July 24, 2017

Sources to Search: Data Breach Notices Databases

A series of new reports on the hacking of credit card data at Trump hotels highlights a public records data source that is becoming increasingly valuable: data breach notices.

As companies have increasingly been targeted by hackers – and have become increasingly aware of the risks around exposing personal data – states have imposed new laws requiring that companies disclose these data breaches to their affected (or potentially affected) customers. This typically takes the form of a fairly standardized data breach letter, disclosing some details of the breach and who is affected.

These can be a really interesting source of news and intelligence around the companies that file them and regarding the incidents themselves, but normally they’re only posted on the companies’ websites (often obscurely) or only sent to the recipients.

However, the state of California (along with a handful of other states) actually retains a database of major breaches. State law “requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.” The law further requires that any notice sent to more than 500 California residents also be submitted to the California State Attorney General. Those notices are posted in the Attorney General’s online database of major data breaches.

These notices variously provide some details of what happened in the breach and – on occasion – how many folks are affected and what data was affected. For example, in the case of the filing for Trump Hotels the notice details how the breach happened (though not the overall number of people affected):

The Sabre SynXis Central Reservations system (CRS) facilitates the booking of hotel reservations made by consumers through hotels, online travel agencies, and similar booking services. Following an investigation, Sabre notified us on June 5, 2017 that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some of our hotel reservations processed through Sabre’s CRS. The investigation found that the unauthorized party first obtained access to Trump Hotels-related payment card and other reservation information on August 10, 2016. The last access to this information was on March 9, 2017.

While other states maintain similar data resources, California’s is the most comprehensive and appears to be the most frequently updated. Washington state also posts notices as they’re received, as do Oregon, Vermont, Wisconsin, Maine, and Montana.

The state of Massachusetts also posts some information on data breach notices, but they appear to update their records quarterly. The same appears to be true in Maryland. New Hampshire has a small number of records available as well.

The State of Indiana appears to release its reports on an annual basis.

At the federal level, HHS reports this information for breaches of unsecured protected health information affecting 500 individuals or more.

The Identity Theft Resource Center also aggregates a lot of this information on their website on a weekly basis.

While sometimes these filings become the center of news stories, they often don’t at the time, and can be a useful point to look back to for context.

Databases like California’s Data Breach Notices are integrated into the illumis Search platform and can be accessed and monitored for new records through the platform. Contact us if you’re interested in a trial.
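As an added illustration of what “monitoring for new records” in a state breach-notice listing can look like, the script below is example code written for this post, not illumis’s platform code. It diffs two constructed CSV snapshots of an attorney-general style listing, computes the exposure window from the breach dates a notice discloses (using the August 10, 2016 to March 9, 2017 dates quoted above), and flags new notices that name a vendor on a constructed third-party watchlist. The column names (“Organization Name”, “Date(s) of Breach”, “Reported Date”) and the date formats are assumptions for the example, not a documented schema of any state’s database.

```python
import csv
import io
from datetime import datetime

# Constructed snapshots of a state attorney-general breach-notice listing,
# as it might look on two successive days. Column names are an assumption
# made for this example, not the official schema of any state's database.
SNAPSHOT_OLD = (
    "Organization Name,Date(s) of Breach,Reported Date\n"
    "Example Credit Union,01/03/2017,02/10/2017\n"
    "Example Hotel Group,08/10/2016 - 03/09/2017,07/11/2017\n"
)
SNAPSHOT_NEW = SNAPSHOT_OLD + (
    "Example Resort Co. (reservations via Sabre SynXis CRS),"
    "08/10/2016 - 03/09/2017,07/20/2017\n"
    "Example Clinic,n/a,07/21/2017\n"
)

# Constructed watchlist: third-party vendors whose breach would affect us too.
VENDOR_WATCHLIST = ("sabre", "synxis")


def parse_date(text):
    """Parse the MM/DD/YYYY format used in the constructed listing; None if absent."""
    try:
        return datetime.strptime(text.strip(), "%m/%d/%Y").date()
    except ValueError:
        return None


def parse_breach_window(text):
    """Return (start, end) for a single date or a 'start - end' range, else None."""
    parts = [parse_date(p) for p in text.split("-")]
    if not parts or parts[0] is None:
        return None
    start = parts[0]
    end = parts[-1] if parts[-1] is not None else start
    return (start, end)


def parse_notices(csv_text):
    """Turn one CSV snapshot into a list of record dicts."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        {
            "org": row["Organization Name"].strip(),
            "breach_window": parse_breach_window(row["Date(s) of Breach"]),
            "reported": parse_date(row["Reported Date"]),
        }
        for row in reader
    ]


def record_key(record):
    """Identity of a notice for diffing: who filed it and when it was reported."""
    return (record["org"], record["reported"])


def new_notices(old_csv, new_csv):
    """Records present in the new snapshot but not the old one (the monitoring step)."""
    seen = {record_key(r) for r in parse_notices(old_csv)}
    return [r for r in parse_notices(new_csv) if record_key(r) not in seen]


def exposure_days(record):
    """Days between first and last unauthorized access, when the notice states them."""
    window = record["breach_window"]
    if window is None:
        return None
    return (window[1] - window[0]).days


def vendor_hits(records, watchlist=VENDOR_WATCHLIST):
    """Notices whose organization text names a vendor on the watchlist."""
    return [r for r in records if any(v in r["org"].lower() for v in watchlist)]


def report(old_csv, new_csv):
    """Lines a daily check of the listing would surface for an analyst."""
    fresh = new_notices(old_csv, new_csv)
    lines = []
    for r in fresh:
        days = exposure_days(r)
        window = "undisclosed" if days is None else f"{days} days"
        lines.append(f"NEW  {r['reported']}  {r['org']}  (exposure window: {window})")
    for r in vendor_hits(fresh):
        lines.append(f"VENDOR WATCHLIST HIT: {r['org']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SNAPSHOT_OLD, SNAPSHOT_NEW)))
```

Keying each record on organization plus reported date, rather than on the full row, keeps the diff stable when a state later amends a notice’s breach dates; the watchlist check is what turns a public listing into third-party risk intelligence, since a vendor breach such as the one quoted above surfaces under the names of the many customers that filed notices, not under the vendor’s own.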

Please Note: This post was updated in June 2020 to reflect our company’s new name: illumis


In November of 2021, ComplySci announced the acquisition of illumis, a premier data aggregator and technology provider whose solutions are used by financial services firms to identify and mitigate risk from employee political contributions. While the initial acquisition saw the firms operating as two independent organizations, we are thrilled to announce the merging of the illumis and ComplySci brands. With this initiative, we aim to arm our clients with a more comprehensive solution to mitigating compliance risk, which includes the increased risk associated with employee political contributions.
