Consider this recent move by the New York State Department of Financial Services against the Delta Dental Insurance Company. State officials hit the insurance company for improper and inconsistent enforcement of its own data retention policies; improper incident response plan protocols; and improper notification of the security incident itself.
The company was fined more than $2 million.
The data retention violations are perhaps the most problematic. Had that policy been enforced properly, much of the stolen data would have been destroyed long before the attackers could have accessed it.
It’s not simply a matter of whether the IT rules for retention were sufficiently strict. Some regulators, and especially the US Federal Trade Commission (FTC), focus extensively on companies that don’t do what they say publicly. If a corporate website or privacy policy promises customers something, the FTC will hold the company to its word, and a retention policy that exists on paper but is not enforced is exactly that kind of broken promise.