NAID 2015: The State of Data Breach Reporting (presentation)


Upload: csr-professional-services-inc

Post on 15-Jul-2015


TRANSCRIPT

CSR® Confidential and proprietary. CSR refers to the corporation CSR Professional Services, Inc.

Building an Incident Response Program

What you’ll be able to do 60 minutes from now:

Scope of the problem

Type of Breach

Regulations

Construct policy

Basis for a strong Incident Response Plan

Penalties: Civil and Criminal

Key take-aways


Business Disaster Preparedness

Why doesn’t everyone have BRICK houses?

Did everyone NOT read the 3 Little Pigs?

Businesses prepare for:

– Earthquakes

– Hurricanes

– Fire

– Flood

– Lightning strikes

– Power outages

But don’t devote resources to data breach planning


Government and Trade Groups Agree: Plan

BBB: What to do if consumer data is stolen

1) Create and publish a data breach notification policy.

2) Train your employees to identify breaches.

3) Immediately gather the facts of a potential breach.

4) Notify financial institutions.

5) Seek outside counsel.

6) Notify affected customers.

FTC: “Create a plan to respond to security incidents.”
http://www.business.ftc.gov/multimedia/videos/protecting-personal-information

VISA: “Consider a breach likely and plan accordingly. Identify and establish relationships with key vendors prior to an incident.”
http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

State AGs: No excuse for ignorance that data breach laws exist


It’s Not a Matter of If, But When…

Just a few of the breaches in 2014:

Aaron Bros., Aflac, AOL, AT&T, Blue Cross, Century Link, Comcast, CVS Caremark, Dairy Queen, eBay, Goodwill, Humana, Jimmy Johns, Kaiser, Kmart, Kroger, Little Caesar's, Lowe's, Monsanto, Mozilla, REI, Rite Aid, StubHub, Supervalu, UPS, USAA, Victoria's Secret, Walgreen

Scope

US companies have the most costly data breaches, at $188 per record

Average US cost $5.4 million per incident

Average file count 28,765

Decrease cost:

• Strong security plan

• Incident response plan

• CISO or SIPO

Average notification cost per incident $565,020

*http://ponemon.org


Scope

44% of respondents in a National Small Business Association survey reported breach (LA Times 7.13.14)

85% are unprepared; 41% had breach events (The Hartford Insurance Survey 2012 of SBE)

40% of SBE had breach or cyber attack (Verizon Business Survey 2013)

63.8% are unprepared; 37.5% had breach events (CSR unpublished data 2014)


Types

Breaches by Type

1. Malicious 42%*

2. Human Error 30%

3. System Glitch 28%

*IBM/Ponemon Study 2014


Types

Breaches by Category

Health Care 44.3%

Business Sector 33.5%

Government/Military 14.7%

Unclassified 7.0%


Regulators Tighten Grip

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Pending and revised data breach laws:

– Increase scope

– Increase penalties

– Decrease time to report


Regulation

International

Federal

State

Local

Sectoral


Regulations

Canada

EU (European Union)

British Commonwealth

APEC

Over 100 Sovereign Nations

(Map: www.solvexia.com)

No Privacy Law

Countries with Comprehensive Privacy Laws

Countries with Some Privacy Laws

Countries with Pending Privacy Legislation

States with Breach Notification or Social Security Number Laws

States with Both Breach Notification and Social Security Number Laws


Regulation

14 Federal Laws

GLBA

HIPAA

CAN SPAM

FTC


Regulations

(Map: www.solvexia.com)

Required Risk Assessment

HIPAA Security Risk Analysis is required annually, at minimum. It is required again after every security incident or breach.

CFR 164.308(a)(1)(ii)(A)

CFR 164.502(e)(2): Business Associate Agreements


Regulation

47 States

California

Texas

Massachusetts

Minnesota


Regulations and Enforcement Tighten

Doing business in the U.S.: all states will protect their residents (consumers, employees, vendors).

Long-reaching laws: Arkansas, California, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Louisiana, Massachusetts, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wyoming, Washington D.C., Puerto Rico, U.S. Virgin Islands

$150,000: Massachusetts long-reach consent decree
http://privacylaw.proskauer.com/2014/08/articles/data-privacy-laws/massachusetts-enforces-privacy-regulations-against-out-of-state-entity/

Data breach laws: 47 states

Data protection laws in over 25 states


Breach Key Areas

Quick Response

Data Collection and Preservation

Data Recovery and Forensic Analysis

Malware and Advanced Persistent Threats

Notification and Remediation

Images: google.com


Incident Response Plan (IRP)

How information is transferred, managed and delivered to third parties.

1. Transmittal of information protocol

2. Assessment of incident

3. Damage control

4. Response strategy

5. Documentation

6. Preservation of evidence


Incident Response Plan (IRP)

Verify that incident has occurred

Maintain or Restore Business Continuity

Reduce the incident impact

Determine incident vectors (How)

Prevent future incident (Learn/ Educate)

Improve security and incident response (Remediate)


Incident Response Plan (IRP)

1. Define roles and responsibilities

2. Establish procedures detailing actions to be taken

Type of incident

Criticality

Persistent or limited (completed)


Incident Response Plan (IRP)

IRP Team member contact information should be readily available.

An emergency contact procedure should be established.

Names should be listed in order of priority and call list should be tested.

(Image: www.micronetworks.biz)


Incident Response Plan (IRP)

Real or perceived

Nefarious or accidental or unknown

Level of information

Impact on operations

Location of incident

1. Internal vs external

2. Secure vs unsecure

(Image: www.tmlights.com)


Incident Response Plan (IRP)

Physical or Electronic

Number of files

Type of PII

Domestic vs Foreign

Long reach

Encryption

Redaction

Harm


Incident Response Plan (IRP)

Threshold per jurisdiction

Pre-reporting requirement

Consumer notification

Legal status

(Image: prontoforms.com)


Reporting and Notification

Factors that determine the obligation:

• Harm threshold

• Long-reach

• File threshold

• PII type

• Encryption

• Redaction

• Specified format

• Timeline

Notification channels:

• Email

• Surface mail

• Public notice

• Credit bureaus


Key Takeaways

BBB: What to do if consumer data is stolen

1) Create and publish a data breach notification policy.

2) Train your employees to identify breaches.

3) Immediately gather the facts of a potential breach.

4) Notify financial institutions.

5) Seek outside counsel.

6) Notify affected customers.

FTC: “Create a plan to respond to security incidents.”
http://www.business.ftc.gov/multimedia/videos/protecting-personal-information

VISA: “Consider a breach likely and plan accordingly. Identify and establish relationships with key vendors prior to an incident.”
http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf


Questions

Dr. Ross Federgreen

[email protected] x0160
