 2012). Additionally, the fired employee may reveal customers privacy that may involve customer payment information. Since customers value their privacy, they may lose trust in the company and stop buying their products leading to falling in revenue. Additionally, the fired or resigned employee may lead to loss of intellectual property. This is because the rivals may not hesitate to take advantage of another business information, therefore; the fired employee may sell this information to the company rivals.

References

Baker, W., Hylender, A., Pamula, C. D., Porter, J., & Spitler, C. (2011). 2011 data breach investigations report. Verizon RISK Team, Available: www. Verizon business. com/resources/reports/rp_databreach-investigations report-2011_en_xg. pdf, 1-72.

Fisher, J. A. (2012). Secure my data or pay the price: Consumer remedy for the negligent enablement of a data breach. Wm. & Mary Bus. L. Rev., 4, 215.