Data Breach Sharing Framework


With the Massachusetts Data Privacy Law now in place (and presumably you are in compliance with it), you need to think about what to do if you have an incident.

Verizon has published the Verizon Incident Sharing Framework to help.

Our goal for our customers, friends, and anyone responsible for incident response, is to be able to create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.

The framework is set up to help classify incidents, their discovery, mitigation and impact.

Sources:

Data Breaches and Knowledge Management

One of the features of the new Massachusetts Data Privacy Law is that it forces some knowledge management on companies in the context of data breaches.

Since the law required compliance on or before March 1, 2010, I assume you already have the policy and safeguards in place. That is, if you have social security numbers or financial account information for any Massachusetts resident in your computer systems or files. Yes, the law reaches beyond the borders of Massachusetts and is not limited to Massachusetts companies.

201 CMR 17.03(h) and (i) require regular monitoring of your program and a periodic review of its scope.

201 CMR 17.03(j) goes on to require that you document any responsive actions, have a post-incident review and document any changes to your program after the review. That sounds a lot like knowledge management to me.

The Office of Consumer Affairs and Business Regulation has published a handy 201 CMR 17.00 Compliance Checklist (.pdf). You should also review and be familiar with the law itself, contained in 201 CMR 17.00 Standards for the Protection of Personal Information (.pdf).

Image is by Darwinek in Wikimedia Commons: Flag Map of Massachusetts

2009 Data Breach Investigations Report


285 million records were compromised in 2008. The Verizon Business RISK Team studied first-hand evidence collected during its own data breach investigations of 90 confirmed breaches. The more than 285 million records compromised in this 2008 caseload exceeded the combined total from 2004 through 2007.

2009 Data Breach Investigations Report (.pdf).

Investigators concluded that 87 percent of breaches could have been avoided through the implementation of simple or intermediate controls, all of them standard industry practices. In only 13 percent of cases were costly controls (in terms of effort and expense) recommended as the most efficient and effective means of avoiding the breach, and even most of those were standard security controls, just expensive ones.

They conclude with these recommendations:

Align process with policy: Many organizations set security policies and procedures yet fail to implement them consistently. Controls focused on accountability and ensuring that policies are carried out can be extremely effective in mitigating the risk of a data breach.

Achieve essential, and then worry about excellent: We find that many organizations achieve very high levels of security in numerous areas but neglect others. Criminals will almost always prefer the easier route. Identifying a set of essential controls and ensuring their implementation across the organization without exception, and then moving on to more advanced controls where needed is a superior strategy against real-world attacks.

Secure business partner connections: Basic partner-facing security measures as well as security assessments, contractual agreements, and improved management of shared assets are all viewed as beneficial in managing partner-related risk.

Create a data retention plan: Clearly, knowing what information is present within the organization, its purpose within the business model, where it flows, and where it resides is foundational to its protection. Where not necessitated by valid business needs, a strong effort should be made to minimize the retention and replication of data.

Control data with transaction zones: Based on data discovery and classification processes, organizations should separate different areas of risk into transaction zones. These zones allow for more comprehensive control implementations to include but not be limited to stronger access control, logging, monitoring, and alerting.

Monitor event logs: All too often, evidence of events leading to breaches was available to the victim but this information was neither noticed nor acted upon. Processes that provide sensible, efficient, and effective monitoring and response are critical to protecting data.

Create an Incident Response Plan: If and when a breach is suspected to have occurred, the victim organization must be ready to respond. An effective Incident Response Plan helps minimize the scale of a breach and ensures that evidence is collected in the proper manner.

Increase awareness: Delivered effectively, training that educates employees about the risks of data compromise, their role in prevention, and how to respond in the event of an incident can be an important line of defense and discovery.

Engage in mock incident testing: In order to operate efficiently, organizations should undergo routine IR training that covers response strategies, threat identification, threat classification, process definition, proper evidence handling, and mock scenarios.

Join me at 12:30 (July 29, Boston Time) for a free webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17 hosted by Knowledge Management Associates.

Ten of the Most Embarrassing Data Breaches


I gathered some notable data breaches in preparation for my presentation on the Massachusetts Data Privacy Law as part of my webinar on Wednesday: Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17. If you wondered why there are so many state laws on data breaches, just take a look at some of these embarrassing data breaches.

Royal Navy

Imagine losing information on everyone who had applied to join the armed forces, including passport numbers, medical histories, and bank details. Of course, it was not encrypted. It was just sitting in a laptop in the back of a car. That is what happened Jan. 9, 2008, in Birmingham, U.K., when a Royal Navy officer left the laptop in his car and it was promptly stolen.

BBC: Police probe theft of MoD laptop

UK’s Child Benefits Records

Her Majesty’s Revenue and Customs sent discs containing the entire child benefit database unregistered and unencrypted to the National Audit Office. There was no evidence that the discs fell into the wrong hands, but millions of families were told to be on alert for attempts to fraudulently use their details, which include addresses, bank account and National Insurance numbers, as well as children’s names and dates of birth.

BBC: Discs ‘worth £1.5bn’ to criminals

Veteran’s Affairs

A laptop and external hard drive were stolen from the home of an employee of the Department of Veterans Affairs. They contained details on no fewer than 26.5 million veterans. The laptop was stolen May 3rd and turned up two months later on the black market only four miles away; the purchaser had bought both the laptop and the hard drive off the back of a truck.

New York Times: V.A. Laptop Is Recovered, Its Data Intact

TJX

The retailer had over 45 million customer records compromised. The current theory is that the thieves sat in a store parking lot and tapped into an inadequately secured wireless network.

Boston Globe: TJX faces scrutiny by FTC

Ameriprise

Lists containing the personal information of about 230,000 customers and advisers were compromised after a company laptop was stolen from an employee’s parked car. The laptop contained a list of reassigned customer accounts that were unencrypted.

New York Times: Ameriprise Says Stolen Laptop Had Data on 230,000 People

Verisign

Digital certificate issuing company VeriSign suffered a data breach when an employee’s laptop was stolen from the employee’s car last month. The laptop contained names, social security numbers, dates of birth, salary details, phone numbers and addresses of VeriSign employees.

The Gap

A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. was stolen. The laptop was stolen from the offices of a third-party vendor the Gap hired to manage applicant data.

The Register: Data for 800,000 job applicants stolen

Boston Globe

Instead of reporting on data breaches, the Boston Globe and The Worcester Telegram & Gazette suffered their own credit card breach. The credit card information for as many as 240,000 subscribers might have been inadvertently released.

The New York Times: Credit Data Breach at Two Newspapers

Hannaford Supermarkets

Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.’s supermarkets enabled a massive data breach that compromised up to 4.2 million credit and debit cards.

Forbes: Malware cited in supermarket data breach

IBM

A vendor lost tapes containing sensitive information on IBM employees, including dates of birth, Social Security numbers, and addresses. Some of the tapes were not encrypted.

InfoWorld: IBM contractor loses employee data

Any others that you think should be on this list? Join the webinar and let us know.

Image is by d70focus: Credit Card Theft http://www.flickr.com/photos/23905174@N00/ / CC BY 2.0

Quick Hits

Some quick hits on stories that interest me, but did not make it to a full post:

SEC Posts XBRL Compliance Guide from The Filing Cabinet by Melissa Klein Aguilar

The staff of the Securities and Exchange Commission has posted a “small entity compliance guide” on its rules that require companies to submit financial statements tagged using eXtensible Business Reporting Language to the Commission and to post them on their corporate Websites.

Data Breach: Identity Theft Risk Insufficient to Support Claims by Hunton & Williams LLP’s Global Privacy and Information Security Law and Analysis

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Updating Your Gift & Entertainment Policy by Melissa Klein Aguilar for Compliance Week

In a recent survey of more than 500 compliance and ethics professionals, 46 percent said their organization hasn’t significantly updated its gift and entertainment policy in the last year. Of that group, 20 percent admitted it’s been at least three years since their policies were significantly updated. Observers say compliance executives have plenty of reasons to give those policies a fresh look, not the least being the continued enforcement crackdown on bribery.

Data Breach Costs $202 per Customer Record

PGP Corporation and Ponemon Institute issued their fourth annual U.S. Cost of a Data Breach Study. The study examined 43 organizations across 17 different industry sectors, with between 4,200 and 113,000 records affected per incident. According to the report, data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007. Within that number, the largest cost increase in 2008 was lost business created by abnormal churn of customers. Since the study’s inception in 2005, this cost component has grown by more than $64 per victim, nearly a 40% increase.